Netgate Discussion Forum
    How to use NAT 1:1 with HA / CARP

    • GhengisT

      Hey guys,

      I'm working on cluster deployment and I'm having issues making the NAT 1:1 rules work. Running pfSense 2.2.6 on two Dell PowerEdge 1950s, 4 NICs total.

      My configs for box one and two are as follows:

      LAN = x.x.x.250/24 and x.x.x.251/24
      WAN = x.x.x.36/28 and x.x.x.37/28
      SYNC = x.x.x.1/30 and x.x.x.2/30

      LAN CARP = x.x.x.21/24
      WAN CARP = x.x.x.35/28

      The HA and sync appears to be working perfectly. Per the manual, I changed outbound NAT to manual and set the CARP address for each interface.

      Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.

      Immediately, the device loses internet access and I'm missing the reason as to why.

      Any pfsense gurus that see an error in my config?

      • Derelict (LAYER 8, Netgate)

        Now, I've created a NAT 1:1 entry for (WAN address) x.x.x.38/28 > x.x.x.225/24 (LAN address). Then I created a new CARP address for the same WAN IP x.x.x.38/28.

        Are you actually using these netmasks in your 1:1 NAT entry? How, exactly, are you configuring the 1:1?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • GhengisT

          Hi Derelict,

          Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs. Essentially, I configured a CARP VIP for the external IP that I want to use, then created a NAT 1:1 entry to map that same CARP VIP to an inside IP address. I'm testing from my primary WAN circuit and this pfsense cluster is live on our backup WAN circuit; neither circuit is connected to the same equipment, it's a true outside attempt to connect. I've included screenshots of my config if you don't mind taking a look at them.

          I'm wondering if this has something to do with the outbound NAT rules, although they should be configured per the guide. I disabled automatic outbound NAT rules and switched to manual. Then I reconfigured each rule to use the shared CARP VIP, and from my tests it appears to be working correctly.

          [Screenshots attached: carp-status.jpg, nat-1-1.jpg, outbound-nat.jpg, vip-carp.jpg]

          • GhengisT

            @GhengisT:

            Hi Derelict,

            Thanks for taking the time to respond. The NAT 1:1 entry doesn't allow me to specify netmasks, just external and internal IPs.

            My mistake, I revisited the page and it does allow me to specify entire networks, etc. In this case, I only specified single host addresses.

            • Derelict (LAYER 8, Netgate)

              So for the 1:1 NAT entry Single host is selected for Internal IP?

              All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.

              Enabling that 1:1 NAT should not stop any traffic.

              How about a screen shot of the 1:1 NAT edit screen?


              • GhengisT
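As an added example (not from the thread or from pfSense itself), a small Python check that flags the two things Derelict raises above: a CARP VIP whose mask does not match the WAN interface's /28, and a 1:1 entry whose external address has no CARP VIP on that interface. The addresses are constructed placeholders from TEST-NET-3; only 192.168.4.225 comes from the thread.

```python
# Added example, not part of the thread: sanity-check pfSense CARP VIPs and
# 1:1 NAT entries against the WAN interface subnet.
import ipaddress

# Constructed sample modelling the thread: the WAN is a /28, the shared CARP
# VIP is fine, but the VIP created for the 1:1 external address was entered
# as /24, and a second 1:1 entry has no CARP VIP at all.
WAN_IF = "203.0.113.36/28"            # WAN interface address as on the box
CARP_VIPS = [                         # (interface, address/mask) from Firewall > Virtual IPs
    ("WAN", "203.0.113.35/28"),       # shared CARP VIP used for outbound NAT
    ("WAN", "203.0.113.38/24"),       # mask mismatch: should be /28 like the interface
]
NAT_1TO1 = [                          # (interface, external, internal) from Firewall > NAT > 1:1
    ("WAN", "203.0.113.38", "192.168.4.225"),
    ("WAN", "203.0.113.39", "192.168.4.226"),   # no CARP VIP owns 203.0.113.39
]


def check_config(wan_if, carp_vips, nat_1to1):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    wan = ipaddress.ip_interface(wan_if)
    findings = []
    vip_addrs = set()
    for iface, vip in carp_vips:
        v = ipaddress.ip_interface(vip)
        vip_addrs.add(v.ip)
        if v.network.prefixlen != wan.network.prefixlen:
            findings.append(f"VIP {vip}: mask /{v.network.prefixlen} differs from "
                            f"{iface} mask /{wan.network.prefixlen}")
        if v.ip not in wan.network:
            findings.append(f"VIP {vip}: not inside {iface} subnet {wan.network}")
    for iface, ext, internal in nat_1to1:
        ext_ip = ipaddress.ip_address(ext)
        if ext_ip not in wan.network:
            findings.append(f"1:1 {ext} -> {internal}: external address not in "
                            f"{iface} subnet {wan.network}")
        if ext_ip not in vip_addrs:
            findings.append(f"1:1 {ext} -> {internal}: no CARP VIP defined for the "
                            f"external address, so it will not fail over with CARP")
    return findings


if __name__ == "__main__":
    for line in check_config(WAN_IF, CARP_VIPS, NAT_1TO1):
        print(line)
```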

                @Derelict:

                So for the 1:1 NAT entry Single host is selected for Internal IP?

                All of the netmasks on all the CARP VIPs on your L3 circuit should be /28. Not that it's causing this problem.

                Enabling that 1:1 NAT should not stop any traffic.

                How about a screen shot of the 1:1 NAT edit screen?

                Ah, good eye on the /28 CARP IPs. Although, I'm attempting to reach an IP on the WAN_COX circuit (WAN_L3 isn't connected yet).

                Initially I was thinking that it was an incorrect outbound NAT rule, however without the 1:1 rule enabled, the device at 192.168.4.225 has no problem reaching the internet.

                Screenshot of the 1:1 edit is below.

                [Screenshot attached: pfsense-1-1edit.png]

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.