Hi, all,
I had a nice failover setup working with OpenVPN and Multi-WAN, using 'any' binding. After I added CARP VIPs, this stopped working:
https://redmine.pfsense.org/issues/2273
Chris says there, "In some circumstances with multi-WAN you can't use any and that's probably where you're going wrong."
Question 1:
Can anybody explain what those circumstances are? I'd like to offer a patch that would keep users out of that situation.
Question 2:
I've tried port forwarding from my WAN CARP address to the LAN CARP address. This works for TCP OpenVPN connections, but for UDP OpenVPN connections, it doesn't. If I try logging on the associated filter rule, I never see anything. If I capture packets on the hardware interface, I see inbound packets. If I capture on the 'vip' interface, I don't see any packets (should I?).
Anyway, I suspect somehow TCP's state tracking is helping NAT work here, but I've seen others post that they've got this working with UDP, so I'm wondering what might be different.