
Author Topic: CARP - NAT  (Read 200 times)


Offline hancke

  • Newbie
  • Posts: 10
  • Karma: +0/-0
CARP - NAT
« on: October 08, 2017, 06:04:12 pm »
The CARP docs state to use Manual Outbound NAT and warn against NAT rules for "WAN/Public IP addresses of the cluster". Does that include any public IP configured as a CARP IP on WAN? Any issues using Hybrid NAT?

https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#Setup_Manual_Outbound_NAT

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9098
  • Karma: +1037/-307
Re: CARP - NAT
« Reply #1 on: October 09, 2017, 02:55:09 am »
You just need to make sure that all outbound NAT (and inbound connections/port forwards, VPN bindings, etc) are on addresses that will swing between the nodes in a CARP event.

These can be CARP VIPs or IP Aliases riding on CARP VIPs. If you have a subnet routed to one of those, that will also work.

If you terminate connections on the interface address, that address will only exist on one node not the other so if there is a failover event, the pfsynced state on the other node will be invalid and the connection will die.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
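The rule Derelict gives above (every outbound NAT translation, port forward and VPN binding must sit on an address that moves with the cluster, otherwise the pfsync'd state references an address the other node does not own) can be turned into a pre-failover audit. The script below is an added example, not pfSense's own code or its config.xml format: it uses a small constructed data model (a list of VIPs and a list of NAT rules) and flags any rule bound to the node-specific interface address, to an IP alias that rides on the interface rather than on a CARP VIP, or to an address that is neither a floating VIP nor inside a subnet routed to one. It also flags auto-generated rules, which is the Hybrid-mode trap discussed later in the thread: those rules translate to the interface address until they are overridden. Interface addresses, VIPs and rules are all constructed sample values.

```python
"""Audit NAT bindings on a pfSense CARP node for addresses that will not
survive a failover.

The data model below is constructed for this example; it is NOT pfSense's
config.xml schema. Adapt the loaders to your own export.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Vip:
    address: str                 # e.g. "203.0.113.10"
    mode: str                    # "carp" or "ipalias"
    parent: Optional[str] = None  # for ipalias: a CARP VIP address or an interface name


@dataclass(frozen=True)
class NatRule:
    kind: str        # "outbound" (translation target) or "portforward" (destination)
    interface: str   # interface the rule is attached to
    target: str      # address the rule binds to; "interface" = the interface's own address
    auto: bool = False  # auto-generated by Automatic/Hybrid outbound NAT


# Constructed node-specific interface addresses: these exist on ONE node only.
INTERFACE_ADDRESSES = {"wan": "203.0.113.2", "lan": "10.0.0.2"}


def floating_addresses(vips: Sequence[Vip],
                       routed_subnets: Sequence[str] = ()):
    """Return (set of addresses that move between nodes, list of routed networks)."""
    carp = {v.address for v in vips if v.mode == "carp"}
    floating = set(carp)
    # An IP alias floats only if its parent is a CARP VIP, not a bare interface.
    for v in vips:
        if v.mode == "ipalias" and v.parent in carp:
            floating.add(v.address)
    return floating, [ipaddress.ip_network(s) for s in routed_subnets]


def audit(rules: Sequence[NatRule], vips: Sequence[Vip],
          routed_subnets: Sequence[str] = ()) -> List[Tuple[NatRule, str]]:
    """Return (rule, reason) pairs for every binding that would break on failover."""
    floating, nets = floating_addresses(vips, routed_subnets)
    findings: List[Tuple[NatRule, str]] = []
    for r in rules:
        if r.auto:
            findings.append((r, "auto-generated rule uses the interface address; "
                                "override it with a CARP VIP"))
            continue
        if r.target == "interface":
            addr = INTERFACE_ADDRESSES.get(r.interface, "?")
            findings.append((r, f"bound to {r.interface} interface address {addr}, "
                                "which exists on this node only"))
            continue
        if r.target in floating:
            continue  # CARP VIP or IP alias riding on one: fine
        try:
            addr_obj = ipaddress.ip_address(r.target)
        except ValueError:
            findings.append((r, f"target {r.target!r} is not a known VIP or address"))
            continue
        if any(addr_obj in n for n in nets):
            continue  # inside a subnet routed to a CARP VIP: also moves with the cluster
        findings.append((r, f"target {r.target} is neither a CARP VIP, an IP alias on a "
                            "CARP VIP, nor inside a routed subnet"))
    return findings


# Constructed sample cluster: one CARP VIP, one alias on it, one alias on the bare interface.
VIPS = [
    Vip("203.0.113.10", "carp"),
    Vip("203.0.113.11", "ipalias", parent="203.0.113.10"),
    Vip("203.0.113.12", "ipalias", parent="wan"),
]
ROUTED_SUBNETS = ["198.51.100.0/29"]  # constructed: routed to the CARP VIP upstream
RULES = [
    NatRule("outbound", "wan", "203.0.113.10"),
    NatRule("outbound", "wan", "203.0.113.11"),
    NatRule("outbound", "wan", "203.0.113.12"),
    NatRule("outbound", "wan", "interface", auto=True),
    NatRule("portforward", "wan", "interface"),
    NatRule("portforward", "wan", "198.51.100.7"),
]

if __name__ == "__main__":
    for rule, reason in audit(RULES, VIPS, ROUTED_SUBNETS):
        print(f"[{rule.kind}] {rule.interface} -> {rule.target}: {reason}")
```

Run against the sample data it reports three problems: the alias riding on the WAN interface, the auto-generated outbound rule, and the port forward bound to the interface address; the two rules on the CARP VIP and its alias and the forward inside the routed subnet pass.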

Offline hancke

  • Newbie
  • Posts: 10
  • Karma: +0/-0
Re: CARP - NAT
« Reply #2 on: October 09, 2017, 08:58:29 am »
Makes sense! Thanks! I read that to say that Hybrid NAT will not work since it auto-creates rules. My CARP backup node has been crashing (unresponsive), I suspect this is the culprit.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9098
  • Karma: +1037/-307
Re: CARP - NAT
« Reply #3 on: October 09, 2017, 10:20:24 am »
You can use Hybrid if you want, but you still have to override all of the auto rules. It makes sense to get all of your interfaces configured, then switch to manual NAT so all the rules are automatically generated for you. Then just flip them all to an appropriate VIP.

Offline oeawallis

  • Newbie
  • Posts: 6
  • Karma: +0/-0
Re: CARP - NAT
« Reply #4 on: October 13, 2017, 08:32:04 am »
Quote from: Derelict on October 09, 2017, 10:20:24 am
You can use Hybrid if you want, but you still have to override all of the auto rules. It makes sense to get all of your interfaces configured, then switch to manual NAT so all the rules are automatically generated for you. Then just flip them all to an appropriate VIP.

If I set my pfSense to Hybrid NAT using CARP, the machine freezes and has to be hard reset!
I also suffer strange behaviour using CARP and NAT
-> https://forum.pfsense.org/index.php?topic=137984.0

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9098
  • Karma: +1037/-307
Re: CARP - NAT
« Reply #5 on: October 13, 2017, 11:02:32 am »
Then you are doing it wrong somehow.