Topic: NAT Trouble with CARP

oeawallis
NAT Trouble with CARP
« on: October 13, 2017, 08:24:41 am »
Hello everybody!

We are facing strange behavior with our pfsense HA Cluster:

Outbound-NAT on the Master (which is replicated to the slave as well), is set to Manual (AON).
We configured for each vlan:

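| Interface | Source           | Source Port | Destination | Destination Port | NAT Address          | NAT Port | Static Port    |
|-----------|------------------|-------------|-------------|------------------|----------------------|----------|----------------|
| WAN       | 192.168.100.0/24 | *           | *           | *                | CARP-VIP (193.x.y.z) | *        | randomize port |
| WAN       | 192.168.100.0/24 | *           | *           | 500              | CARP-VIP (193.x.y.z) | *        | static port    |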

Now, when I apply these settings to the pfsense (latest version 2.4.0-RELEASE) and then go to one of my VLAN Clients, it comes to crazy dl/ul values.
Our Machines (NEMONIX servers) are equipped with 10GB copper cards. We have also gigabit uplinks connected to it.
We do not use any limiters or traffic shaping.

Using the AON (manual) config I get


BUT when I switch to Automatic NAT (which does not use our outbound NAT VIP for sure) I get:

(download is limited by some network hardware seemingly haha)


Can anybody explain to me WHY?
If you need to see any further config, let me know.

thanks and have yourselves a nice day !

Derelict
Re: NAT Trouble with CARP
« Reply #1 on: October 13, 2017, 11:04:15 am »
Probably something to do with your upstream and that other IP/MAC address. pfSense does not care.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

oeawallis
Re: NAT Trouble with CARP
« Reply #2 on: October 13, 2017, 12:38:21 pm »
> Probably something to do with your upstream and that other IP/MAC address. pfSense does not care.

What would the upstream have to do with the other IP/MAC? Sorry, but I don't get what you mean  ???  :-\

Derelict
Re: NAT Trouble with CARP
« Reply #3 on: October 13, 2017, 01:46:36 pm »
Hard to say. But if the only difference is the CARP address being used for NAT that is where I would look.

ISPs do crazy things.

Also, you want to move that static port 500 NAT rule above the rule since, if left like that, it will never be matched. Unrelated to your speed issue. Just sayin'.
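
The rule-order point in Reply #3, as an added example that is not part of the thread and not pfSense's own code: a small Python model of top-down, first-match outbound NAT evaluation applied to the two rules from the first post. The rule names and the client address 192.168.100.10 are made up for illustration, and only source network and destination port are modelled because every other field in the posted rules is identical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str                 # hypothetical label, not a pfSense field
    source: str               # source network in CIDR form
    dst_port: Optional[int]   # None stands for "*" (any destination port)
    static_port: bool

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.source)
        return in_net and self.dst_port in (None, dst_port)

    def covers(self, other: "NatRule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        net_ok = ip_network(other.source).subnet_of(ip_network(self.source))
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return net_ok and port_ok


def first_match(rules, src_ip, dst_port):
    """Top-down evaluation: the first matching rule wins."""
    return next((r for r in rules if r.matches(src_ip, dst_port)), None)


def shadowed(rules):
    """Return (rule, covering_rule) name pairs for rules that can never match."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed from the table in the first post (192.168.100.0/24 on WAN).
ANY_RULE = NatRule("any-randomize", "192.168.100.0/24", None, False)
IKE_RULE = NatRule("ike-500-static", "192.168.100.0/24", 500, True)
AS_POSTED = [ANY_RULE, IKE_RULE]   # order shown in the first post
REORDERED = [IKE_RULE, ANY_RULE]   # order suggested in Reply #3

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        hit = first_match(rules, "192.168.100.10", 500)
        print(f"{label}: port 500 -> {hit.name}, static_port={hit.static_port}; "
              f"shadowed={shadowed(rules)}")
```

With the posted order, traffic to destination port 500 is translated by the general rule with a randomized source port; after the reorder it hits the static-port rule and all other traffic still falls through to the general rule.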