
Author Topic: CARP Secondary Unreachable Over VPN  (Read 82 times)


rafel.amer
CARP Secondary Unreachable Over VPN
« on: November 06, 2017, 04:44:01 am »
I have read the document https://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN, but I don't understand where to apply the manual outbound NAT.
On the primary, the secondary, or both servers?

Can someone explain to me, step by step, how to configure the rule for outbound NAT and where?
The local address of the OpenVPN interface on the master is

ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   inet6 fe80::224:81ff:fe7e:43e1%ovpns1 prefixlen 64 scopeid 0xb
   inet 10.11.8.1 --> 10.11.8.2  netmask 0xffffffff
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: tun openvpn
   Opened by PID 42792

Thanks

Rafel Amer

viragomann
Re: CARP Secondary Unreachable Over VPN
« Reply #1 on: November 06, 2017, 06:27:19 am »
The rule should be active on both, so you can also access FW1 while FW2 is master. However, since you will have activated NAT rule sync in System > High Availability Sync, you only need to set it on FW1, and you must set up a rule which can work on both.

Assuming you want to access your firewalls by their LAN IPs:
First add an alias containing both LAN IPs, the master's and the backup's: Firewall > Aliases > IP. Call it e.g. FW1_2_LAN.
Go to Firewall > NAT > Outbound. If the Outbound NAT Mode is set to Automatic check "Hybrid Outbound NAT rule generation" and hit Save below.
Then add a new rule:
Interface: LAN
Protocol: TCP
Source: <VPN tunnel subnet>
Destination: "Network" and enter "FW1_2_LAN" (the alias you've added first)
Translation Address: Interface address
Save the rule.

Now the source addresses of outgoing packets leaving the master's LAN interface destined for the backup's LAN IP are translated to the master's LAN address, so the backup sends its responses back to the master, and they are directed back to the VPN client. This also works in reverse on the other firewall while it is the master and the VPN client is connected to it.
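To make concrete what the GUI rule above amounts to, and why a single synced rule serves both nodes, here is the equivalent rule written directly in pf syntax. This is an added illustration, not part of the original thread and not pfSense's generated ruleset; the interface name em1, the LAN addresses 192.168.1.2 (FW1) and 192.168.1.3 (FW2), and the tunnel network 10.11.8.0/24 (chosen to match the 10.11.8.1 shown in the ifconfig output above) are all assumptions.

```pf
# Added example in plain pf syntax (assumed addresses, not from the original post):
#   LAN interface: em1
#   FW1 LAN IP:    192.168.1.2
#   FW2 LAN IP:    192.168.1.3
#   OpenVPN tunnel network: 10.11.8.0/24
# The alias FW1_2_LAN from the reply above becomes a pf table holding both LAN IPs.
table <FW1_2_LAN> { 192.168.1.2, 192.168.1.3 }

# Outbound NAT on LAN: traffic arriving from the VPN tunnel and destined for
# either firewall's LAN IP is source-translated to the LAN interface's own
# address. "(em1)" is pf's way of saying "whatever address em1 currently has",
# so the identical rule resolves to 192.168.1.2 on FW1 and 192.168.1.3 on FW2.
# That is the property the reply relies on when it syncs one rule to both nodes;
# a rule hard-coded to "-> 192.168.1.2" would break as soon as FW2 is master.
nat on em1 inet proto tcp from 10.11.8.0/24 to <FW1_2_LAN> -> (em1)

# Without the rule, a packet from 10.11.8.2 reaching the backup keeps its
# tunnel source; the backup has no route back to 10.11.8.0/24 through the
# master, so its reply never returns to the VPN client.
```

Two practitioner notes. First, this rule matches TCP only, exactly as the reply specifies, so SSH and the web GUI on the backup will work but an ICMP ping to it will still go unanswered; add a second rule for ICMP if you want ping to work. Second, after saving on FW1 and letting XMLRPC sync run, confirm on each node with `pfctl -sn` that the nat rule is actually present in the loaded ruleset, and with `pfctl -ss` that states for connections to the backup show the translated LAN source rather than the tunnel address.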