
Topic: NAT 1:1 on CARP VIP


Ap0p0 (Newbie)
NAT 1:1 on CARP VIP
« on: December 02, 2017, 06:22:09 pm »
Hi all,

I have a /28 WAN network and I have a HA cluster with 2 boxes. My NICs are as follows:

for master and backup:
WAN: x.x.x.201/28 and x.x.x.202/28 => VIP x.x.x.203/28
LAN interface that I want to use: y.y.y.1/16 and y.y.y.2/16 ==> VIP y.y.y.3/16

I need to use a public IP x.x.x.200 on a local device y.y.y.8

I added a NAT 1:1 entry with:
interface: WAN
external subnet IP: x.x.x.200
internal IP: network y.y.y.8/32
destination: any
NAT reflection: none

Then I added an IP alias on CARP WAN (x.x.x.203) with x.x.x.200/28

After that, the CARP status shows both IPs 203 and 208 as master on box 1 and backup on box 2. It appears to be OK.

Finally, I added a firewall rule on WAN interface to allow any source/any protocol to x.x.x.200 (just to try)

My local device y.y.y.8 has Internet access and source IP is OK (y.y.y.200). But when I try to simply ping x.x.x.200 from outside, I can see my requests on WAN interface, but nothing goes to my local device (firewall disabled on it).

So, it appears I can only use x.x.x.200 from LAN to WAN and not from WAN to LAN.

Can a pfSense guru help me? :-) Where am I wrong?

Derelict (Global Moderator)
Re: NAT 1:1 on CARP VIP
« Reply #1 on: December 03, 2017, 02:45:57 am »
Quote
Finally, I added a firewall rule on WAN interface to allow any source/any protocol to x.x.x.200 (just to try)

Firewall rules for inbound traffic are processed after NAT occurs. That rule needs to pass traffic to the real address of the server, y.y.y.8.

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

(I realize you are using 1:1 but almost all of the port forwarding principles still apply in that case.)
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Ap0p0 (Newbie)
Re: NAT 1:1 on CARP VIP
« Reply #2 on: December 03, 2017, 05:22:32 am »
Hi Derelict,

thank you for your time!

Ok, so my firewall rule must be: WAN interface, allow any source/any protocol to y.y.y.8 or something like this. I'll try this and come back here. So I think I have to disable bogon rules?

You are saying I can do NAT port forwarding: like all ports to x.x.x.200 forwarded to y.y.y.8? and a specific SNAT rule for y.y.y.8 to x.x.x.200?

Ap0p0 (Newbie)
Re: NAT 1:1 on CARP VIP
« Reply #3 on: December 03, 2017, 07:02:43 am »
I just changed my firewall rule and it works!!!! Thanks!! :)

Derelict (Global Moderator)
Re: NAT 1:1 on CARP VIP
« Reply #4 on: December 03, 2017, 11:16:43 am »
Quote
You are saying I can do NAT port forwarding: like all ports to x.x.x.200 forwarded to y.y.y.8? and a specific SNAT rule for y.y.y.8 to x.x.x.200?

1:1 NAT does both. Your problem was the rule wasn't passing the correct destination address because the rule needs to pass the post-NAT address.
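As an added illustration of the two points Derelict makes in Reply #1 and Reply #4 (inbound filter rules see the post-NAT destination, and 1:1 NAT translates both directions, so no separate SNAT rule is needed), here is the same setup written in raw pf syntax, the packet filter pfSense builds its ruleset on. This is not from the thread and not pfSense's generated ruleset; the interface name and the 203.0.113.0/28 and 10.20.0.0/16 addresses are placeholders standing in for the poster's x.x.x and y.y.y values.

```pf
# Added example, not the poster's or pfSense's own configuration.
# Placeholder names and addresses:
ext_if   = "em0"             # WAN interface
carp_vip = "203.0.113.203"   # CARP VIP (x.x.x.203); 203.0.113.200 is added as
                             # an IP alias on this VIP so it follows failover
pub_ip   = "203.0.113.200"   # x.x.x.200, the external side of the 1:1 mapping
srv_int  = "10.20.0.8"       # y.y.y.8, the LAN host

# 1:1 NAT is a bidirectional "binat" rule: outbound traffic from srv_int
# leaves with source pub_ip, and inbound traffic to pub_ip is rewritten to
# srv_int. One rule covers both directions; no extra outbound NAT rule.
binat on $ext_if from $srv_int to any -> $pub_ip

# The same mapping expressed as two one-way rules (port forward + outbound
# NAT), which is what the "rdr to y.y.y.8 plus SNAT" question amounts to:
# rdr on $ext_if from any to $pub_ip -> $srv_int
# nat on $ext_if from $srv_int to any -> $pub_ip

# Translation runs BEFORE the filter rules on inbound packets, so a WAN pass
# rule must match the translated (internal) destination, not the public IP.

# WRONG: by the time the filter evaluates this, the destination is already
# srv_int, so the rule never matches and the packet falls to the default block.
# pass in quick on $ext_if inet proto icmp from any to $pub_ip

# RIGHT: filter on the post-NAT address. Also narrow the original
# "any source / any protocol" test rule to what the host actually serves.
pass in quick on $ext_if inet proto icmp from any to $srv_int icmp-type echoreq
pass in quick on $ext_if inet proto tcp from any to $srv_int port { 80, 443 }
```

In the pfSense GUI the equivalent is a WAN rule whose destination is the internal host y.y.y.8 (or an alias for it), exactly as the poster ended up doing. Because the external address is an IP alias on the CARP VIP rather than on a physical interface address, only the current master answers for it and the mapping moves with a failover.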

Ap0p0 (Newbie)
Re: NAT 1:1 on CARP VIP
« Reply #5 on: December 03, 2017, 01:32:00 pm »
Thank you mate!!!! Yes, I corrected the firewall rule and it works immediately as expected! :-)