
Topic: NAT port forward from CARP IP to WAN IP for OpenVPN


TheLimey
NAT port forward from CARP IP to WAN IP for OpenVPN
« on: January 17, 2018, 05:19:30 pm »
My CARP failover is working great, and so is OpenVPN access via the WAN IP of each firewall.

I would like to use OpenVPN through the WAN CARP IP, so users can use the VPN regardless of which FW is master. I can see where to set up the NAT port forwarding rule to forward from the CARP IP to the WAN IP, but there is no drop-down for target IP to select "WAN"; I have to put in an IP (or an alias, which doesn't help). This is fine until it syncs to the backup server, which obviously has a different WAN IP.

I can work around this by setting the rule not to sync, and then creating a matching rule on the backup server with its own IP, but it seems like it should be possible to do this without that extra overhead.

I tried running OpenVPN on the WAN CARP IP, with OpenVPN traffic to the actual WAN IP forwarded to the CARP IP, which would have solved the issue. Unfortunately that stops the OpenVPN server on the backup FW from running when it's not the master of the WAN interface. >:(

Any ideas how to achieve my goal?
Everything is easy when you know how, ...and have the right tools, ...and the time, ...and money.

TheLimey
Re: NAT port forward from CARP IP to WAN IP for OpenVPN
« Reply #1 on: January 17, 2018, 05:27:17 pm »
...I take back my workaround idea. The rule I create on the backup is removed when I save any changes to the rule on the primary.  :o

Derelict
Re: NAT port forward from CARP IP to WAN IP for OpenVPN
« Reply #2 on: January 17, 2018, 05:57:35 pm »
Tell your OpenVPN server to listen on localhost.

Create a port forward that forwards your CARP VIP:OpenVPN to 127.0.0.1:OpenVPN port with tracked firewall rules.

Tell your clients to connect to CARP VIP:OpenVPN Port.

And you're done.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
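The three steps above, written out as the pf rules the port forward amounts to (an added illustration, not text from the thread and not pfSense's actual generated ruleset; the interface name `em0`, the VIP `203.0.113.10` and UDP/1194 are assumed placeholders, and the OpenVPN server is bound to localhost with `local 127.0.0.1`, i.e. "Localhost" as the Interface in the pfSense server settings):

```pf
# Assumed placeholders: WAN interface, the shared CARP VIP, the OpenVPN port
wan_if    = "em0"
carp_vip  = "203.0.113.10"
ovpn_port = "1194"

# Redirect VPN traffic that arrives on the CARP VIP to the OpenVPN server
# listening on 127.0.0.1. Neither the VIP nor 127.0.0.1 differs between the
# two nodes, so the identical rule is correct on both and XMLRPC config sync
# no longer has to carry a node-specific WAN address.
rdr on $wan_if inet proto udp from any to $carp_vip port $ovpn_port \
    -> 127.0.0.1 port $ovpn_port

# The "tracked" (associated) filter rule: pf evaluates filter rules after
# translation, so it matches the post-NAT destination, not the VIP.
pass in quick on $wan_if inet proto udp from any to 127.0.0.1 port $ovpn_port \
    keep state
```

Only the node that currently holds the CARP VIP receives the client traffic, while the OpenVPN process itself stays up on both nodes.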

TheLimey
Re: NAT port forward from CARP IP to WAN IP for OpenVPN
« Reply #3 on: January 18, 2018, 11:04:57 am »
GENIUS!!! I knew there must be a simple answer. Thank you very, very much!  :)

Derelict
Re: NAT port forward from CARP IP to WAN IP for OpenVPN
« Reply #4 on: January 18, 2018, 01:34:18 pm »
Excellent.

In that configuration the server is running on both nodes all the time. Whichever holds the CARP VIP gets the traffic from the clients.

You can also bind the OpenVPN server to the CARP VIP (select that instead of WAN in the server config). That makes the server die on the BACKUP node and start on the MASTER node.

I like the port forward technique because it results in fewer things that have to happen on a failover event. Especially as the number of server processes goes up.