
Author Topic: OpenVPN + CARP + MultiWAN  (Read 1926 times)


Offline bill_mcgonigle

  • Jr. Member
  • Posts: 45
  • Karma: +0/-0
OpenVPN + CARP + MultiWAN
« on: March 09, 2012, 02:56:47 am »
Hi, all,

I had a nice failover setup working with OpenVPN and Multi-WAN, using 'any' binding.  After I added CARP VIPs, this stopped working:

Chris says there, "In some circumstances with multi-WAN you can't use any and that's probably where you're going wrong."

Question 1:

Can anybody explain what those circumstances are?  I'd like to offer a patch that would keep users out of that situation.

Question 2:

I've tried port forwarding from my WAN CARP address to the LAN CARP address.  This works for TCP OpenVPN connections, but for UDP OpenVPN connections, it doesn't.  If I try logging on the associated filter rule, I never see anything.  If I capture packets on the hardware interface, I see inbound packets.  If I capture on the 'vip' interface, I don't see any packets (should I?).

Anyway, I suspect somehow TCP's state tracking is helping NAT work here, but I've seen others post that they've got this working with UDP, so I'm wondering what might be different.
« Last Edit: March 09, 2012, 03:11:11 am by bill_mcgonigle »

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 21840
  • Karma: +1526/-26
Re: OpenVPN + CARP + MultiWAN
« Reply #1 on: March 13, 2012, 02:06:50 pm »
With UDP on multi-WAN, the return traffic will follow the default route when bound to "any"; it has nothing to do with CARP.

The usual fix is to bind the OpenVPN instance to the LAN address and add port forwards from each WAN into the LAN IP on the OpenVPN port. Works just fine that way.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
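The setup jimp describes, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from pfSense's generated ruleset; interface names, the WAN CARP VIP addresses, gateways and the LAN address are assumed values. It pairs with an OpenVPN server config that carries `local 192.168.1.1` (binding the listener to the LAN address) instead of omitting `local`, which is the "any" binding that lets the UDP reply fall onto the default route.

```pf
# Added example: per-WAN port forwards to a LAN-bound OpenVPN listener.
# Assumed addresses (not from the thread):
#   WAN1 = em0, CARP VIP 203.0.113.11, gateway 203.0.113.1
#   WAN2 = em1, CARP VIP 198.51.100.11, gateway 198.51.100.1
#   LAN  = em2, OpenVPN bound to 192.168.1.1 via "local 192.168.1.1", udp/1194
wan1_if  = "em0"
wan1_vip = "203.0.113.11"
wan1_gw  = "203.0.113.1"
wan2_if  = "em1"
wan2_vip = "198.51.100.11"
wan2_gw  = "198.51.100.1"
ovpn_ip   = "192.168.1.1"
ovpn_port = "1194"

# Port forward from each WAN CARP VIP to the LAN IP on the OpenVPN port.
rdr on $wan1_if proto udp from any to $wan1_vip port $ovpn_port -> $ovpn_ip port $ovpn_port
rdr on $wan2_if proto udp from any to $wan2_vip port $ovpn_port -> $ovpn_ip port $ovpn_port

# Pass the forwarded traffic and pin each state's reply to the gateway of the
# WAN it arrived on. Without reply-to, the UDP reply sent from the LAN IP
# would follow the default route, which is the failure jimp describes for
# a listener bound to "any".
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) proto udp \
    from any to $ovpn_ip port $ovpn_port keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) proto udp \
    from any to $ovpn_ip port $ovpn_port keep state
```

To check that it behaves as intended: `pfctl -sn` should list both rdr rules, `pfctl -ss | grep 1194` should show a state for a client connecting through either WAN, and a capture on the physical WAN interface (not a VIP pseudo-interface) should show the reply leaving via the same WAN the request arrived on.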