I had a nice failover setup working with OpenVPN and Multi-WAN, using 'any' binding. After I added CARP VIPs, this stopped working: https://redmine.pfsense.org/issues/2273
Chris says there, "In some circumstances with multi-WAN you can't use any and that's probably where you're going wrong."
Can anybody explain what those circumstances are? I'd like to offer a patch that would keep users out of that situation.
I've tried port forwarding from my WAN CARP address to the LAN CARP address. This works for TCP OpenVPN connections, but for UDP OpenVPN connections, it doesn't. If I try logging on the associated filter rule, I never see anything. If I capture packets on the hardware interface, I see inbound packets. If I capture on the 'vip' interface, I don't see any packets (should I?).
Anyway, I suspect somehow TCP's state tracking is helping NAT work here, but I've seen others post that they've got this working with UDP, so I'm wondering what might be different.