Title: Configuring CARP outbound NAT correctly?
Post by: incirrata on December 03, 2018, 06:31:48 pm
I set up CARP using the OPNsense docs, and it mostly works; the firewalls sync and failover correctly. For the sake of example, let's say my setup has the same WAN IPs as the OPNsense docs:

Virtual IP: 172.18.0.100/24

I've made a manual outbound NAT rule with the following settings:

Source Port: *
Destination Port: *
NAT Address: 172.18.0.100
NAT Port: *
Static Port: NO

However, there are two major problems:

I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:

Never add outbound NAT rules that could match the WAN/Public IP addresses of the cluster. This includes both rules that have the public IP addresses listed explicitly and also rules that have any set as a source. These NAT rules will cause other problems/unintended behavior, and will break outbound connectivity from the secondary node when it is in a BACKUP state.

This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to, this seems to be at odds with the OPNsense CARP docs, which state the following:

Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the network to use the CARP virtual interface (

So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?
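An added check, written here and not taken from the poster or from the OPNsense/pfSense projects, that applies the pfSense note quoted above to `pfctl -sn`-style output: it flags manual outbound NAT rules whose source is `any` or whose source network contains one of the cluster's WAN addresses. The sample rule lines, their exact format, and the node addresses 172.18.0.101/.102 are constructed assumptions; only the VIP 172.18.0.100 comes from the post.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sn` output (format assumed,
# not captured from a real OPNsense box).
SAMPLE_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> 172.18.0.100 port 1024:65535
nat on em0 inet from any to any -> 172.18.0.100 port 1024:65535
nat on em0 inet from 172.18.0.0/24 to any -> 172.18.0.100 port 1024:65535
nat on em0 inet from 192.168.2.0/24 to any -> 172.18.0.100 port 1024:65535
"""

# Cluster WAN/public addresses: the CARP VIP from the post plus two
# constructed per-node WAN addresses standing in for the real ones.
CLUSTER_WAN = ["172.18.0.100", "172.18.0.101", "172.18.0.102"]

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<target>\S+)"
)


def source_matches_cluster(src, cluster_ips):
    """Return (flagged, reason) for a rule's source per the pfSense note:
    'any' as source, or a source network that covers a cluster WAN IP."""
    if src == "any":
        return True, "source is any"
    if src.startswith("!"):
        # Negated sources need manual review; not evaluated here.
        return False, ""
    net = ipaddress.ip_network(src, strict=False)
    for ip in cluster_ips:
        if ipaddress.ip_address(ip) in net:
            return True, f"source {src} contains cluster address {ip}"
    return False, ""


def find_risky_nat_rules(rules_text, cluster_ips):
    """Parse NAT rule lines and return [(rule_line, reason)] for rules that
    could match the cluster's WAN addresses as source."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        flagged, reason = source_matches_cluster(m["src"], cluster_ips)
        if flagged:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for rule, reason in find_risky_nat_rules(SAMPLE_RULES, CLUSTER_WAN):
        print(f"RISKY: {reason}\n  {rule}")
```

On a live system the same function can be fed the real output of `pfctl -sn`; rules translating LAN networks to the VIP (as the OPNsense docs describe) are not flagged, only those whose source could include the WAN addresses themselves.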