OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: incirrata on December 03, 2018, 06:31:48 pm

Title: Configuring CARP outbound NAT correctly?
Post by: incirrata on December 03, 2018, 06:31:48 pm
I set up CARP using the OPNsense docs, and it mostly works; the firewalls sync and failover correctly. For the sake of example, let's say my setup has the same WAN IPs as the OPNsense docs:

Primary172.18.0.101/24
Secondary172.18.0.102/24
Virtual IP172.18.0.100/24

I've made a manual outbound NAT rule with the following settings:

InterfaceWAN
Sourceany
Source Port*
Destination*
Destination Port*
NAT Address172.18.0.100
NAT Port*
Static PortNO

However there are two major problems:


I tried everything I could think of to fix this, and eventually I found the following note in the pfSense CARP docs:

Quote
Never add outbound NAT rules that could match the WAN/Public IP addresses of the cluster. This includes both rules that have the public IP addresses listed explicitly and also rules that have any set as a source. These NAT rules will cause other problems/unintended behavior, and will break outbound connectivity from the secondary node when it is in a BACKUP state.

This exactly describes at least one of my problems. Assuming "the WAN/Public IP addresses of the cluster" would refer to 172.18.0.100, this seems to be at odds with the OPNsense CARP docs, which state the following:

Quote
Go to Firewall -> NAT and select outbound nat. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).

So, if you aren't supposed to use the WAN virtual IP, which NAT address should be used to set up outbound NAT correctly?