"Quote from: RussM on February 07, 2025, 08:57:50 PMYou, Kind Sir, are a lifesaver. I had configured outbound NAT in accordance with the Config CARP documentation, so had automatic rules disabled, and one manually-defined rule:
OUTSIDE/any/*/*/*/outside VIP
Your post made me realize what I needed to do. I added a new rule above that one so it is matched first:
OUTSIDE/This Firewall/*/*/*/OUTSIDE address
I then tested outbound comms from the secondary unit, confimed that ping, nslookup, and then firmware status & update checks all worked... so I then ssh'd into a couple of machines on the main network (upstream of the OPNsense pair, and verified that the source NAT address is in fact the OUTSIDE Virtual IP.
It seems like defining that rule should be specified as a requirement in the HA/CARP docs. Without that rule, the instructions in the Updating a CARP HA Cluster section in the Configuring CARP doc will not work... it was trying to follow that procedure that got me going down this rabbit hole.
I just wanted to say thank you for this. I got stuck with the same situation. After creating the same rule, I was able to get outbound traffic working on my secondary unit.
I agree with you 100% that the documentation needs to be updated. Even other guides that I've come across don't even mention the additional rule. I don't see how it would even be possible to update the secondary unit without the rule you described above (while in BACKUP).
Anyway, thank you so much!
