How to force CARP address as source?

Started by Patrick M. Hausen, April 27, 2021, 09:25:18 AM

Hi all,

I just set up my first two node cluster and generally it went really smooth and painless. One remaining problem. For outgoing connections the active firewall does not use its CARP address but the dedicated address of its interface. This is not a problem with e.g. email or inbound connections to web servers in the DMZ, but it breaks DNS.

172.21.32.254 is the CARP address, 172.21.32.252 is the interface address. Exchange of packets from a client system:

09:20:49.703140 IP 172.21.32.203.61627 > 172.21.32.254.domain: 4+ A? bild.de. (25)
09:20:49.703219 IP 172.21.32.252.domain > 172.21.32.203.61627: 4 2/0/0 A 145.243.240.20, A 145.243.248.20 (57)

So the answer is sent from the wrong address, which the client of course rejects.

I tried to force the address with an outbound NAT rule on LAN internal interface. But that seems not to work - see screenshot. What did I do wrong?

Kind regards,
Patrick

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
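The mismatch in the two tcpdump lines above (query sent to the CARP VIP .254, answer returned from the interface address .252) is easy to spot by eye for one exchange, but on a busy capture it helps to pair queries with their replies mechanically. The following Python script is an added example, not code from the thread or from OPNsense/AdGuard: it parses tcpdump's DNS summary lines, pairs each reply with its query by client address, client port and transaction ID, and reports every reply whose source address differs from the address the client actually asked. The capture text is constructed from the lines in the post plus one well-behaved exchange for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample capture, modelled on the tcpdump lines in the post.
# Exchange 1: query to the CARP VIP .254, reply from the interface address .252.
# Exchange 2 (constructed, example.org / 192.0.2.10): reply correctly from .254.
SAMPLE_CAPTURE = """\
09:20:49.703140 IP 172.21.32.203.61627 > 172.21.32.254.domain: 4+ A? bild.de. (25)
09:20:49.703219 IP 172.21.32.252.domain > 172.21.32.203.61627: 4 2/0/0 A 145.243.240.20, A 145.243.248.20 (57)
09:21:03.100000 IP 172.21.32.203.61628 > 172.21.32.254.domain: 5+ A? example.org. (29)
09:21:03.100200 IP 172.21.32.254.domain > 172.21.32.203.61628: 5 1/0/0 A 192.0.2.10 (45)
"""

# tcpdump summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <rest>"
# Ports may appear numerically (61627) or as service names (domain).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<txid>\d+)(?P<flags>[+*$|-]*) "
)


@dataclass
class DnsPacket:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    txid: int
    is_query: bool


def parse_line(line: str):
    """Parse one tcpdump DNS summary line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    # A query shows the question as "<TYPE>? <name>"; replies show answer counts instead.
    is_query = re.search(r"\b[A-Z]+\?", rest) is not None
    return DnsPacket(
        ts=m["ts"], src=m["src"], sport=m["sport"],
        dst=m["dst"], dport=m["dport"], txid=int(m["txid"]), is_query=is_query,
    )


def find_source_mismatches(capture: str):
    """Return (queried_address, reply_source, txid) for every reply whose
    source address is not the address the client sent the query to."""
    pending = {}      # (client_ip, client_port, txid) -> query packet
    mismatches = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.is_query:
            pending[(pkt.src, pkt.sport, pkt.txid)] = pkt
            continue
        query = pending.pop((pkt.dst, pkt.dport, pkt.txid), None)
        if query is None:
            continue  # reply without a matching query in this capture
        if pkt.src != query.dst:
            mismatches.append((query.dst, pkt.src, pkt.txid))
    return mismatches


if __name__ == "__main__":
    for asked, answered_from, txid in find_source_mismatches(SAMPLE_CAPTURE):
        print(f"txid {txid}: client asked {asked}, reply came from {answered_from}")
```

Run it against `tcpdump -n -i <lan> udp port 53` output piped into a file (read the file instead of `SAMPLE_CAPTURE`); a resolver that binds to the VIP, or that answers from the destination address of the incoming request, produces no output. Note that the pairing key uses the port exactly as tcpdump prints it, so run tcpdump with `-n` consistently (or not at all) so that query and reply lines use the same representation.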

What happens when your CARP IP is lower than the physical one?
Never saw this, but usually my VIP is .1 and the physical ones are like .251 and .252.

Can't do that - the addresses are cast in concrete.

When I do an inbound NAT port forward directly to BIND, things seem to work. Probably AdGuard is the culprit here, not keeping track of the receiving interface for a request. Even if I port forward to AdGuard on 127.0.0.1:53 it will answer from .252 on the LAN. BIND, as in the screenshot, works.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Uh, so it would be better to also report it to AdGuard via GitHub; I'd also like to track it there.

April 27, 2021, 04:40:10 PM #4 Last Edit: April 27, 2021, 04:41:50 PM by pmhausen
https://github.com/AdguardTeam/AdGuardHome/issues/3015

We uninstalled AdGuard Home for the time being. This is a commercial production environment and AdGuard was a "nice to have, let's try it" feature anyway. Now I use port forwarding NAT to throw all requests at BIND, which is listening on 127.0.0.1:53. Works well with all CARP addresses.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)