OPNsense Forum » Archive » 23.1 Legacy Series » CARP implementation in weird setup
Topic: CARP implementation in weird setup (Read 570 times)
mmaridev
Newbie
Posts: 10
Karma: 0
CARP implementation in weird setup
« on: March 31, 2023, 02:31:55 pm »
Hi,
I'm trying to set up OPNsense to route public IPs to a specific interface but still keep them subject to the firewall rules.
What's working
Setting up a static ARP on the WAN switch or manually telling the upstream to route through the OPNsense WAN IP. In this situation the WAN IP address of OPNsense is a CGNAT address /32 and it correctly receives packets for the public IPs. I then
Code:
route add -host PUB.LI.C.IP -interface vtnet2
and set a rule to allow ICMP on WAN with destination PUB.LI.C.IP. From the outside I am then able to correctly ping the machine behind OPNsense. In this context, on vtnet2 OPNsense also has a CGNAT IP /32 and the VM has PUB.LI.C.IP/32 as IP and the OPNsense as far gateway.
The setup works just fine and accomplishes the goal of terminating the public IP on the VM without natting.
What's NOT working
The same setup but using CARP. I was trying to understand if it's possible to make this setup HA, so I started configuring a master node. I see that, once I create a CARP IP from the Web GUI, a route for the public IP on lo0 gets created. I then have to drop this route in order to re-create it on vtnet2. This - apparently - somehow breaks the routing. At this point OPNsense can ping the VM on the LAN CGNAT IP and vice versa, but pinging an external address from the VM results in no answer. From tcpdump I see ICMP replies hit the WAN interface but they are never routed on vtnet2.
I might be wrong but I feel like it's just a small configuration issue, just can't figure out what's messed up.
Any help would be appreciated.
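An added diagnostic example (not from the original post) that checks, from FreeBSD `netstat -rn -f inet` output, whether the public /32 host route sits on lo0 (where the CARP VIP places it) or on the intended vtnet2. The routing table below is constructed, with 203.0.113.10 standing in for PUB.LI.C.IP and 100.64.x.x for the CGNAT addresses.

```shell
#!/bin/sh
# Added example, not the poster's code: report which interface the
# host route for a public /32 sits on. Creating a CARP VIP adds the
# address as a host route on lo0; for the setup described above it
# must instead be an interface route on vtnet2.

# Constructed sample in FreeBSD "netstat -rn -f inet" layout
# (Destination Gateway Flags Netif Expire).
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            100.64.0.1         UGS        vtnet0
100.64.0.0/32      link#1             U          vtnet0
100.64.1.0/32      link#3             U          vtnet2
127.0.0.1          link#2             UH         lo0
203.0.113.10       link#2             UHS        lo0'

# host_route_netif ROUTES IP: print the Netif of the exact host route for IP
host_route_netif() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $4; exit }'
}

# check_public_route ROUTES IP WANT_IF: prints one of
#   ok        host route is on WANT_IF
#   on-lo0    host route is the CARP-created lo0 route (not yet moved)
#   wrong:IF  host route is on some other interface
#   missing   no host route for IP at all
check_public_route() {
    netif=$(host_route_netif "$1" "$2")
    if [ -z "$netif" ]; then
        echo missing
    elif [ "$netif" = "$3" ]; then
        echo ok
    elif [ "$netif" = lo0 ]; then
        echo on-lo0
    else
        echo "wrong:$netif"
    fi
}

# Stand-alone run against the constructed table; on a live box you would
# pass "$(netstat -rn -f inet)" in place of SAMPLE_ROUTES.
check_public_route "$SAMPLE_ROUTES" 203.0.113.10 vtnet2   # prints on-lo0
```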