Outbound NAT in HA over CARP IP not working

Started by tomclewes, November 14, 2020, 12:09:29 AM

November 14, 2020, 12:09:29 AM Last Edit: November 14, 2020, 12:15:11 AM by tomclewes
Hi

I have two firewalls set up in HA, mostly set up now, including CARP for each interface including WAN.

I am able to reach the CARP IP externally and have run a failover test using CARP whilst running a ping check, and all works as expected.

As per the documentation on HA, it says to adjust outbound NAT as follows:

Setup outbound NAT

When traffic is going out of the firewall it should also use the virtual IP address to make a seamless migration possible. The default for OPNsense is to use the interfaces IP address, which is in our case the wrong one.

Go to Firewall ‣ NAT ‣ Outbound. Choose manual outbound nat on this page and change the rules originating from the 192.168.1.0/24 network to use the CARP virtual interface (172.18.0.100).


However, when setting up the above, the devices on that given network lose internet access. Screenshot attached from my test environment.

My test environment uses internal IPs, but I am having the same issue with a customer's environment which uses public IPs.

Setup of the customer side is as follows:

Primary firewall
LAN IP: 10.0.0.253
LAN VIP: 10.0.0.254
WAN IP: XXX.XX.XX.169
VIP (CARP) IP: XXX.XX.XX.168
Gateway IP: XXX.XX.XX.161

Secondary firewall
LAN IP: 10.0.0.252
LAN VIP: 10.0.0.254
WAN IP: XXX.XX.XX.170
VIP (CARP) IP: XXX.XX.XX.168
Gateway IP: XXX.XX.XX.161

Any help is much appreciated.

Usually this works perfectly. Maybe split brain and both are master?

Quote from: mimugmail on November 14, 2020, 07:03:23 AM
Usually this works perfectly. Maybe split brain and both are master?

Have checked and master / backup status shows as expected on both.

Had also tested failover and that worked as expected.

Then you have to check with a packet capture what's going wrong.

November 14, 2020, 06:15:59 PM #4 Last Edit: November 14, 2020, 06:19:29 PM by tomclewes
Quote from: mimugmail on November 14, 2020, 01:28:39 PM
Then you have to check with a packet capture what's going wrong.

Hi mimugmail

Thank you for your assistance. Having done a packet capture, I could see [No response seen], which got me thinking.

There is one piece of information which I failed to mention and should have mentioned.

My firewalls are virtualised on a VMware host (ESXi). Having toggled promiscuous mode on the port group on the ESXi host, it started working as expected and routing via the VIP.

I didn't think this would be required, as it was working inbound but not outbound.

I can't see this mentioned in the documentation and feel it would be worth adding to the common issues section of 'Virtual & Cloud based Installation', so I will make a suggestion to the team.
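The two checks this thread turned on, as an added example that is not part of any post above and not OPNsense's own code: first, whether packets leaving the WAN actually carry the CARP VIP as source (the point of the manual outbound NAT rule quoted in the opening post), and second, outbound SYNs that never get a SYN/ACK back (the "[No response seen]" symptom that led to the ESXi port-group fix). The script runs over constructed tcpdump-style lines so it works offline; on a real node you would feed it a capture taken on the WAN interface instead. The addresses, interface name and capture filter are assumptions (the thread masks the real ones).

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense project.
# Checks a WAN-side capture for two things:
#   1. which source address outbound packets actually carry (CARP VIP vs. the
#      interface's own IP), i.e. whether the manual outbound NAT rule took effect;
#   2. outbound SYNs that never got a SYN/ACK back ("[No response seen]").
# On a real node you would capture with something like (interface name assumed):
#   tcpdump -nni vmx1 -c 200 'tcp and not proto carp' > /tmp/wan.txt
# and pass /tmp/wan.txt to the functions; SAMPLE below is constructed so the
# script runs offline. Addresses are assumed, taken from documentation ranges.

VIP="203.0.113.168"    # assumed CARP VIP on WAN
IFIP="203.0.113.169"   # assumed WAN interface IP of the primary node

# Constructed tcpdump -nn style output: one flow NATed to the VIP and answered,
# one flow still leaving with the interface IP and retransmitting its SYN.
SAMPLE='12:00:01.000001 IP 203.0.113.168.51234 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 198.51.100.10.443 > 203.0.113.168.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 203.0.113.169.51235 > 198.51.100.10.443: Flags [S], seq 3, win 65535, length 0
12:00:03.000001 IP 203.0.113.169.51235 > 198.51.100.10.443: Flags [S], seq 3, win 65535, length 0'

# capture [FILE]: emit FILE if given, otherwise the constructed SAMPLE.
capture() {
  if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE"; fi
}

# count_src IP [FILE]: number of packets whose source address is IP.
count_src() {
  capture "${2:-}" | awk -v ip="$1" '
    $2 == "IP" {
      n = split($3, a, ".")              # tcpdump prints addr.port; drop the port
      src = a[1] "." a[2] "." a[3] "." a[4]
      if (n == 5 && src == ip) c++
    }
    END { print c + 0 }'
}

# unanswered_syns [FILE]: number of distinct outbound src.port pairs that sent
# a SYN and never saw a SYN/ACK addressed back to them.
unanswered_syns() {
  capture "${1:-}" | awk '
    $2 == "IP" && $7 ~ /^\[S\],/  { sent[$3] = 1 }                      # SYN: key on src.port
    $2 == "IP" && $7 ~ /^\[S\.\],/ { d = $5; sub(/:$/, "", d); got[d] = 1 } # SYN/ACK: its dst is our src.port
    END { n = 0; for (k in sent) if (!(k in got)) n++; print n }'
}

# nat_source [FILE]: "vip", "interface", "mixed" or "none", depending on
# which address the outbound packets carry.
nat_source() {
  v=$(count_src "$VIP" "${1:-}"); i=$(count_src "$IFIP" "${1:-}")
  if [ "$v" -gt 0 ] && [ "$i" -gt 0 ]; then echo mixed
  elif [ "$v" -gt 0 ]; then echo vip
  elif [ "$i" -gt 0 ]; then echo interface
  else echo none; fi
}

echo "outbound NAT source: $(nat_source)"        # mixed
echo "unanswered SYNs:     $(unanswered_syns)"   # 1
```

If `nat_source` reports `interface` after the manual outbound NAT change, the rule is not matching (wrong source network, wrong interface, or the automatic rules are still in front of it). If it reports `vip` but `unanswered_syns` is non-zero, the NAT is correct and the replies are being lost on the way back, which is the case this thread ended in: CARP answers for the VIP from the virtual MAC 00:00:5e:00:01:&lt;VHID&gt; rather than the vNIC's own MAC, so on an ESXi standard vSwitch the port group's security policy needs promiscuous mode (and, for the same reason, MAC address changes and forged transmits) set to Accept. The `esxcli network vswitch standard portgroup policy security set` command with `--allow-promiscuous=true`, `--allow-mac-change=true` and `--allow-forged-transmits=true` is the host-side equivalent of the UI toggle the poster used; confirm the exact option names against your ESXi version.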

I think most guides, when it comes to HA and virtual, talk about promisc mode. Are you sure there is no doc bit?