Topic: OPNSense updates with Outbound NAT in high availability / CARP configuration (Read 2073 times)
kgleason (Newbie, Posts: 2, Karma: 0)
OPNSense updates with Outbound NAT in high availability / CARP configuration
Posted on: April 14, 2023, 09:01:51 pm
Hello,
I have 2 identical firewall units with a business license. I'm trying to get them ready to go to production, but I've hit a snag, and I don't understand how to fix it.
Each unit has a unique IP address on 2 WANs. In addition, each WAN connection has a CARP VIP. I have manual NAT rules generation enabled and I have an OB NAT rule set up for each WAN interface to NAT the traffic to the CARP VIP. When I send traffic out, it works like a charm -- the source IP is the VIP.
The challenge that I'm facing is that the secondary unit is not able to get updates from Deciso. The traffic is exiting the secondary unit from the NAT IP, and the return traffic is rejected by the primary unit because it is a state violation. It all makes perfect sense.
I set up an FW alias that has the Deciso update server's hostname and IP in it, and I've created an additional OB NAT rule that says Do Not NAT traffic to that destination. I've tried putting this specific OB NAT above (in the UI) the catch-all NAT rules. I've tried putting it below. No matter what I do, it doesn't seem to work. Everything seems to show up in the logs with a "let out anything from firewall host itself" label. That's a floating FW rule that seemingly can't be disabled. It's also flagged as "last match", so I would think that other rules, including a specific allow out rule I created on the interface, would be used first, since they are set as "first match."
I have disabled forced gateway mode. And I have tried disabling service binding on the VIP.
I've attached a screenshot of my OB NAT configuration.
Any advice anyone may have is very appreciated. Also, if anyone can confirm that the OB NAT rules are processed as first match, that would be awesome.
Thanks in advance.
Edit:
I do realize that I could work around this problem by putting the primary unit into persistent CARP maintenance mode. But that is only a short-term fix. Ideally I'd be able to have the secondary device automatically download updates, and then have the primary unit do so a couple of hours later. But since the secondary can't get updates, I'm stuck.
Last Edit: April 14, 2023, 09:14:04 pm by kgleason
kgleason (Newbie, Posts: 2, Karma: 0)
Re: OPNSense updates with Outbound NAT in high availability / CARP configuration
Reply #1 on: April 14, 2023, 09:54:21 pm
A coworker gave me a janky but functional solution -- a static route to send this traffic back to an internal router, which allows it to route out normally.
Not the best solution, but it seems to be doing the trick.
Patrick M. Hausen (Hero Member, Posts: 6825, Karma: 573)
Re: OPNSense updates with Outbound NAT in high availability / CARP configuration
Reply #2 on: April 14, 2023, 10:39:10 pm
Don't NAT traffic from the firewall itself. If you have the luxury of routable external addresses for each unit, just use them.
Change your outbound NAT rules to read "from internal networks (group or whatever fits) to any NAT to CARP VIP".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
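The following pf fragment is an added illustration of the two outbound NAT shapes this thread contrasts; it is not OPNsense-generated output and not either poster's configuration. OPNsense writes its outbound NAT table as pf translation rules, which pf evaluates first-match (the first `nat`/`no nat` rule whose selector matches decides). The interface name and all addresses below are constructed (RFC 5737 documentation space). It shows the catch-all rule that also rewrites the firewall's own traffic, the scoped rule Reply #2 recommends, and, as an alternative where the catch-all must stay, an exclusion for the unit's own address placed above it:

```pf
# Added example, not from the thread. Names and addresses are constructed.
ext_if   = "igb0"
lan_net  = "192.168.10.0/24"
carp_vip = "203.0.113.10"      # shared CARP VIP on the WAN
self_ip  = "203.0.113.12"      # this unit's own, unique WAN address

# Shape 1 (the problem described in the first post): a catch-all that also
# rewrites packets the firewall itself originates (package updates, DNS, NTP).
# On the secondary unit the reply is addressed to the VIP and therefore lands
# on the primary, which holds no state for that flow and drops it.
# nat on $ext_if from any to any -> $carp_vip

# Shape 2 (the advice in Reply #2): translate only forwarded traffic from the
# internal networks. Traffic the firewall originates leaves from $self_ip
# untranslated, so its replies return to the unit that created the state.
nat on $ext_if from $lan_net to any -> $carp_vip

# Alternative if the catch-all must remain: because translation rules are
# first-match, an exclusion for the unit's own address listed above the
# catch-all keeps firewall-originated traffic on $self_ip.
# no nat on $ext_if from $self_ip to any
# nat on $ext_if from any to any -> $carp_vip
```

In the OPNsense UI the `nat ... from $lan_net` line corresponds to an outbound NAT rule whose source is the internal network (or an alias/group of them) rather than "any", and the `no nat` line corresponds to a rule with the "Do not NAT" option, ordered above the catch-all.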