Not able to manage HA backup firewall through wireguard VPN.

Started by JayST, January 15, 2025, 04:10:58 PM

I'm running a 24.10.1 HA cluster with Deciso HW appliances. I've run them for quite some time and all works out OK with the CARP addresses on both LAN and WAN.
I'm using a WireGuard VPN to connect to the cluster on the CARP WAN VIP address. This works fine and I can open up the Web GUI of the master node, and I can ping the internal CARP VIP of the management VLAN and the IP of the master node within that management VLAN.

However, I can't ping and/or use the Web GUI of the backup node and I can't figure out why. All is synced; config and interface configuration are the same.
If I fail over from master to backup, WireGuard reconnects perfectly to the backup unit and I can manage it on the Web GUI and ping it on its management IPs.

I'm blind for ideas on where to look. Any hints/tips/questions to get me to manage the backup node through the WG tunnel as well?

You have to NAT the traffic to the master's interface address with an outbound NAT rule, so that response packets come back.

To also catch the case where the primary is the backup, do the following:
Say you want to access the backup using the management VLAN IP. On the primary, add both management IPs to an alias. I call it FW1_FW2.

Then add an outbound NAT rule to the management VLAN interface, use FW1_FW2 for the destination, translation = interface address (default), save.

This rule is synced to the secondary and will then also work, for accessing the primary if it is in backup state.
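As an added illustration of the rule described in the reply above (not text from the thread or from OPNsense itself), here is the pf equivalent of the outbound NAT rule. The reply configures it in the GUI (Firewall: NAT: Outbound); the exact rule text OPNsense generates differs, but the effect is the same. The interface name, the tunnel network and the two management addresses below are assumed values chosen for the example. The reason the rule is needed: without it, the backup node receives the packet on its management interface but sends the reply toward its own default gateway (the WAN), not back into the tunnel that terminates on the master, so the reply never reaches the VPN client.

```pf
# Constructed example; assumed values, not from the thread:
#   vtnet1         = management VLAN interface on each node
#   10.200.0.0/24  = WireGuard tunnel network (addresses of the VPN clients)
#   192.168.50.2   = FW1 (primary) management VLAN address
#   192.168.50.3   = FW2 (secondary) management VLAN address
# The FW1_FW2 alias from the reply becomes a pf macro holding both addresses.
FW1_FW2 = "{ 192.168.50.2, 192.168.50.3 }"

# Packets leaving the management interface from the tunnel network toward either
# node's management address get their source rewritten to the interface's own
# address ("interface address" translation). The node being managed then replies
# to the cluster member that owns the tunnel, which forwards it back to the client.
nat on vtnet1 inet from 10.200.0.0/24 to $FW1_FW2 -> (vtnet1)
```

Because the rule is written in terms of the interface rather than a fixed address, the same rule is correct on whichever node is currently master after sync. To confirm the rule is loaded on a node, `pfctl -s nat` lists the active translation rules.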