Port Forwarding not working in pfSense HA

I have pfSense set up in HA, with CARP, and all is working well except my existing port forwards.

I assume I’m missing something here now that it’s set up in HA. All my internal networking is operating fine, but I cannot reach any of my existing services externally.

For instance, I have some game servers using port 27015, but it is acting as if that port is still closed.

I tried changing the interface from WAN to my CARP IP, but that didn’t help. I keep reading that I need to set it to my “VIP”, but I do not understand what this is.

These are all very simple port forwards, below is the one example I mentioned above. Running pfSense 2.7.2 currently.

One quick detail: I do not have my WAN set up in a CARP, only the firewalls themselves. My ISP/modem allows me to have multiple firewalls/IPs, so each firewall has its own IP/WAN connection. I don’t mind the downtime of switching between them.

If you have an HA setup then you must have a VIP set up as well for your WAN addresses. To find out what it is, look under Firewall > Virtual IPs and find the one whose interface is WAN. Once you figure out what the VIP is, set that under “Destination” in your port forward rule.

Thanks, I’m missing something then.

Not sure how I’d configure my WAN into a “VIP”. The pfSense book only details setting up LAN.

Do you have a block of public IPs from your ISP? You need at least a /29.

Not a static block, no.

I did see I missed the section about also needing to configure WAN into a CARP as well. None of the other tutorials I found mentioned this at all either.

This is a residential setup on Comcast/Xfinity’s new fiber symmetrical speeds network, using an EPON to their regular Xfinity coax modem connected via 2.5g ethernet.

I was told I have 10 DHCP IPs, though it seems to be assigned by hardware MAC. Since I’ve started my service 6 months ago, my IP has never changed, even after equipment restarts. Only when the MAC address changes, does my external IP change.

Right now I have 3 external IPs assigned to my 2 firewalls. The primary firewall I have set up with dual WANs for some load balancing, but I can remove this if necessary. Anyway, all 3 IPs have the same first 2 octets, but the third octet is different on one of them. MAC spoofing also works, so I can move those IPs wherever I need.

So in theory, I could probably assign static IPs and it won’t be a problem (until it is xD).

This ended up being a completely unrelated issue caused by DNS/my domain name host… It’s always DNS…

Hey there! When using pfSense in HA mode, Port Forward rules should use the CARP virtual IP (VIP) rather than the individual WAN interface IP—this ensures the rules stay active regardless of which node is currently master.

Here’s what I’d check:

  • Confirm your CARP VIP is correctly added under Firewall > Virtual IPs, and set the Port Forward to target that VIP.

  • Make sure the port forward rule has the VIP selected as the “destination”, not the static WAN IP.

  • Use Diagnostics > States to verify connections aren’t being blocked or missed.

  • Also, check the firewall rules tied to that interface to ensure the traffic is allowed.

Hope that helps—HA setup can be a bit tricky with VIPs, but once configured right, your game servers should begin working as expected. Let us know how it goes!
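The checklist above can be turned into a quick offline audit of a pfSense config.xml backup. The following is an added example and not part of this thread or of pfSense itself; it assumes the usual config.xml layout (CARP entries under `virtualip/vip` with `mode`, `interface` and `subnet`, port forwards under `nat/rule` with a `destination` that holds either `network` such as `wanip` or an explicit `address`) and uses a constructed sample config rather than any poster's real one. It flags forwards whose destination is the interface address (which only follows the node that owns that WAN IP) instead of a CARP VIP, and also reports interfaces that have no CARP VIP at all, which is the situation the original poster described.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml excerpt (assumed pfSense element layout, not taken from
# the thread): one CARP VIP on WAN plus two port forwards, one aimed at the WAN interface
# address ("wanip") and one aimed at the VIP.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <subnet>203.0.113.10</subnet>
      <subnet_bits>24</subnet_bits>
      <vhid>1</vhid>
      <descr>WAN CARP VIP</descr>
    </vip>
  </virtualip>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><network>wanip</network><port>27015</port></destination>
      <target>192.168.1.50</target>
      <local-port>27015</local-port>
      <descr>Game server (WAN address)</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><address>203.0.113.10</address><port>443</port></destination>
      <target>192.168.1.20</target>
      <local-port>443</local-port>
      <descr>Web (VIP)</descr>
    </rule>
  </nat>
</pfsense>
"""


def carp_vips(root):
    """Map each interface name to the list of CARP VIP addresses defined on it."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        if (vip.findtext("mode") or "").lower() != "carp":
            continue  # ignore IP alias / proxy ARP entries; only CARP VIPs fail over
        iface = vip.findtext("interface") or ""
        vips.setdefault(iface, []).append(vip.findtext("subnet") or "")
    return vips


def audit_port_forwards(config_xml):
    """Return (description, port, finding) for each port forward that will not
    survive a CARP failover, plus a note when the interface has no CARP VIP at all."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    all_vip_addrs = {a for addrs in vips.values() for a in addrs}
    findings = []
    for rule in root.findall("./nat/rule"):
        dest = rule.find("destination")
        if dest is None:
            continue
        iface = rule.findtext("interface") or ""
        descr = rule.findtext("descr") or "(no description)"
        port = dest.findtext("port")
        network = dest.findtext("network")
        address = dest.findtext("address")
        if network and network.endswith("ip"):
            # "<iface>ip" means "interface address": it is this node's own IP, so the
            # forward only answers on whichever node currently holds that address.
            if vips.get(iface):
                msg = f"destination is {network}; use CARP VIP {vips[iface][0]}"
            else:
                msg = f"no CARP VIP on {iface}; forward only follows this node's own address"
            findings.append((descr, port, msg))
        elif address and address not in all_vip_addrs:
            findings.append((descr, port, f"destination {address} is not a CARP VIP"))
    return findings


if __name__ == "__main__":
    for descr, port, msg in audit_port_forwards(SAMPLE_CONFIG):
        print(f"{descr} (port {port}): {msg}")
```

Run against a real backup with `audit_port_forwards(open("config.xml").read())`; a rule that already targets the VIP, like the second sample rule, produces no finding.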

Thanks for the reply.

HA is working fine, and my port forwarding rules are also working fine.

But it just so happened that at the same time I was configuring this HA, my DNS broke for my custom domain. I was not using SSL previously and was somehow still able to use my site via HTTPS. No idea how, but it was working.

I even tested this by restoring my pfSense from a backup, where the issue still occurred. So it was nothing involving the HA configuration.

Working on setting up an nginx proxy/letsencrypt to do this properly. I think after this, it’ll be fine.