Bug #16457 (Closed)
OpenVPN server does not serve on CARP interface when set in /30 single public IP configuration
Description
Multi-WAN, 2-node pfSense configuration. WAN1 is provided as a private NATted subnet. WAN2 is provided as a public IP address (/30 mask).
Because only a single public IP is available, the CARP members have private IPs with no gateway specified. Their Virtual IP is configured with that public IP.
Everything works smoothly for outbound traffic.
Inbound traffic, however, is the problem. The firewall rule allowing OpenVPN traffic passes it to the CARP VIP, but the reply goes back to the client through the other WAN interface and thus the other provider.
Action  Time                              Interface  Source              Destination         Protocol
        2025-10-01 20:38:04.995326+02:00  WAN        192.168.5.4:29189   89.x.166.179:57856  TCP:SA
        2025-10-01 20:38:04.995269+02:00  WANBACKUP  89.x.166.179:57856  82.x.197.22:1194    TCP:S

[2.8.1-RELEASE]/root: pfctl -vvss | grep 89.x.166.179
hn5 tcp 82.x.197.22:1194 <- 89.x.166.179:50502       CLOSED:SYN_SENT
Is this limitation in the platform or just a bug?
Thanks
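The symptom in the report is visible in the two firewall-log rows: the SYN arrives on WANBACKUP addressed to the CARP VIP, but the SYN-ACK leaves on WAN with a rewritten source. The following is an added example, not part of the bug report or of pfSense: a small parser over rows in the same layout as the report's log export (time, interface, source, destination, protocol:flags) that pairs each SYN with its SYN-ACK and flags handshakes whose reply left on a different interface than the request came in on. The log rows are constructed with documentation addresses (198.51.100.0/24 for clients, 203.0.113.2 for the VIP); only the interface names WAN and WANBACKUP are taken from the report.

```python
"""
Detect asymmetric TCP handshakes in pfSense-style firewall log rows: a SYN
that arrived on one interface whose SYN-ACK went out on a different one.
Added example with constructed data; not code from the bug report or pfSense.
"""
import re

# One row of the Status > System Logs > Firewall export, as shown in the report:
#   <date> <time+offset> <interface> <src>:<sport> <dst>:<dport> TCP:<flags>
ROW = re.compile(
    r"^(?P<time>\S+ \S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>[A-Z]+)$"
)

# Constructed sample (documentation addresses). First pair reproduces the
# report's shape: SYN in on WANBACKUP, SYN-ACK out on WAN with a NATted source.
# Second pair is a healthy, symmetric handshake on WANBACKUP.
SAMPLE_LOG = """
2025-10-01 20:38:04.995326+02:00 WAN 192.168.5.4:29189 198.51.100.7:57856 TCP:SA
2025-10-01 20:38:04.995269+02:00 WANBACKUP 198.51.100.7:57856 203.0.113.2:1194 TCP:S
2025-10-01 20:40:11.000100+02:00 WANBACKUP 203.0.113.2:1194 198.51.100.9:40000 TCP:SA
2025-10-01 20:40:11.000000+02:00 WANBACKUP 198.51.100.9:40000 203.0.113.2:1194 TCP:S
"""


def parse_rows(text):
    """Parse log text into dicts; rows that do not match the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            rows.append(d)
    return rows


def find_asymmetric(rows):
    """Return one finding per handshake whose SYN-ACK left on a different
    interface than the SYN arrived on. Works regardless of row order, since
    the export is newest-first (the SYN-ACK appears before the SYN)."""
    # (client_ip, client_port) -> (ingress iface, service ip, service port)
    syn_in = {}
    for r in rows:
        if r["flags"] == "S":
            syn_in[(r["src"], r["sport"])] = (r["iface"], r["dst"], r["dport"])

    findings = []
    for r in rows:
        if r["flags"] != "SA":
            continue
        client = (r["dst"], r["dport"])  # SYN-ACK is addressed back to the client
        if client not in syn_in:
            continue
        in_iface, svc_ip, svc_port = syn_in[client]
        if r["iface"] != in_iface:
            findings.append({
                "client": f"{client[0]}:{client[1]}",
                "service": f"{svc_ip}:{svc_port}",
                "in_iface": in_iface,
                "out_iface": r["iface"],
                "reply_src": f"{r['src']}:{r['sport']}",
                # True when outbound NAT on the egress WAN rewrote the reply
                # source, so the client sees a SYN-ACK from a stranger and drops it
                "src_rewritten": r["src"] != svc_ip,
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric(parse_rows(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['service']}: SYN in on {f['in_iface']}, "
              f"SYN-ACK out on {f['out_iface']} as {f['reply_src']}"
              f"{' (source rewritten by NAT)' if f['src_rewritten'] else ''}")
```

Two things to check when this fires on a CARP/multi-WAN box: whether the interface the SYN arrived on has a gateway set (pfSense only adds reply-to, which pins the reply to the ingress interface, to rules on interfaces with a gateway; the report says the WAN2 members have none), and whether an outbound NAT rule on the other WAN matches the reply, which is what turns the VIP's source address into a private member address on the way out.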
Updated by Jim Pingle 2 days ago
- Status changed from New to Not a Bug
Almost certainly a configuration issue, not a bug. Post on the forum for assistance.
Updated by Siniša Radas 1 day ago
I solved it by "illegally" broadening the network mask from /30 to /28, which puts both WAN2 interfaces in the same (public) subnet, so they use the CARP Virtual IP in the same subnet - the usual configuration. Nothing else worked. It seems that a /30 CARP Virtual IP does not know how to forward traffic to private-IP members when used for a VPN server, for example.
I don't know yet what the implications of this could be.