VRRP + DST-NAT

n3kochan · June 3, 2024, 9:04pm

Hello everyone! I’m trying to create HA firewall, which will dst-nat traffic from outside to local network, but I can’t understand how to do this. If i enable sync-connection-track=yes all dnat’ed connections are synced to backup router, but without dstnat flag and them are not src-natted(and dst-natted) by backup router [they are routed as-is from LAN to WAN without any address translation], but SRC-NAT works fine, if I trying to connect from LAN to WAN and shutting down master router connection does not dropping. Can anyone help with that?

(https://imgur.com/a/O3EiSn4)

rplant · June 4, 2024, 4:14am

Not sure, but

They should be using src-nat rather than masquerade
dst-nat rules are same on both routers

n3kochan · June 4, 2024, 2:30pm

DST-NAT rules are same on both routers and I’m using SRC-NAT to hide LAN behind WAN IP

Amm0 · June 4, 2024, 3:16pm

Connection tracking is confusing. So I’m not sure, especially how NAT is handled.

But my first thought would be to disable fast-track rule (if enabled) to see if that changes this “d” vs “s”.

n3kochan · June 4, 2024, 4:12pm

Fast-track is disabled everywhere it can be disabled, any configuration I’ve tried syncs SRC-NAT but not DST-NAT