CARP with /31 and /29 WAN Address Blocks
-
The CARP VIP for WAN needs to work on both connections so I'm not sure how that would work. The ISP would need to be routing traffic to one of the two WAN IPs (one of the two connections) which sounds more like SD-WAN to me.
Our data center for example has a /29 used across both routers using two addresses and the CARP VIP going to a switch, and there is of course just one WAN cable reaching into the data center. The HA benefits there are 1) if router1 fails no one notices, and 2) we can upgrade and reboot at our leisure, even during the day. We have a /25 in use on the LAN side, and it is being routed to the CARP VIP that is in the /29.
-
@mitchell-0 Tell your ISP you need three /29s. One for each WAN and one routed so you can run High Availability routers.
They should understand (though they might charge a little more.)
/31s are great when they are sufficient. In your case they are not.
-
@mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:
Is there likely to be any problems associated with using addresses within the /29 blocks against the secondary WAN interfaces and for CARP VIPs?
Yes. The /29s will be routed to the /31 addresses on the other node.
-
@derelict Thanks, I'll look at contacting them today and explain the situation. We also have another site with the same configuration (Same ISP) so I suppose it will ultimately depend if they are willing to hand out that many addresses between 4 connections in total.
I know from previously we did have to fill out the required RIPE forms just to get the additional /29 blocks at the side of the /31 and going for anything larger had to be justified. I suppose it is understandable given the state of IPv4 addresses.
I wasn't sure if we could use a workaround in the event they cannot offer up the additional address blocks, although I suspect this would likely require a router or Layer 3 switch to sit behind both firewalls and using NAT with private addressing on the WAN interfaces. Not something I'm a fan of doing as it just adds a whole other area of complexity.
-
@mitchell-0 High Availability on the interfaces should be enough justification for /29s on the interfaces.
-
@derelict I have sent our requirements to our ISP and they seem happy to have a look at this for us.
Many thanks.
-
@mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:
t our requirements to our ISP and they seem happy to have a look at this for us.
Many thanks.
I guess you have Top Of Rack switches? Right?
Does your ISP use BGP? If yes, I guess the /31s are 198.something. In that case, they're used for the ISP BGP AS connection. Then, you could do VRRP or HSRP with your /29 and add this /29 in the addressed network to your ISP.
The idea is that the pfSenses at the end don't know your /31. /31s are just used for BGP sessions.
Your TOR needs to be L3 TOR of course.
I could give you more info if you need.
-
@misterto We do have two Layer 3 Top of Rack switches that act as our collapsed core. These are Dell S4128F models configured with VLT and peer-routing for our internal VLANs. We aren't using any dynamic routing protocols at the moment, just static routes present on pfSense for the VLAN subnets on the switches.
The /31s are 185. addresses.
I have been caught up with other projects recently so just waiting to hear back from our ISP. We have requested the /31 subnets on each WAN connection be changed to /29s and we will keep the existing routed /29 blocks that they have supplied us.
Many thanks.
-
Hi all,
Bumping this thread as we have finally gotten the IP subnet requirements from our ISP and just wanted to double check before we go ahead with the firewall configurations. Apologies as this had taken longer than we initially expected due to a lot of back and forth.
Our ISP has converted our existing WANs from /31s to /29s and have also retained our existing routed /29 subnets that were already in place, effectively giving us two /29s per physical WAN.
As the WAN subnets are in a different IP range from the additional routed /29 subnets, what is the best way to add the additional addresses from the routed subnets so that they sync between firewalls without causing an IP conflict?
I've read about adding these as additional IP Aliases with the interface being the CARP VIP, however I was under the impression that this would only work if the addresses were in the same subnet as the CARP VIP?
Each WAN subnet's addressing will cover each firewall's WAN1 and WAN2 interfaces plus shared CARP VIPs for outbound NAT, while the addresses from the additional routed /29 subnets will be used for external services (Web Servers, VDI access etc.).
Many thanks.
-
@mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:
Each WAN subnets addressin
Hi.
Do you have schema ?
-
WAN 1:
WAN Subnet: 161.12.60.232/29
ISP Gateway: 161.12.60.233
Routed Subnet: 161.12.51.32/29
Shared CARP VIP: 161.12.60.236
WAN 2:
WAN Subnet: 161.12.60.240/29
ISP Gateway: 161.12.60.241
Routed Subnet: 161.12.51.40/29
Shared CARP VIP: 161.12.60.244
Firewall 1:
WAN 1 Interface: 161.12.60.234
WAN 2 Interface: 161.12.60.242
Firewall 2:
WAN 1 Interface: 161.12.60.235
WAN 2 Interface: 161.12.60.243
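A quick way to sanity-check an addressing plan like the one above before touching the firewalls is to run it through Python's ipaddress module. The script below is an added example, not part of the thread or of pfSense; it encodes the four addresses an HA link needs per the advice earlier in the thread (ISP gateway, each of the two nodes, and the shared CARP VIP), so it also shows why a /31 cannot carry an HA pair while a /29 can. The role names (fw1, fw2, carp_vip, routed_subnet) are this example's own labels, and the plan dictionary is constructed from the addresses listed in the post.

```python
"""Sanity-check a CARP/HA WAN addressing plan with the ipaddress module."""
import ipaddress

# Constructed from the addressing the post above lists. fw1/fw2 are the two
# pfSense nodes, carp_vip the shared address, routed_subnet the extra /29
# that the ISP delivers to the CARP VIP (hypothetical role names).
PLAN = {
    "WAN1": {
        "wan_subnet": "161.12.60.232/29",
        "isp_gateway": "161.12.60.233",
        "fw1": "161.12.60.234",
        "fw2": "161.12.60.235",
        "carp_vip": "161.12.60.236",
        "routed_subnet": "161.12.51.32/29",
    },
    "WAN2": {
        "wan_subnet": "161.12.60.240/29",
        "isp_gateway": "161.12.60.241",
        "fw1": "161.12.60.242",
        "fw2": "161.12.60.243",
        "carp_vip": "161.12.60.244",
        "routed_subnet": "161.12.51.40/29",
    },
}

# One on-link address per role: the ISP gateway, each HA node, and the CARP VIP.
HA_ROLES = ("isp_gateway", "fw1", "fw2", "carp_vip")


def usable_hosts(net):
    """Host addresses assignable on a link: a /31 has two (RFC 3021), a /32 one,
    anything larger loses the network and broadcast addresses."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def fits_ha(prefixlen):
    """Can a WAN block of this prefix length carry gateway + two nodes + VIP?"""
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    return usable_hosts(net) >= len(HA_ROLES)


def check_plan(plan):
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    used = {}      # address -> first "WAN/role" that claimed it
    wan_nets = {}  # WAN name -> its link subnet
    for wan, p in plan.items():
        net = ipaddress.ip_network(p["wan_subnet"])
        routed = ipaddress.ip_network(p["routed_subnet"])
        wan_nets[wan] = net
        if usable_hosts(net) < len(HA_ROLES):
            findings.append(f"{wan}: {net} has only {usable_hosts(net)} usable "
                            f"addresses, HA needs {len(HA_ROLES)}")
        for role in HA_ROLES:
            addr = ipaddress.ip_address(p[role])
            if addr not in net:
                findings.append(f"{wan}: {role} {addr} is outside WAN subnet {net}")
            elif net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
                findings.append(f"{wan}: {role} {addr} is the network or broadcast address of {net}")
            if addr in used:
                findings.append(f"{wan}: {role} {addr} already used by {used[addr]}")
            else:
                used[addr] = f"{wan}/{role}"
        # The routed block is reached via the CARP VIP; it must not also be the link subnet.
        if routed.overlaps(net):
            findings.append(f"{wan}: routed block {routed} overlaps WAN subnet {net}")
    # Two WAN links sharing a subnet would leave the host unable to pick an egress interface.
    names = list(wan_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if wan_nets[a].overlaps(wan_nets[b]):
                findings.append(f"{a} and {b}: WAN subnets {wan_nets[a]} and {wan_nets[b]} overlap")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
    for length in (31, 30, 29):
        print(f"/{length} fits an HA pair: {fits_ha(length)}")
```

Running it on the plan above reports no findings; editing one address so that it repeats on the other node, or moving a CARP VIP into the routed block, produces a finding naming the WAN and role, which is the kind of conflict the question is worried about.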