Netgate Discussion Forum

    Do you need multiple public IP's for basic failover functionality?

    SteveITS @Magoogle

      @Magoogle Then you might be stuck. Unless you can try to emulate the NAT Comcast uses...something like:

      router-outside:

      • WAN = public IP subnet 1
      • LAN = public IP subnet 2
      • LAN alias = 10.0.0.1/24

      router1-client:

      • WAN = 10.0.0.2
      • WAN CARP alias = from public IP subnet 2
      • LAN CARP alias = 192.168.1.1
      • LAN = 192.168.1.2

      router2-client:

      • WAN = 10.0.0.3
      • WAN CARP alias = from public IP subnet 2
      • LAN CARP alias = 192.168.1.1
      • LAN = 192.168.1.3

      ...just thinking out loud.

      As noted in the doc page, it can technically be done with router2 not having a working WAN, but then to install anything on router2, or update router2, one has to fail over so router2 is live and then work on it.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      Magoogle @SteveITS

        @SteveITS

        So I made it work, at least on my bench.

        I used 10.0.0.1 for the Primary WAN interface, and 10.0.0.2 for the Secondary WAN interface with a /30 subnet (this network goes nowhere).

        I created a "Public" CARP WAN IP for the actual WAN; in this test it's 10.1.25.250 (because it's behind another firewall on the bench).

        Set up my Sync interfaces, configured outbound NAT to Hybrid and set it to use the CARP address as the NAT address.

        Running ping tests to the internet from an interface behind these 2 virtual firewalls, I only see 1 packet drop when I emulate a firewall failure by "turning off the power" to the Hyper-V VM.

        And powering it back up, it updates and takes over as Primary again without any issues. So it looks like this will do what I want without wasting public IPs. The only problem with this is that the secondary firewall has no internet access of its own until it takes over as the Primary.

        I guess I could create another virtual interface to act as a secondary WAN to allow it to talk to the internet outside of the "public" facing network.

        SteveITS @Magoogle

          @Magoogle said in Do you need multiple public IP's for basic failover functionality?:

          create another virtual interface to act as a secondary WAN to allow it to talk to the internet outside of the "public" facing network

          If you use a /29 instead of a /30, 10.0.0.3 goes on the router upstream from these two and hence is the gateway for 10.0.0.1 and 10.0.0.2. That gives those two Internet access over the NAT, or the shared/CARP IP.

          Magoogle @SteveITS

            @SteveITS The router upstream doesn't exist in the datacenter. Just a fiber handoff with 2 blocks of IPs.

            viragomann @Magoogle

              @Magoogle said in Do you need multiple public IP's for basic failover functionality?:

              The only problem with this, is that the secondary firewall has no internet access of its own until it takes over as the Primary.

              By creating a failover group with the WAN gateway and the LAN of the primary, the secondary can go out to the internet through the primary node if it's in backup state.

              You would have to configure the HA settings on the primary so that this does not get overwritten.

              Magoogle @viragomann

                @viragomann Where on the primary HA would that configuration be changed? I don't see anything in the offered selections to exclude that type of change.

                viragomann @Magoogle

                  @Magoogle
                  You have to disable syncing of "Static Route configuration" in System > High Availability Sync.
                  This of course means that you have to configure all static routes and gateway groups on the secondary as well.

                  Magoogle @viragomann

                    @viragomann I created a gateway group and a secondary gateway on the secondary firewall. I tried with WAN and the LAN as the interface and the IPs of the primary as the gateway. While the gateway shows online, the secondary is unable to ping out to the world.

                    viragomann @Magoogle

                      @Magoogle
                      On the secondary you need to add the primary's LAN address as a gateway in System > Routing > Gateways. I'll call it PrimLan.

                      Then go to the gateway groups tab and add your new failover group:
                      WAN gateway > Tier1
                      PrimLan > Tier2

                      Go back to the gateways tab and set this group as the default gateway.

                      Ensure that the monitoring is enabled on both gateways and that the WAN gateway state is offline, when the primary is the master.

                        Magoogle @viragomann
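As an added illustration (not code from this thread or from pfSense), the script below models two points made above: SteveITS's remark that a /30 has no room for a third host such as an upstream gateway at 10.0.0.3 while a /29 does, and viragomann's failover group where a Tier 1 WAN gateway only yields to the Tier 2 PrimLan gateway if the WAN gateway is actually marked offline. The function names, the gateway names and the status dictionaries are assumptions used for the demonstration; pfSense's own gateway-group logic is not reproduced here, only the tier-selection rule as described in the post.

```python
import ipaddress

def check_ha_wan_plan(subnet, node_wans, upstream_gw):
    """Validate an HA WAN addressing plan.

    subnet      -- the shared WAN transit network, e.g. "10.0.0.0/30"
    node_wans   -- the real (non-CARP) WAN address of each cluster node
    upstream_gw -- the address the nodes would use as their next hop

    Returns a list of problems; an empty list means the plan fits.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    usable = set(net.hosts())          # network and broadcast excluded
    addrs = [ipaddress.ip_address(a) for a in list(node_wans) + [upstream_gw]]
    problems = []
    if len(set(addrs)) != len(addrs):
        problems.append("duplicate addresses in plan")
    for a in addrs:
        if a not in usable:
            problems.append(f"{a} is not a usable host address in {net}")
    if len(usable) < len(addrs):
        problems.append(f"{net} has {len(usable)} usable addresses, "
                        f"plan needs {len(addrs)}")
    return problems

def pick_default_gateway(group, status):
    """Model a tiered failover group: the lowest tier with at least one
    online member wins; members of that tier are returned in order.

    group  -- list of (gateway_name, tier) tuples, e.g. [("WAN_GW", 1), ("PrimLan", 2)]
    status -- dict gateway_name -> "online" or "offline" (from monitoring)
    """
    for tier in sorted({t for _, t in group}):
        online = [g for g, t in group if t == tier and status.get(g) == "online"]
        if online:
            return online
    return []   # nothing online: no default gateway available

if __name__ == "__main__":
    # Constructed sample values matching the thread's addressing.
    print("/30 plan:", check_ha_wan_plan("10.0.0.0/30", ["10.0.0.1", "10.0.0.2"], "10.0.0.3"))
    print("/29 plan:", check_ha_wan_plan("10.0.0.0/29", ["10.0.0.1", "10.0.0.2"], "10.0.0.3"))

    group = [("WAN_GW", 1), ("PrimLan", 2)]
    # Secondary node while the primary is master: WAN gateway down, route via primary's LAN.
    print(pick_default_gateway(group, {"WAN_GW": "offline", "PrimLan": "online"}))
    # After failover: the secondary's own WAN works, primary's LAN is gone.
    print(pick_default_gateway(group, {"WAN_GW": "online", "PrimLan": "offline"}))
    # The trap from the post: if the WAN gateway still shows online on the backup,
    # Tier 1 wins and the node keeps a WAN that cannot reach the internet.
    print(pick_default_gateway(group, {"WAN_GW": "online", "PrimLan": "online"}))
```

The last call shows why the post insists that monitoring be enabled and that the WAN gateway read offline while the primary is master: with both tiers online, the group never falls through to PrimLan, which matches the symptom of a Tier 2 gateway showing online while the secondary still cannot ping out.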

                          @viragomann That's how I set it up. But when using the console for pfSense, it can't ping out even though the Tier2 gateway shows as online.

                          viragomann @Magoogle

                          @Magoogle
                          Check Status > Gateways.
                          Is the tier2 the default now?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.