CARP, two WANs, only one public IP in each WAN
-
Without a /29 in both WANs, I wonder what would happen with NTP, DNS, pfblocker updates, dpinger, firmware updates, package updates and etc with the Slave firewall.
Connections would leave the slave firewall using the VIP and then the return traffic would hit the master, causing asymmetric routing.
Perhaps a workaround for this issue would be by using NAT, something like:
outbound NAT, mode manual:
127.0.0.0/8 don't use CARP, use interface address.
This would make connections from the firewall itself use their own IP address instead of the VIP.
What do you think, it should work, right?
-
@mcury
Only the ISP routers have a single WAN, but both pfSense boxes can have a unique WAN IP and additionally share the CARP VIP behind them.
@mcury said in CARP, two WANs, only one public IP in each WAN:
Perhaps a workaround for this issue would be by using NAT, something like:
outbound NAT, mode manual:
127.0.0.0/8 don't use CARP, use interface address.
This is the normal configuration in a CARP setup. There is nothing different to your situation.
The secondary can make upstream connections using its interface IP in the private subnet through the ISP router and will get responses back properly.
-
@viragomann said in CARP, two WANs, only one public IP in each WAN:
This is the normal configuration in a CARP setup. There is nothing different to your situation.
oh, nice.
@viragomann said in CARP, two WANs, only one public IP in each WAN:
The secondary can make upstream connections using its interface IP in the private subnet through the ISP router and will get responses back properly.
So, no need for the NAT I was thinking about, nice.
Based on what you said, this setup would work perfectly, right?
Any other insights that I should be aware of? Very helpful so far.
-
@mcury said in CARP, two WANs, only one public IP in each WAN:
So, no need for the NAT I was thinking about, nice.
The workaround if you only have one public WAN IP for two nodes is to route the secondary's upstream traffic over the master's LAN interface. But this is not necessary in your example, since they are connected to a private subnet with enough addresses behind the router.
Based on what you said, this setup would work perfectly, right ?
I think, it should work.
-
@viragomann said in CARP, two WANs, only one public IP in each WAN:
I think, it should work.
Great, I'll set that up in the following days. Thanks!
-
@mcury we’ve set up a client like this but with one WAN. Comcast business provides NAT even on a “bridged” connection.
Presumably both the public IPs would be shared/CARP.
-
@mcury
One point to add. The gateway monitoring IPs should be public, since the gateway IP is local and says nothing about the internet connection.
But I think you're aware of this.
-
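The two points raised in this thread (firewall-originated traffic on the secondary must not be translated to the CARP VIP, and the gateway monitor IP must test something beyond the local ISP router) can be sanity-checked against a node's intended settings before touching the GUI. The script below is an added example written for this page, not code from pfSense or from anyone in the thread. It models pf's first-match outbound NAT evaluation on a small constructed configuration; every address, node name and rule in it is made up for illustration, including the private WAN subnet behind the ISP router that matches the setup described above.

```python
"""Model of the two checks discussed in the thread: does firewall-originated
traffic on a CARP BACKUP node leave with its own interface address rather than
the shared VIP, and does the gateway monitor IP actually test the internet
path. Added example; not pfSense code. Every address, node name and rule
below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class OutboundNatRule:
    """One manual outbound NAT rule; translate_to is 'interface' or 'carp'."""
    source: ipaddress.IPv4Network
    translate_to: str


@dataclass
class CarpNode:
    name: str
    interface_ip: ipaddress.IPv4Address   # this node's own WAN address
    carp_vip: ipaddress.IPv4Address       # VIP shared with the other node
    gateway_ip: ipaddress.IPv4Address     # the ISP router
    monitor_ip: ipaddress.IPv4Address     # what dpinger pings
    outbound_nat: List[OutboundNatRule] = field(default_factory=list)


def translation_address(node: CarpNode, src: str) -> ipaddress.IPv4Address:
    """Return the source address a packet from `src` leaves the WAN with.
    Rules are evaluated first match wins, like pf; with no match the packet
    is not translated and keeps its original source."""
    addr = ipaddress.ip_address(src)
    for rule in node.outbound_nat:
        if addr in rule.source:
            return node.interface_ip if rule.translate_to == "interface" else node.carp_vip
    return addr


def self_traffic_is_symmetric(node: CarpNode) -> bool:
    """Traffic the firewall itself originates (dpinger, NTP, DNS, package and
    pfBlocker fetches) is sourced from localhost or the interface address.
    If it is translated to the CARP VIP, replies are delivered to whichever
    node currently holds the VIP, so on the BACKUP node they never return.
    True when both source kinds leave with the node's own address."""
    return all(
        translation_address(node, src) == node.interface_ip
        for src in ("127.0.0.1", str(node.interface_ip))
    )


def monitor_ip_is_useful(node: CarpNode) -> bool:
    """Pinging the local gateway only proves the ISP router is up; the monitor
    target should be a globally routable address beyond it."""
    return node.monitor_ip.is_global and node.monitor_ip != node.gateway_ip


def example_nodes():
    """Two constructed BACKUP nodes on a private WAN subnet behind an ISP
    router. 'bad' NATs everything to the VIP and monitors the gateway;
    'good' uses the layout recommended in the thread. All values made up."""
    lan = ipaddress.ip_network("192.168.1.0/24")
    localhost = ipaddress.ip_network("127.0.0.0/8")
    vip = ipaddress.ip_address("10.0.0.10")
    gw = ipaddress.ip_address("10.0.0.1")
    own = ipaddress.ip_address("10.0.0.12")
    bad = CarpNode("backup-bad", own, vip, gw, gw,
                   [OutboundNatRule(ipaddress.ip_network("0.0.0.0/0"), "carp")])
    good = CarpNode("backup-good", own, vip, gw, ipaddress.ip_address("1.1.1.1"),
                    [OutboundNatRule(localhost, "interface"),
                     OutboundNatRule(lan, "carp")])
    return bad, good


if __name__ == "__main__":
    for node in example_nodes():
        print(node.name,
              "| self-traffic symmetric:", self_traffic_is_symmetric(node),
              "| monitor IP useful:", monitor_ip_is_useful(node),
              "| LAN client leaves as:", translation_address(node, "192.168.1.50"))
```

The "good" node shows the normal CARP layout: 127.0.0.0/8 is translated to the interface address, the LAN subnet to the VIP, and packets sourced from the interface address itself match no rule and leave untouched, so all of the node's own traffic comes back to it through the ISP router. The "bad" node fails both checks, which is the asymmetric-routing situation the opening post worried about.
-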
Yup there are (unsupported) workarounds for using only one public IP address. But you wouldn't need to use them here because you are not using public IPs on the pfSense WANs at all.
-
thanks everyone for the replies, this will be my first HA setup with pfsense =)