Netgate Discussion Forum
    CARP alternative

    • jimp (Rebel Alliance, Developer, Netgate) @ErsanY

      @ErsanY said in CARP alternative:

      Hi. Is there any update on this matter please? Meaning, CARP support or alternative for pfsense usage on Public Clouds (AWS, GCP, Azure etc) ?

      https://docs.netgate.com/pfsense/en/latest/solutions/aws-vpn-appliance/ha.html

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • michmoor (LAYER 8, Rebel Alliance) @jimp

        @jimp What about on prem? Is CARP alternative still being investigated?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • jimp (Rebel Alliance, Developer, Netgate)

          The only possible alternative would be VRRP which has the same limitations as CARP, which is already covered higher in the thread.

          • snunez

            I've been using pfSense in HA using UCARP in Oracle Cloud.
            Oracle Cloud has L2 VLAN that allows broadcast (but not multicast) messages. Therefore, CARP doesn't work, but UCARP works well because it can be configured to use broadcast messages instead of multicast.
            It would be great if pfSense incorporated UCARP as an alternative for HA so that it could be used in cloud installations.
            Do you think this is possible?

            • jimp (Rebel Alliance, Developer, Netgate)

              pfSense Plus has unicast CARP already.

              https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#vip-configuration-options

              • michmoor (LAYER 8, Rebel Alliance) @jimp

                @jimp said in CARP alternative:

                The only possible alternative would be VRRP which has the same limitations as CARP, which is already covered higher in the thread.

                Well, not having a mandatory /29 would be helpful; that would be the main and important differentiator, hence VRRP is desired.

                • SteveITS (Galactic Empire) @michmoor

                  @michmoor I realize I'm coming in at the end of a 9-year-old thread, but technically a /29 isn't required for WAN. It can be done with private IPs in the right situation, e.g. Comcast business Internet provides both NAT (10.1.10.x) and passthrough/static routing at the same time. Or the docs mention leaving router2 not able to connect out without failover, using one IP, though that's not ideal.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  • michmoor (LAYER 8, Rebel Alliance) @SteveITS

                    @SteveITS said in CARP alternative:

                    technically a /29 isn't required for WAN.

                    For High Availability, I believe it is. CARP isn't ideal.

                    • jimp (Rebel Alliance, Developer, Netgate)

                      You can use a single address for CARP on any interface, but it's primarily practical on LANs. If you do that on all of the WANs, the secondary will have no upstream connectivity so it can't operate effectively. If the upstream router allows public and private addresses some of those limitations might be alleviated but it's something you'd have to try on a case-by-case basis.

                      It's covered in the docs:

                      https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp (second paragraph in that section)

                      • SteveITS (Galactic Empire) @michmoor
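Added illustration for the two technical threads above (this is editor-added example code, not code from the forum, pfSense or Netgate): a small Python decoder for CARP advertisements that distinguishes the three delivery modes discussed (the standard 224.0.0.18 multicast group that cloud L2 segments typically block, broadcast as UCARP falls back to, and unicast as pfSense Plus offers per VIP), applies the checks a CARP receiver applies (IP protocol 112, TTL 255, CARP version 2 / type 1, authlen 7, valid header checksum) and derives the advertisement interval from advbase/advskew. The sample packets are constructed inline; the 3 × advbase backup timeout is assumed from FreeBSD's ip_carp.c, and the trailing HMAC-SHA1 is reported but not verified, since its key depends on the configured VIPs and password. The min_wan_prefix helper works through the /29 question from jimp's and michmoor's posts: two node addresses, one shared VIP and the upstream gateway need four usable addresses, which a /30 cannot provide.

```python
"""Decode and sanity-check CARP advertisements (added example, not pfSense code)."""
import ipaddress
import struct
from typing import Optional

CARP_PROTO = 112                                    # CARP reuses VRRP's IP protocol number
CARP_TTL = 255                                      # receivers drop anything not sent with TTL 255
CARP_MCAST = ipaddress.IPv4Address("224.0.0.18")    # standard CARP/VRRP multicast group
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")
CARP_HDR_LEN = 36                                   # 16 bytes of fields + 20-byte HMAC-SHA1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp(vhid: int, advbase: int, advskew: int, counter: int,
               hmac: bytes = b"\x00" * 20) -> bytes:
    """CARP header: version 2 / type 1 (advertisement), authlen 7 (seven 32-bit words)."""
    hdr = struct.pack("!BBBBBBHQ", 0x21, vhid, advskew, 7, 0, advbase, 0, counter) + hmac
    return hdr[:6] + struct.pack("!H", inet_checksum(hdr)) + hdr[8:]


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = CARP_TTL) -> bytes:
    """Minimal IPv4 header (no options) carrying a CARP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, CARP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_carp(packet: bytes, subnet_bcast: Optional[str] = None) -> dict:
    """Decode one IPv4+CARP frame and list every reason a CARP receiver would drop it."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    if proto != CARP_PROTO:
        raise ValueError(f"IP protocol {proto} is not CARP/VRRP (112)")
    carp = packet[ihl:]
    if len(carp) < CARP_HDR_LEN:
        raise ValueError("truncated CARP header")

    ver_type, vhid, advskew, authlen, demote, advbase, _cksum, counter = struct.unpack(
        "!BBBBBBHQ", carp[:16])
    problems = []
    if (ver_type >> 4) != 2 or (ver_type & 0x0F) != 1:
        problems.append("not a CARP version 2 advertisement")
    if ttl != CARP_TTL:
        problems.append(f"TTL {ttl} != 255 (forwarded or forged)")
    if authlen != 7:
        problems.append(f"authlen {authlen} != 7")
    if inet_checksum(carp[:CARP_HDR_LEN]) != 0:
        problems.append("bad CARP checksum")

    if dst == CARP_MCAST:
        mode = "multicast"          # classic CARP; blocked on most cloud L2 segments
    elif dst.is_multicast:
        mode = "multicast (non-standard group)"
    elif dst == LIMITED_BCAST or (subnet_bcast and dst == ipaddress.IPv4Address(subnet_bcast)):
        mode = "broadcast"          # what UCARP falls back to
    else:
        mode = "unicast"            # pfSense Plus unicast CARP: peer address set per VIP

    return {
        "src": str(src), "dst": str(dst), "mode": mode, "vhid": vhid,
        "advbase": advbase, "advskew": advskew, "demote": demote, "counter": counter,
        "interval_s": advbase + advskew / 256,           # master advertisement period
        # backup declares the master dead after 3*advbase + advskew/256 s (assumed from FreeBSD ip_carp.c)
        "backup_timeout_s": 3 * advbase + advskew / 256,
        "hmac": carp[16:36].hex(),                       # not verified: key depends on VIPs + password
        "valid": not problems, "problems": problems,
    }


def min_wan_prefix(nodes: int = 2, vips: int = 1, gateway: bool = True) -> int:
    """Smallest IPv4 prefix whose usable hosts cover every node, every shared VIP and
    (normally) the ISP gateway. Two nodes + one VIP + gateway = 4 addresses -> /29."""
    needed = nodes + vips + (1 if gateway else 0)
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("no IPv4 prefix is large enough")


# Constructed sample traffic for a two-node cluster on 203.0.113.0/29 (documentation range).
SAMPLES = {
    "classic":   build_ipv4("203.0.113.2", "224.0.0.18", build_carp(1, 1, 0, 0x2A)),
    "unicast":   build_ipv4("203.0.113.2", "203.0.113.3", build_carp(1, 1, 100, 0x2B)),
    "broadcast": build_ipv4("203.0.113.2", "203.0.113.7", build_carp(1, 1, 0, 0x2C)),
    "forged":    build_ipv4("198.51.100.9", "224.0.0.18", build_carp(1, 1, 0, 0x2D), ttl=64),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_carp(pkt, subnet_bcast="203.0.113.7"))
    print("minimum WAN prefix for 2 nodes + 1 VIP + gateway: /%d" % min_wan_prefix())
```

The "forged" sample shows why the TTL 255 rule matters: an advertisement that has crossed a router, or that was spoofed from outside the segment, arrives with a lower TTL and is discarded before the HMAC is even considered. The broadcast sample is classified as unicast unless the caller supplies the subnet's directed broadcast address, which is exactly the ambiguity a UCARP-style deployment relies on.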

                        @michmoor We have a client using private IPs as I described. Both routers can update. They actually had a small block but at the time needed multiple IPs for various services so they were all shared. (Now just one)

                        • michmoor (LAYER 8, Rebel Alliance) @SteveITS

                          @SteveITS Yeah, you can use an RFC1918 layer, but it's just not as clean as putting routable addresses on the WAN. Double-NAT 😢

                          The concern I have with this type of design is port forwarding and/or hosting services. Not ideal, but it can work.

                          @jimp If the secondary firewall needs to install patches/packages, is that when you just flip it to Master (one WAN IP being shared)?

                          • SteveITS (Galactic Empire) @michmoor

                            @michmoor Maybe, but since the shared "CARP" public IP is used on WAN there's no practical difference in my mind.

                            Edit: yes, if using only one IP it'd have to be master to update pfSense. Or pfB lists etc.

                            • jimp (Rebel Alliance, Developer, Netgate) @michmoor

                              @michmoor said in CARP alternative:

                              if the secondary firewall needs to install patches/packages, is that when you just flip it to Master (One WAN IP being shared).

                              It needs to have packages and updates at all times, not just when it's master. Otherwise you'd have to fail over to it to do any sort of maintenance, which defeats the idea of HA to reduce disruptions.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.