Netgate Discussion Forum

    PfSense CARP Questions; Active/Passive, Bridge Mode/NAT

    HA/CARP/VIPs
    7 Posts 3 Posters 4.3k Views
    • StylusPilot

      Just trying to get a better understanding of how this works so I can choose the correct design.

      I have 2 parts to my queries here:

      (1)

      With the use of CARP, is it possible to use more than 2 servers sharing the same VIP (let's say for this example 3 servers)?

      So as CARP requires a public IP address on each WAN interface, assuming you had enough (say a /29 for 6 public IPs), this would be possible?

      Does it work in an Active/Passive/Passive arrangement?

      i.e.

      pfSense-1 Active
      pfSense-2 Passive
      pfSense-3 Passive

      If pfSense-1 fails, pfSense-2 kicks in, and if both 1 and 2 fail, 3 kicks in.

      Is there any way to load balance multiple servers in an Active/Active configuration with the use of CARP, even if 2 are Active and one Passive?

      (2)

      Let's say I had 4 ADSL connections, all plugged into a single switch (I have attached the pic).

      Each one of these would require a /29 to provide enough additional IP addresses for the pfSense boxes?

      Each ADSL would need a separate interface on each pfSense box? e.g. ADSL-1, ADSL-2, etc.?

      Do I then disable NAT on the ADSL, and for each interface on the pfSense box assign a public IP, e.g.

      ADSL-1 on pfSense-1 might be 203.X.X.11, ADSL-1 on pfSense-2 might be 203.X.X.12, and so on.

      ADSL-2 on pfSense-1 might be 199.X.X.11, ADSL-2 on pfSense-3 might be 199.X.X.12, and so on.

      OR

      Is there a way to put a modem in bridge mode and share it between multiple pfSense boxes by setting up PPPoE on each box?

      OR

      Using NAT, can the pfSense machines have local IP ranges, e.g. 192.168.0.1, 2, etc., and the ADSL use the public IP?

      ![pfSense CARP ADSL x4.jpg](/public/imported_attachments/1/pfSense CARP ADSL x4.jpg)
      • marcelloc

        Don't you think that two pfSense could be enough?

        AFAIK, on the sync options you can only configure one server for rules/states replication/synchronization.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • cmb

          You can do 3 like you describe, but it's generally a waste; you're extremely unlikely to lose two pieces of hardware at the same time. I've worked on easily into hundreds of HA installs, have never seen one that uses 3 boxes, and have never seen a failure of a primary where the secondary also failed.

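An added example, not from any post in this thread, that models the election cmb's answer relies on: three boxes sharing one VIP, where CARP prefers the node with the shortest advertisement interval (advbase + advskew/256 s) and a backup declares the master dead after its master-down timer (3*advbase + advskew/256 s, the formula used in FreeBSD's carp(4)). The node names, the skew of 200 for a third box and the failure order are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class CarpNode:
    """One pfSense box advertising the shared VIP (constructed names/values)."""
    name: str
    advbase: int = 1    # base seconds between advertisements
    advskew: int = 0    # 0-254, adds advskew/256 s; lower is preferred
    alive: bool = True

    def interval(self) -> float:
        return self.advbase + self.advskew / 256.0

    def dead_time(self) -> float:
        # Backup's master-down timer (FreeBSD carp): 3*advbase + advskew/256.
        return 3 * self.advbase + self.advskew / 256.0

def elect_master(nodes):
    """Alive node with the shortest advertisement interval wins; None if all down."""
    live = [n for n in nodes if n.alive]
    return min(live, key=lambda n: n.interval()) if live else None

def has_tie(nodes):
    """True if two alive nodes advertise at the same rate (election is ambiguous)."""
    rates = sorted(n.interval() for n in nodes if n.alive)
    return any(a == b for a, b in zip(rates, rates[1:]))

def simulate(nodes, failures):
    """Fail nodes in order; return (event, master name or None, takeover delay)."""
    byname = {n.name: n for n in nodes}
    timeline = [("start", elect_master(nodes).name, 0.0)]
    for victim in failures:
        byname[victim].alive = False
        new = elect_master(nodes)
        timeline.append((f"{victim} down", new.name if new else None,
                         new.dead_time() if new else 0.0))
    return timeline

def make_cluster():
    # Active/Passive/Passive as asked in the thread: pfSense's usual skew of
    # 0 (master) and 100 (backup), plus a constructed 200 for a third box.
    return [CarpNode("pfSense-1", advskew=0),
            CarpNode("pfSense-2", advskew=100),
            CarpNode("pfSense-3", advskew=200)]

if __name__ == "__main__":
    for event, master, secs in simulate(make_cluster(), ["pfSense-1", "pfSense-2", "pfSense-3"]):
        print(f"{event:15} master={master} takes over after ~{secs:.2f}s")
```

The chain pfSense-1, then pfSense-2, then pfSense-3 falls out of the skew ordering alone; has_tie shows the case to avoid, two boxes with equal skew, where the election has no deterministic winner.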
          • StylusPilot

            Thanks,

            It was just a thought.

            So can you do Active/Active? How does pfSense scale for thousands of users; does one machine cut it?

            • marcelloc

              It will always depend on your hardware.

              • cmb

                No active/active. In general we scale as well as any firewall (all of which have their limits where you get into territory you can no longer filter, at millions of pps). Users are irrelevant; pps is all that matters with firewalls. Most multi-thousand-user networks are fine.

                • StylusPilot

                  Cheers, makes sense; that solves my question 1.

                  In regards to my question 2, which way is the preferred option?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.