Netgate Discussion Forum
    Question about Carp with multiple external IPs

    HA/CARP/VIPs
    TonyAR

      Hi everyone, a forum newbie here. I have used pfSense for the past 6 years or so, but never with CARP.

      I have been tasked with setting up a failover scenario with two boxes using CARP, but I'm unsure how I assign external IP addresses for inbound services.

      I have attached a diagram, but essentially we want to do as follows:

      x.x.x.41/29 ext virtual IP.
      x.x.x.42/29 inbound HTTP
      x.x.x.43/29 inbound SMTP #1
      x.x.x.44/29 inbound SMTP #2

      My question is:

      I know I need three external IPs - one for each firewall external interface, and one for the virtual IP.

      However, do I also need a second external IP for every inbound service, and assign a virtual IP for the inbound services, in the same way I would assign a virtual IP for the 'primary' interface?

      I have searched the forums to no avail - and perhaps I'm using the wrong search terms, or I am just completely misunderstanding the documentation.  :-[

      Any help would be appreciated.

      Many thanks in advance.

      [Attachment: Firewall-with-failover.JPG]
      viragomann

        You just need one IP for each firewall exclusively. This one can't be used for the services.
        However, if you have further subnets you also need further IPs for the interfaces. But from your map I guess you have just a single WAN subnet.

        You have to assign the IPs to the firewall interfaces, then you can add a CARP IP. The CARP IP may be used for services, because it's available on both firewalls.
        The additional IPs are to be assigned as "IP Alias", hooked on the CARP IP as interface. You could also add additional CARP IPs; however, that's not required.
        Remember that the additional IPs must be added after their CARP. I.e., it doesn't work if you edit an IP Alias made earlier in single firewall mode. A trap I fell into.

        dotdash

          @TonyAR:

          I know I need three external IPs - one for each firewall external interface, and one for the virtual IP.

          However, do I also need a second external IP for every inbound service, and assign a virtual IP for the inbound services, in the same way I would assign a virtual IP for the 'primary' interface?

          You need one (non-shared) for each firewall and one or more shared CARP VIPs.
          Generally, with a /29, the provider takes one, so you only have five to assign. Using your example of x.x.x.40/29 you would have something like:
          x.x.x.41 = provider equipment (default gw for pfSense)
          x.x.x.42 = Primary Firewall
          x.x.x.43 = Secondary Firewall
          x.x.x.44 = CARP VIP http
          x.x.x.45 = CARP VIP smtp1
          x.x.x.46 = CARP VIP smtp2

          You could use port forwards and share one VIP for http and smtp.

          TonyAR
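The two replies above (viragomann's and dotdash's) boil down to a few allocation rules for a single WAN /29: one address the provider keeps as gateway, one non-shared address per firewall, at least one CARP VIP that is shared, and any further service addresses as IP Aliases parented on that CARP VIP so they follow the failover. The following Python script is an added example, not code from the thread's posters or from pfSense, that checks a constructed address plan against those rules and flags the trap viragomann mentions (an IP Alias created in single-firewall mode, parented on the WAN interface instead of the CARP VIP). The block 203.0.113.40/29, the `Plan`/`Vip` structures and the `"wan"` parent name are assumptions for illustration.

```python
"""Consistency check for a pfSense CARP address plan on one WAN /29 (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vip:
    addr: str    # address, optionally with prefix, e.g. "203.0.113.44/29"
    kind: str    # "carp" (shared, fails over) or "ipalias"
    parent: str  # "wan" for the interface itself, or the CARP VIP address an alias rides on


@dataclass
class Plan:
    wan_subnet: str      # the provider-assigned block, e.g. "203.0.113.40/29"
    gateway: str         # address the provider equipment keeps
    primary_wan: str     # non-shared WAN address of the primary firewall
    secondary_wan: str   # non-shared WAN address of the secondary firewall
    vips: list           # list[Vip]


def _host(addr: str) -> ipaddress.IPv4Address:
    """Strip an optional /prefix and return the host address."""
    return ipaddress.ip_address(addr.split("/")[0])


def check_plan(plan: Plan) -> list:
    """Return a list of problem descriptions; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan.wan_subnet, strict=False)
    assigned = {}  # host address -> role, to catch double assignment

    def claim(addr: str, role: str) -> None:
        host = _host(addr)
        if host not in net:
            problems.append(f"{host} ({role}) is outside {net}")
        elif host in (net.network_address, net.broadcast_address):
            problems.append(f"{host} ({role}) is the network or broadcast address")
        if host in assigned:
            problems.append(f"{host} is assigned to both '{assigned[host]}' and '{role}'")
        else:
            assigned[host] = role

    # Fixed, non-shared addresses: provider gateway and one per firewall.
    claim(plan.gateway, "provider gateway")
    claim(plan.primary_wan, "primary firewall WAN")
    claim(plan.secondary_wan, "secondary firewall WAN")
    if _host(plan.primary_wan) == _host(plan.secondary_wan):
        problems.append("both firewalls use the same WAN address; each needs its own")

    # Shared addresses: CARP VIPs sit on the interface, IP Aliases must ride a CARP VIP.
    carp_hosts = {_host(v.addr) for v in plan.vips if v.kind == "carp"}
    for v in plan.vips:
        claim(v.addr, f"{v.kind} VIP")
        if v.kind == "carp" and v.parent != "wan":
            problems.append(f"CARP VIP {v.addr} should be parented on the WAN interface, not '{v.parent}'")
        elif v.kind == "ipalias" and (v.parent == "wan" or _host(v.parent) not in carp_hosts):
            problems.append(
                f"IP Alias {v.addr} is parented on '{v.parent}', not on a CARP VIP, "
                "so it will not fail over (an alias made in single-firewall mode)"
            )
    if not carp_hosts:
        problems.append("no CARP VIP defined; nothing is shared between the two firewalls")
    return problems


# Constructed plan following dotdash's layout, with SMTP as aliases on the HTTP CARP VIP
# as viragomann describes (documentation range, not a real deployment).
GOOD_PLAN = Plan(
    wan_subnet="203.0.113.40/29",
    gateway="203.0.113.41",
    primary_wan="203.0.113.42/29",
    secondary_wan="203.0.113.43/29",
    vips=[
        Vip("203.0.113.44/29", "carp", "wan"),          # shared VIP, used for HTTP
        Vip("203.0.113.45/29", "ipalias", "203.0.113.44"),  # SMTP #1 rides the CARP VIP
        Vip("203.0.113.46/29", "ipalias", "203.0.113.44"),  # SMTP #2 rides the CARP VIP
    ],
)

# Constructed plan with two mistakes: an alias left parented on the WAN interface, and an
# alias that reuses the secondary firewall's own address.
BAD_PLAN = Plan(
    wan_subnet="203.0.113.40/29",
    gateway="203.0.113.41",
    primary_wan="203.0.113.42/29",
    secondary_wan="203.0.113.43/29",
    vips=[
        Vip("203.0.113.44/29", "carp", "wan"),
        Vip("203.0.113.45/29", "ipalias", "wan"),            # created before the CARP VIP
        Vip("203.0.113.43/29", "ipalias", "203.0.113.44"),   # collides with secondary WAN
    ],
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
```

Running the script reports "OK" for the first plan and two findings for the second; the alias-parent check is the one that catches the single-firewall-mode trap, because an IP Alias only moves with the failover when its parent is a CARP VIP rather than the physical WAN interface.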

            Thanks for the replies.

            I have installed both firewalls now, and as I went through the configuration process, it all became clear.

            Thanks again. :)
