Netgate Discussion Forum

Does a CARP setup requires WAN IPs to be on the same subnet as WAN VIP?

HA/CARP/VIPs
12 Posts 5 Posters 4.0k Views
CDuv
last edited by Dec 9, 2015, 11:53 AM

Hello,

I'm thinking about installing a second pfSense box and using CARP to have hardware redundancy for my (multi-WAN) Internet access.

One of my Internet connections directly provides the public IP I use on the Internet: 1.2.3.102/30 (that's the IP configured on the WAN interface), and they say I have to use the gateway at 1.2.3.101/30.

Being a "/30" network (namely: 1.2.3.100/30), there are only 2 practical IP addresses, which are both already used: one by their gateway (1.2.3.101) and the other by my current (no CARP configured) pfSense box (1.2.3.102).

Looking at the CARP documentation, it seems CARP setups require each pfSense box to have an IP on the WAN side (i.e. 127.29.29.1 and 127.29.29.2 in the documentation).
I understand they are required for each box to be able to access the Internet on its own (whether or not it is the active node in the CARP context), but do they have to be on the same network as the virtual IP of the WAN side (i.e. 1.2.3.102)?

Would the following setup work?

WAN VirtualIP: 1.2.3.102/30 ("CARP" type)
WAN gateway: 1.2.3.101/30 (the gateway configured for the WAN interface)

pfSense1 WAN IP: 80.40.20.1/28 (using 80.40.20.14/28 as gateway)
pfSense2 WAN IP: 80.40.20.2/28 (using 80.40.20.14/28 as gateway)

KOM
last edited by Dec 9, 2015, 4:10 PM

@CDuv:

but do they have to be on the same network as the virtual IP of the WAN side

For CARP virtual IP, yes. All other virtual IP types, no.

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

dotdash
last edited by Dec 9, 2015, 4:52 PM

@KOM:

For CARP virtual IP, yes. All other virtual IP types, no.

Not in 2.2.x
You can now have CARP VIPs in a different subnet than the WAN.

KOM
last edited by Dec 9, 2015, 5:42 PM

Thanks, I didn't see that caveat.

CDuv
last edited by Dec 10, 2015, 1:14 AM

Thanks, that is great news 8)

Derelict LAYER 8 Netgate
last edited by Dec 10, 2015, 3:52 AM

Why would you not just use 3 addresses from your /28? Just give back the /30, or ask that it be routed to your CARP address instead?

Or, better yet, ask them to make the /30 a /29, use that for WAN and ask them to route the /28 to that CARP address.

I guess I don't get why you'd want to do what you're asking…

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

CDuv
last edited by Dec 11, 2015, 1:28 AM

I don't know yet what addresses they can "give" me; the /28 example is one offer I know they have ("Extra 8-IPs pack"), but there may be more. So I'm gathering information about what pfSense supports and doesn't.
I don't know if they can route my public IP (1.2.3.102) to another IP, and I don't want to change public IP (lots of external out-of-my-hands services use it).

The really simple and cheap method is to buy a very simple router, place it where my current pfSense box is (at 1.2.3.102/30) and create a 192.168.0.0/24 network for my 2 pfSense boxes and the CARP virtual IP (transforming the public IP problem into a private network problem).
Only drawback: I would have a single point of failure, but that's more or less already the case considering their gateway.

Derelict LAYER 8 Netgate
last edited by Dec 11, 2015, 1:35 AM

If they are calling a /28 only 8 IP addresses it sounds like they are anticipating VRRP/CARP on both sides anyway: 3+3+8 = 14.

CDuv
last edited by Dec 11, 2015, 9:39 AM

Oops… Typo: their 8-IP pack is a /29 (not a /28).

My original post used /28 as a general example.

Derelict LAYER 8 Netgate
last edited by Dec 11, 2015, 5:09 PM

Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.

CDuv
last edited by Sep 21, 2016, 12:35 PM

@Derelict:

Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.

It is indeed routed: I got 8 different public IPs and they all go to 1.2.3.102/30.

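An added example (my own, not code from any poster or from pfSense) that turns the address arithmetic in this thread into a small planner: how many addresses an on-link block leaves you once the network, broadcast and the provider's gateway are taken, versus a block routed to your CARP VIP where every address is yours, and whether a CARP VIP sits in the same subnet as the node interface addresses. It reuses the thread's addresses (1.2.3.100/30, 80.40.20.0/29 and /28) and assumes the ISP keeps one address in an on-link block, or three when they run a VRRP/CARP pair with its own VIP, which is what Derelict's 3+3+8 = 14 supposes. The subnet check only reports whether the VIP is on-subnet; per dotdash's reply, pfSense 2.2.x accepts a CARP VIP outside the interface subnet, so a False result is a thing to know about, not an error.

```python
"""Address-budget planner for a two-node pfSense CARP pair (added example)."""
from ipaddress import ip_interface, ip_network


def usable_addresses(block, routed, isp_side=1):
    """Addresses left for my own hosts in `block`.

    routed=False: the block is on the link with the ISP gateway, so the
    network and broadcast addresses are lost and `isp_side` addresses belong
    to the provider (1 for a single gateway, 3 for a VRRP/CARP pair plus VIP).
    routed=True: the whole block is routed to my CARP VIP; every address is mine.
    """
    net = ip_network(block, strict=True)
    if routed:
        return net.num_addresses
    if net.prefixlen >= 31:
        # /31 point-to-point links (RFC 3021) have no network/broadcast address
        return max(net.num_addresses - isp_side, 0)
    return max(net.num_addresses - 2 - isp_side, 0)


def ha_budget(block, nodes=2, routed=False, isp_side=1):
    """Does `block` fit one address per node plus one CARP VIP?"""
    needed = nodes + 1
    usable = usable_addresses(block, routed, isp_side)
    return {
        "block": str(ip_network(block)),
        "usable": usable,
        "needed": needed,
        "fits": usable >= needed,
        "spare": max(usable - needed, 0),
    }


def vip_shares_subnet(vip, node_ifaces):
    """True if the CARP VIP lies inside every node's WAN interface subnet."""
    v = ip_interface(vip).ip
    return all(v in ip_interface(iface).network for iface in node_ifaces)


if __name__ == "__main__":
    # The ISP /30 from the first post: 1 usable address, a CARP pair needs 3.
    print(ha_budget("1.2.3.100/30"))
    # An on-link /29 (the "8-IP pack" if it were on the link): 5 usable.
    print(ha_budget("80.40.20.0/29"))
    # The same /29 routed to the CARP VIP: all 8 are usable.
    print(ha_budget("80.40.20.0/29", routed=True))
    # A /28 with the ISP running VRRP on its side: 3 + 3 + 8 spare = 14.
    print(ha_budget("80.40.20.0/28", isp_side=3))
    # The setup asked about in the first post: VIP off the node subnet.
    print(vip_shares_subnet("1.2.3.102/30", ["80.40.20.1/28", "80.40.20.2/28"]))
```

`ip_network(..., strict=True)` rejects a block whose host bits are set, so feeding it the interface address 1.2.3.102/30 instead of the network 1.2.3.100/30 raises rather than silently planning on the wrong block.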
JeGr LAYER 8 Moderator
last edited by Sep 21, 2016, 1:44 PM

@Derelict:

Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.

Nope, they don't. A pity, but quite a few ISPs or hosting providers will give you 8 IPs but not route them in a clean way. Either some hack'n'slash P2P host routing is done or you get 8 single IPs from different segments. No one said those 8 addresses are from the same block. I know quite a few (big) German hosting companies working that way, and it is annoying as hell from a networking perspective. So I won't get my hopes up until I read someone cleanly stating that it actually is a /29 IP block.

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.