Netgate Discussion Forum

    Public CARP IP in LAN

General pfSense Questions
7 Posts 2 Posters 1.5k Views
Sander88:

      Hi,

I'm having trouble getting a public CARP IP working in the LAN (on a lab pfSense HA setup).

      Some details about the setup:

      • The LAN has a public network range. Let's say 1.2.3.0/26
      • I have disabled outbound NAT.
      • I have created firewall rules to allow WAN traffic to the LAN (for example a ping and SSH).
• Each pfSense box has both an IP address in another network range and a shared CARP address. Let's say 5.6.7.0/28.

      Note: 1.2.3.0/26 and 5.6.7.0/28 are both example ranges; let's think of them as public IPs assigned by an ISP.

      IP details:
      PFSense box 1 - WAN: 5.6.7.1
      PFSense box 1 - LAN: 1.2.3.1

      PFSense box 2 - WAN: 5.6.7.2
      PFSense box 2 - LAN: 1.2.3.2

      PFSense shared - WAN (CARP): 5.6.7.3
      PFSense shared - LAN (CARP): 1.2.3.3

      Test server - LAN: 1.2.3.10

1.2.3.10 is also added to the WAN interface of pfSense as a CARP address.

      Current results:

      • I can always ping the WAN CARP IP (5.6.7.3).
• I can ping the test server (1.2.3.10) from time to time. It works for around 5 minutes and then it stops responding to ping for around 5 minutes. This process repeats itself.
• When I try to SSH to the test server (1.2.3.10), I get 2 possible results: the SSH service of the pfSense master (not the test server!) or a timeout.

Did I forget to configure something correctly?

      Please let me know when you need more details.

      Regards,
      Sander

Sander88:

        I just looked a bit deeper into the logs and found some blocks by this rule:
        antispoof log for $WAN tracker 1000001570

        What's this? Is it some kind of default rule to prevent IP spoofing?

JeGr (LAYER 8 Moderator):

          Test server - LAN: 1.2.3.10
1.2.3.10 is also added to the WAN interface of pfSense as a CARP address.

          Huh? Why would you add a LAN IP on the WAN interface!? That makes no sense? If you have 2 public IP ranges, the range you use in LAN should be forwarded/routed by your ISP to the CARP IP you used in the other public IP range. Is that the case? Otherwise how is traffic to 1.2.3.x supposed to know to hit your firewall in the first place!

          If you map that IP on your WAN side, then you can't use IPs from it on your LAN side. That would be totally confusing for the routing as IPs from the same subnet show up on both sides. Either get that second IP range routed to an IP in your first one (preferred for routing) or use a private subnet on LAN and do 1:1 NAT on your WAN with those other addresses.

          Greets

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

Sander88:

We have always used Proxy ARP for a single pfSense host setup, but now we are experimenting with an HA setup. So that's why I expected I could just change the type of the IP (1.2.3.10) from Proxy ARP to a CARP type of IP.

Getting the LAN public IP range routed to the WAN CARP IP will be difficult (I guess my ISP won't do this). So are there any other solutions to get this working (in HA, without NAT and without routing requirements by our ISP)?

JeGr (LAYER 8 Moderator):

in HA, without NAT and without routing requirements by our ISP)?

If you wanna make it really easy, use a private IP subnet in your LAN with the same mask as your 1.2.3.4/26 network. Then you'd have to add every CARP IP on WAN from 1.2.3.x/26 you want to have in your LAN. Then create a 1:1 NAT entry, use the first IP from 1.2.3.4/26 as external, use the first IP from your new private network /26 as internal and add the mask /26 (!).
              As the entry tells you, that will map a whole range 1:1, so 1.2.3.1 will map to e.g. 10.2.3.1, .2 to .2 etc.

              All you have to maintain is

              a) the CARP VIPs (add as needed, as you map the whole /26 1:1 you don't have to add further mappings)
b) the filter rules (on your WAN interface add allow rules as needed, but keep in mind you'll have to write your rules for the private network on LAN, as 1:1 NAT happens just before the filter rules try to match)

That's the easiest I can think of. It's dirty (as NAT always is), but if you can't get your /26 routed via the 5.6.7.8/28 network, that's all you can do. I'd try to push and ask them to route it, as every networking guy will tell you that it's not that nice to have different IP ranges on the same L2 network, so the networking/firewall guys from the ISP will surely be on your side ;)

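Added example, not code from the thread or from pfSense: a small Python model of the two pf behaviours the thread touches. The first is the `antispoof log for $WAN` rule Sander88 found in the logs, expanded the way pf.conf(5) documents `antispoof for <interface>` (block inbound on other interfaces from the interface's network, and block inbound from the interface's own addresses), applied to the original setup where 1.2.3.10 is configured on WAN as a CARP VIP. The second is JeGr's 1:1 NAT workaround, where the destination is translated before the WAN filter rules are matched, so a rule written for the public address never matches. The private 10.2.3.0/26 range, the 203.0.113.5 client, first-match evaluation (pf `quick` semantics) and the treatment of a CARP VIP as an interface address for antispoof purposes are assumptions of this model, not facts from the thread.

```python
"""Model of two pf behaviours from the thread (added example, not pfSense code):
1. `antispoof for WAN` expanded as pf.conf(5) describes it, applied to the
   original setup where 1.2.3.10 is also a CARP VIP on WAN;
2. JeGr's 1:1 NAT workaround, where translation happens before the WAN
   filter rules are matched, so rules must name the private address.
Evaluation is first-match (pf `quick` semantics), an assumption of this model."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")
WAN, LAN = "wan", "lan"
WAN_NET = IPv4Network("5.6.7.0/28")        # ranges as given in the thread
PUBLIC_LAN = IPv4Network("1.2.3.0/26")
PRIVATE_LAN = IPv4Network("10.2.3.0/26")   # assumed private /26 for the 1:1 NAT variant


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                 # "block" or "pass"
    iface: Optional[str]        # None = any interface
    negate_iface: bool          # True models "on ! iface"
    src: IPv4Network
    dst: IPv4Network
    label: str

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and (p.iface == self.iface) == self.negate_iface:
            return False
        return p.src in self.src and p.dst in self.dst


def antispoof_rules(iface: str, iface_net: IPv4Network, iface_addrs: List[str]) -> List[Rule]:
    """Expand `antispoof for <iface>` the way pf.conf(5) documents it:
         block in on ! <iface> from <iface net> to any
         block in from <each address of iface> to any
    Every address configured on the interface, including a CARP VIP in this
    model (assumption), becomes a blocked source on all interfaces."""
    rules = [Rule("block", iface, True, iface_net, ANY, f"antispoof {iface} net")]
    for a in iface_addrs:
        rules.append(Rule("block", None, False, IPv4Network(a), ANY, f"antispoof {iface} addr {a}"))
    return rules


def evaluate(p: Packet, rules: List[Rule], default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; anything no rule passes is blocked (pfSense default)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.label
    return default, "default deny"


def binat_inbound(dst: IPv4Address, external: IPv4Network, internal: IPv4Network) -> IPv4Address:
    """1:1 NAT of a whole range: same prefix length on both sides, host bits
    preserved, so 1.2.3.10 maps to 10.2.3.10 as JeGr describes."""
    if external.prefixlen != internal.prefixlen:
        raise ValueError("1:1 NAT of a range needs equal-size networks")
    if dst not in external:
        return dst
    return IPv4Address(int(internal.network_address) + (int(dst) - int(external.network_address)))


def wan_inbound(p: Packet, rules: List[Rule]) -> Tuple[str, Tuple[str, str]]:
    """Inbound on WAN: 1:1 NAT rewrites the destination first, then the filter
    sees the translated packet. Returns (translated dst, verdict)."""
    t = Packet(p.iface, p.src, binat_inbound(p.dst, PUBLIC_LAN, PRIVATE_LAN))
    return str(t.dst), evaluate(t, rules)


def demo_antispoof() -> dict:
    """Original setup: 1.2.3.10 configured on WAN as a CARP VIP and used by a LAN host."""
    rules = antispoof_rules(WAN, WAN_NET, ["5.6.7.1", "5.6.7.3", "1.2.3.10"])
    rules.append(Rule("pass", LAN, False, PUBLIC_LAN, ANY, "LAN allow"))
    client = IPv4Address("203.0.113.5")   # constructed external client address
    return {
        "reply from test server": evaluate(Packet(LAN, IPv4Address("1.2.3.10"), client), rules),
        "reply from other LAN host": evaluate(Packet(LAN, IPv4Address("1.2.3.20"), client), rules),
    }


def demo_binat() -> dict:
    """1:1 NAT variant: the same WAN packet against a rule written for the public
    address and a rule written for the private (post-NAT) address."""
    pkt = Packet(WAN, IPv4Address("203.0.113.5"), IPv4Address("1.2.3.10"))
    public_rule = [Rule("pass", WAN, False, ANY, IPv4Network("1.2.3.10/32"), "allow public dst")]
    private_rule = [Rule("pass", WAN, False, ANY, IPv4Network("10.2.3.10/32"), "allow private dst")]
    return {"public-address rule": wan_inbound(pkt, public_rule),
            "private-address rule": wan_inbound(pkt, private_rule)}


if __name__ == "__main__":
    for name, result in {**demo_antispoof(), **demo_binat()}.items():
        print(f"{name}: {result}")
```

In the first scenario the test server's own replies, leaving on LAN with source 1.2.3.10, are dropped by the antispoof expansion because that address is also one of WAN's addresses; in the second, the WAN rule only passes traffic once it names 10.2.3.10, the address the packet carries after 1:1 NAT.
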
Sander88:

Thanks for the reply. I will ask my ISP once more to get the routing set up correctly. I don't want to use dirty solutions like NAT ;)

Sander88:

I have got the routing set up by my ISP now. Works nicely. :) Thanks again for your quick reply.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.