HA Routers with a /30 WAN
-
I have a setup that is currently running two WAN connections, each on its own /29.
I'm trying to bring online a replacement connection, but the gateway monitoring won't play ball.
My setup is also a twin-router HA solution; they are Netgate appliances. The ISP provides a /30 that all traffic must be routed over. (There is a /29 to be routed over that, but one problem at a time...)
I was looking at IP Aliases, but they are router-specific and not HA, so back to CARP it is.
Whichever router is CARP master can use the line (ping the gateway and get out through to the Internet) from SSH. The actual response is a bit varied. Sometimes the gateway shows as up, works and will pass traffic. Sometimes it is up but won't pass traffic. Sometimes it shows as down. Even if I disable gateway monitoring and the action, I can still be left with it working from SSH but not for routing purposes.
Does anyone have any experience with running a /30 WAN with HA?
-
https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html#ip-address-requirements-for-carp
-
Do you mean the WAN only has a /30 assigned, or are they using a /30 as the transit for your other subnets? If it's a transit, you might want to put another router in front of the firewalls (which I know is another point of failure) or ask the provider to change their configuration. If you really need to run CARP with only one public IP, it can be done, with some limitations: https://forum.netgate.com/topic/126274/carp-with-1-wan-ip
-
If you want to run HA you would be better off with a /29 WAN interface subnet and no /30 at all.
-
@dotdash Thank you for the link, dotdash. I had previously read the link @Grimson posted and thought it was only possible to have it with each router having an IP on the same subnet. When I first set it up as per the discussion you linked to, it worked but then didn't. I couldn't find the link again.
@Derelict I know I would be better off with a /29. The existing WAN connections run that way, but the supplier won't do direct /29 routing, so that is not an option. At this point I'm just trying to get back to a point where the WAN works with the /30 and then deal with the /29 later.
Unfortunately, I'm no further. The WAN connection works, because I can ping from the shell, but it is not usable for NAT.
-
Right. A /30 isn't a viable option for HA.
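As an added illustration of why the answer above is what it is (this is not code from any post in the thread or from Netgate), the following script counts the addresses a CARP pair consumes on a WAN subnet. It assumes what the linked Netgate HA documentation requires: every node needs its own unique address on the WAN subnet, plus the shared CARP VIP that outbound NAT uses, plus the ISP gateway itself. The placement of the gateway at the first usable address is an assumption for illustration; ISPs differ.

```python
"""Count the WAN addresses a pfSense/CARP HA pair needs and see whether a prefix can hold them.

Added example; the per-node-IP-plus-VIP requirement comes from the Netgate HA docs,
the gateway-at-first-usable-address placement is an assumption.
"""
import ipaddress


def plan_carp_wan(prefix: str, nodes: int = 2) -> dict:
    """Lay out gateway, per-node IPs and CARP VIP on `prefix`.

    A single firewall (nodes=1) needs only the gateway plus its own address,
    so a /30 is enough for it. An HA pair additionally needs one unique
    address per node for CARP advertisements *and* a shared VIP, so it
    needs at least four usable addresses, which a /30 does not have.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    vip_needed = nodes > 1             # CARP VIP only exists for an HA cluster
    needed = 1 + nodes + (1 if vip_needed else 0)

    plan = {
        "prefix": str(net),
        "usable": len(hosts),
        "needed": needed,
        "fits": len(hosts) >= needed,
        "shortfall": max(0, needed - len(hosts)),
        "gateway": None,
        "node_ips": [],
        "vip": None,
    }
    if plan["fits"]:
        plan["gateway"] = str(hosts[0])                       # assumption: ISP gateway first
        plan["node_ips"] = [str(h) for h in hosts[1:1 + nodes]]
        if vip_needed:
            plan["vip"] = str(hosts[1 + nodes])               # shared address NAT uses
    return plan


if __name__ == "__main__":
    # Constructed sample prefixes from the documentation range 203.0.113.0/24.
    for pfx, n in (("203.0.113.0/30", 1), ("203.0.113.0/30", 2), ("203.0.113.8/29", 2)):
        p = plan_carp_wan(pfx, n)
        print(f"{p['prefix']} nodes={n}: usable={p['usable']} needed={p['needed']} "
              f"fits={p['fits']} shortfall={p['shortfall']} vip={p['vip']}")
```

Running it shows the pattern the thread describes: the /30 is fine for one router (gateway plus one host), but an HA pair is two addresses short, which is why the WAN has to be a /29 or the ISP has to route a larger block over the /30 transit.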
-
@derelict When I initially set it up as discussed in the link that dotdash posted, it actually worked, but then the gateway went down and I swapped onto the new Netgate routers, and I haven't been able to get it back up. Are you saying that the method discussed in the link is not actually viable?