pfSense High Availability exapand existing firewall with multi wan and multi ip

kiokoman · Oct 21, 2020, 3:30 PM

I'm trying to help a guy on the Italian forum
is it possible to expand this configuration to use pfSense High Availability with carp? if so it's not clear how to configure the wan side as all the example / docs and #hangout on the net talk about a single static IP per wan
this is the actual situation:
there are services that are available only on a specific IP like email server and web server
as it is now all IP's are configured as "IP alias" directly on pfsense, both modem are in bridge
isp 1 have 32 public ip
isp 2 have 16 public ip

viragomann · Oct 21, 2020, 3:30 PM

@kiokoman said in pfSense High Availability exapand existing firewall with multi wan and multi ip:

is it possible to expand this configuration to use pfSense High Availability with carp? if so it's not clear how to configure the wan side as all the example / docs and #hangout on the net talk about a single static IP per wan

There is nothing special with that. If you know how to setup HA it's simply the combination with Multi-WAN.
Get a switch (or two to have WAN redundancy) to connect the WANs to both boxes.

@kiokoman said in pfSense High Availability exapand existing firewall with multi wan and multi ip:

there are services that are available only on a specific IP like email server and web server
as it is now all IP's are configured as "IP alias" directly on pfsense

It's the same with HA, apart the IP aliases are hooking up on the WAN VIPs instead of WAN address.

The Outbound NAT for local networks (not the firewall itself) has to be reconfigured to use the WAN VIPs or whatever IP alias you want.

kiokoman · Oct 21, 2020, 4:32 PM

what i don't understand is.. we need one carp address for each public ip ? bc i don't understand how i can nat 40+ public ip if i have only one carp address

viragomann · Oct 21, 2020, 4:42 PM

@kiokoman said in pfSense High Availability exapand existing firewall with multi wan and multi ip:

what i don't understand is.. we need one carp address for each public ip ?

Maybe you've read that in a very old tutorial.

Tody both master and slave should have a public IP and a third IP is needed as CARP. The CARP address can be used for services on or behind pfSense.
All other public IPs you can add as IP alias as you did in the single installation, hooking up on the WAN CARP IPs (WAN1, WAN2) instead of the WAN IPs.

kiokoman · Oct 21, 2020, 4:54 PM

thank you very much, it's more clear now