Netgate Discussion Forum

    PFSense HA question about public IPs

    HA/CARP/VIPs
    • O
      Operations
      last edited by Operations

      I have got two questions about running pfSense (virtual) in HA mode.

      Among other links I checked out this one:
      https://m.youtube.com/watch?v=-1Og5ogkyZY

      I have got two locations with different setups. I would like to have pfSense with two HA nodes on both. The locations have got nothing to do with each other; I just want to set up HA on both locations.

      My questions are about the public IPs.

      1. Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.

      2. Location two has got one WAN IP, but I got a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All those IP addresses are used as well.

      • DerelictD
        Derelict LAYER 8 Netgate @Operations
        last edited by Derelict

        @operations said in PFSense HA question about public IPs:

        I have got two questions about running pfSense (virtual) in HA mode.

        Among other links I checked out this one:
        https://m.youtube.com/watch?v=-1Og5ogkyZY

        I have got two locations with different setups. I would like to have pfSense with two HA nodes on both. The locations have got nothing to do with each other; I just want to set up HA on both locations.

        My questions are about the public IPs.

        1. Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.

        No, the CARP address can and should be used for the port forwards, outbound NAT, etc. The interface addresses can be used but it is of limited utility. For instance it is common to open a rule to the webgui on both WAN interface addresses so you can failover and maintain solid contact with both nodes.

        2. Location two has got one WAN IP, but I got a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All those IP addresses are used as well.

        That is less clear. Which node is the GRE tunnel active on? The main problem is the backup node (usually the secondary node) needs internet access all the time for updates, DNS resolution, etc.

        If the GRE is on a router in front of the HA pair it could work. If it is active on the primary node or something like that, probably not.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • O
          Operations @Derelict
          last edited by

          @derelict said in PFSense HA question about public IPs:

          @operations said in PFSense HA question about public IPs:

          I have got two questions about running pfSense (virtual) in HA mode.

          Among other links I checked out this one:
          https://m.youtube.com/watch?v=-1Og5ogkyZY

          I have got two locations with different setups. I would like to have pfSense with two HA nodes on both. The locations have got nothing to do with each other; I just want to set up HA on both locations.

          My questions are about the public IPs.

          1. Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.

          No, the CARP address can and should be used for the port forwards, outbound NAT, etc. The interface addresses can be used but it is of limited utility. For instance it is common to open a rule to the webgui on both WAN interface addresses so you can failover and maintain solid contact with both nodes.

          2. Location two has got one WAN IP, but I got a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All those IP addresses are used as well.

          That is less clear. Which node is the GRE tunnel active on? The main problem is the backup node (usually the secondary node) needs internet access all the time for updates, DNS resolution, etc.

          If the GRE is on a router in front of the HA pair it could work. If it is active on the primary node or something like that, probably not.

          What is the difference between CARP and interface addresses?
          Looking at this situation, I have got .153 till .159.

          I should just follow the HowTo video and pick 3 numbers between 153 and 159? :)

          The other location: no, there is no router in front of pfSense. The current single installation/node handles the GRE tunnel. So this is most likely not possible, right?

          • DerelictD
            Derelict LAYER 8 Netgate @Operations
            last edited by

            @operations

            https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#carp-overview


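To make the distinction between CARP and interface addresses concrete, and to show how a /29 like the one in this thread gets divided between the two nodes and the shared VIPs, here is an added example in Python. It is not from the thread, from Netgate or from pfSense itself. It uses an RFC 5737 documentation prefix in place of the 0.0.0.152/29 block, the rule dictionaries (names, `kind`, `address` fields) are constructed for the example, and the planning split (first two usable hosts to the nodes, the rest to CARP VIPs) is one reasonable layout, not a pfSense default. Note that `hosts()` excludes the network and broadcast addresses, which in a /29 ending in .152 are .152 and .159.

```python
import ipaddress
from typing import Dict, List

# Constructed sample block: the thread's 0.0.0.152/29 is not routable, so an
# RFC 5737 documentation prefix stands in for it.
WAN_BLOCK = ipaddress.ip_network("203.0.113.152/29")

# Constructed sample rules in the shape a pfSense NAT/firewall review would
# look at: the rule's external address and what kind of rule it is.
# Names and field layout are assumptions for this example.
SAMPLE_RULES = [
    {"name": "https-forward", "kind": "port_forward", "address": "203.0.113.155"},
    {"name": "lan-outbound",  "kind": "outbound_nat", "address": "203.0.113.156"},
    {"name": "smtp-forward",  "kind": "port_forward", "address": "203.0.113.153"},
    {"name": "webgui-node-a", "kind": "firewall",     "address": "203.0.113.153"},
    {"name": "webgui-node-b", "kind": "firewall",     "address": "203.0.113.154"},
]


def plan_ha_addresses(block: ipaddress.IPv4Network) -> Dict[str, object]:
    """Split a WAN block into per-node interface addresses and shared CARP VIPs.

    Each node keeps one unique interface address: that is the node's own
    identity and stays reachable no matter which node is MASTER.  Every other
    usable address becomes a CARP VIP, which floats to whichever node holds
    MASTER state, so NAT bound to a VIP keeps working through a failover.
    """
    hosts = list(block.hosts())  # excludes network (.152) and broadcast (.159)
    if len(hosts) < 3:
        raise ValueError("an HA pair needs two interface addresses plus at least one CARP VIP")
    return {
        "node_a": hosts[0],
        "node_b": hosts[1],
        "carp_vips": hosts[2:],
    }


def check_rules(rules: List[Dict[str, str]], plan: Dict[str, object]) -> List[str]:
    """Flag NAT rules that would stop working on failover.

    Port forwards and outbound NAT must use a CARP VIP.  Plain firewall rules
    to a node's own interface address (e.g. webgui access to each node) are
    fine, which is why only NAT kinds are checked here.
    """
    node_addrs = {plan["node_a"], plan["node_b"]}
    vips = set(plan["carp_vips"])
    findings: List[str] = []
    for rule in rules:
        addr = ipaddress.ip_address(rule["address"])
        if rule["kind"] not in ("port_forward", "outbound_nat"):
            continue
        if addr in node_addrs:
            findings.append(
                f"{rule['name']}: bound to a node interface address; "
                "it dies with that node on failover, bind it to a CARP VIP"
            )
        elif addr not in vips:
            findings.append(f"{rule['name']}: {addr} is not a CARP VIP in the plan")
    return findings


if __name__ == "__main__":
    plan = plan_ha_addresses(WAN_BLOCK)
    print("node A interface:", plan["node_a"])
    print("node B interface:", plan["node_b"])
    print("CARP VIPs:", ", ".join(str(v) for v in plan["carp_vips"]))
    for finding in check_rules(SAMPLE_RULES, plan):
        print("WARNING:", finding)
```

Run against the constructed rules, the planner hands .153 and .154 to the two nodes and keeps .155 through .158 as CARP VIPs, and the checker flags only `smtp-forward`, which is pinned to node A's interface address and would go dark the moment node B takes over.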
            • O
              Operations @Derelict
              last edited by Operations

              @derelict

              Thanks again.

              I read a bit more and I am wondering if it is possible at that location at all...
              I will tell you why: it is a fiber 500/50 connection. It is set up by a PPPoE (DHCP) connection, which gives me one public IP.

              I have also set up an extra interface with a static IP (.153) and added 5 virtual IPs (.154 till .159). I have got a 0.0.0.152/29 subnet.

              I have tested trying to run the PPPoE connection twice; this doesn't work.

              Am I right to assume that it is not possible then?

              • DerelictD
                Derelict LAYER 8 Netgate @Operations
                last edited by

                @operations HA on dynamic WANs (DHCP, PPPoE) is generally unsupported.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.