Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP alternative

    HA/CARP/VIPs
    7
    24
    5.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SteveITS Rebel Alliance @michmoor
      last edited by

      @michmoor We have a client using private IPs as I described. Both routers can update. They actually had a small block but at the time needed multiple IPs for various services so they were all shared. (Now just one)

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      M 1 Reply Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @SteveITS
        last edited by

        @SteveITS Yeah you can use a RFC1918 layer but its just not as clean as putting routable addresses on the WAN. Double-NAT 😢

        The concern i have with this type of design is port forwarding and/or hosting services. Not ideal but can work.

        @jimp if the secondary firewall needs to install patches/packages, is that when you just flip it to Master (One WAN IP being shared).

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        S jimpJ 2 Replies Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @michmoor
          last edited by SteveITS

          @michmoor maybe but since the shared “CARP” public IP is used on WAN there’s no practical difference in my mind.

          Edit: yes if using only one IP it’d have to be master to update pfSense. Or pfB lists etc.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 1
          • jimpJ
            jimp Rebel Alliance Developer Netgate @michmoor
            last edited by

            @michmoor said in CARP alternative:

            if the secondary firewall needs to install patches/packages, is that when you just flip it to Master (One WAN IP being shared).

            It needs to have packages and updates at all times, not just when it's master. Otherwise you'd have to fail over to it to do any sort of maintenance, which defeats the idea of HA to reduce disruptions.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.