How to use CARP Redundancy Without NAT?



  • Hi,

    I got a question about CARP and routing a vIP.

    Do I need VIP1 in my drawing? I want failover and I got a /29 net with static IPs.
    How can I set up an upstream gateway for VIP1?
    Did I understand wrong how it works?

    How can I set up a route from VIP2 to VIP1 or any client behind this?
    I want routing between the subnets, not NAT.

    Can I find some more detail about all of this in the pfSense Cookbook?

    The IPs / subnets are chosen randomly and do not represent any real subnets.
    It is just for the logic.

    Thank you for help.

    CAT



  • @cat1510:

    Do I need VIP1 in my drawing? I want failover and I got a /29 net with static IPs.

    Yes, VIP1 is the shared WAN IP. In a CARP setup any interface of the master box shares an IP address with the backup.
    VIP1 is your default WAN address. You should also use this IP for outbound NAT translations. This has to be set manually in Firewall > NAT > Outbound.

    @cat1510:

    How can I set up an upstream gateway for VIP1?

    System > Routing > Gateways

    @cat1510:

    How can I set up a route from VIP2 to VIP1 or any client behind this?

    There is no route needed, since you have set the upstream gateway. The gateway is the default route on pfSense.
    Your hosts' default routes have to point to VIP2, so traffic is directed to pfSense and there it is forwarded to the upstream gateway.

    @cat1510:

    I want routing between the subnets, not NAT.

    So the subnet 93.12.17.32/27 has to be routed to VIP1 by the ISP, or to any other address which hooks up on it.
    Okay, so you don't need the outbound NAT mentioned above.

    Here are some more details:
    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    Your drawing shows two ISP uplinks, but the IPs are in the same subnet. So it will just be one uplink split by a switch.



  • Thank you Firagomann.

    XML Sync is working fine on both nodes.

    System > Routing > Gateways

    Of course I know how to set up a route / gateway / interface.
    There is no way to define an upstream gateway because you cannot select the VIP1 interface.

    I subscribed in the meantime to pfSense Gold Membership.
    They exactly describe my topology but there is no example of the rules / gateways etc.
    ALL other guides / howtos / tutorials only use CARP with NAT.

    It is Chapter: Providing Redundancy Without NAT in the pfSense Book.

    Maybe someone has a suggestion how to go on?

    Thank you.

    CAT



  • Hi,

    @cat1510:

    There is no way to define an upstream gateway because you cannot select the VIP1 interface.

    A VIP isn't an interface but a virtual IP address which is assigned to an interface.

    When adding the gateway just select the WAN interface or whatever it is connected to and check "Default Gateway".



  • Thank you.

    My problem is solved. I bought support and we resolved my problem very quickly.

    The most important rule was: the VIP address should have the lowest IP.
    Both nodes have the same number of physical interfaces.

    Example: we have a 10.0.0.0/29 net from ISP for redundant uplinks.

    10.0.0.1 = Upstream Gateway from ISP (usually the lowest IP)
    10.0.0.2 = WAN VIP1
    10.0.0.3 = pfSense Node1
    10.0.0.4 = pfSense Node2

    Second Net: 10.0.1.0/29
    10.0.1.1 = ROUTED VIP2
    10.0.1.2 = pfSense Node1
    10.0.1.3 = pfSense Node2
    10.0.1.4 = first possible Computer/Server

    Turn off NAT.
    Set NAT -> Outbound to Manual Outbound NAT and delete all rules you don't need for the routing interfaces.

    On the computer you have to set the gateway to 10.0.1.1, and you can set DNS to this too if the DNS Forwarder is used.
    Important is that on the ISP's router the next hop for the routed 10.0.1.0/29 net is 10.0.0.2.
    All other routes and stuff the kernel makes by itself.

    So the routing with CARP should work.

    Hope this helps someone.

    CAT
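The addressing plan in the post above, modelled in Python so the failover behaviour can be checked offline. This is an added example, not code from the thread or from pfSense: the addresses are the constructed ones from the post, and the assumption that node1 is the preferred CARP master (lower advskew) is mine, not something the thread states. The point it makes is the one CAT's support engineer made: the ISP's static route for the second /29 must point at the WAN VIP (10.0.0.2), because a route pinned to a node's own address stops working the moment that node fails, and without outbound NAT the hosts' source addresses pass through unchanged.

```python
"""CARP-without-NAT addressing plan from the thread, as a small routing model.

Added example, not from the thread or from pfSense.  Addresses are the post's
constructed ones; "node1 is the preferred master" is an assumption.
"""
import ipaddress

WAN_NET = ipaddress.ip_network("10.0.0.0/29")   # ISP-facing /29
LAN_NET = ipaddress.ip_network("10.0.1.0/29")   # second /29, routed by the ISP to the WAN VIP

ISP_GW  = ipaddress.ip_address("10.0.0.1")      # upstream gateway (System > Routing > Gateways)
WAN_VIP = ipaddress.ip_address("10.0.0.2")      # CARP VIP1: the ISP's next hop for LAN_NET
LAN_VIP = ipaddress.ip_address("10.0.1.1")      # CARP VIP2: default gateway for the hosts

# Physical addresses of the two nodes; dict order is the assumed master preference.
NODES = {
    "node1": {"wan": ipaddress.ip_address("10.0.0.3"), "lan": ipaddress.ip_address("10.0.1.2")},
    "node2": {"wan": ipaddress.ip_address("10.0.0.4"), "lan": ipaddress.ip_address("10.0.1.3")},
}


def check_plan():
    """Return the list of rules from the post that the plan violates (empty when it is fine)."""
    problems = []
    if WAN_VIP not in WAN_NET or ISP_GW not in WAN_NET:
        problems.append("WAN VIP and ISP gateway must share the WAN subnet")
    if LAN_VIP not in LAN_NET:
        problems.append("LAN VIP must lie in the routed subnet")
    if WAN_NET.overlaps(LAN_NET):
        problems.append("routed subnet overlaps the WAN subnet")
    for name, addrs in NODES.items():
        if addrs["wan"] not in WAN_NET or addrs["lan"] not in LAN_NET:
            problems.append(f"{name} has an address outside its subnet")
        if addrs["wan"] <= WAN_VIP or addrs["lan"] <= LAN_VIP:
            problems.append(f"{name} address is not above the VIP ('VIP has the lowest IP')")
    used = [ISP_GW, WAN_VIP, LAN_VIP] + [a for n in NODES.values() for a in n.values()]
    if len(set(used)) != len(used):
        problems.append("duplicate address in plan")
    return problems


def carp_master(alive):
    """CARP elects the live node with the lowest advskew; node1 is preferred (assumed)."""
    for name in NODES:
        if name in alive:
            return name
    return None


def isp_forward(dst, next_hop, alive):
    """Simulate the ISP router delivering a packet for `dst` via its static route
    'LAN_NET via next_hop'.  Returns the node that receives it, or None when the
    next hop does not answer (dead node, or a VIP with no master left)."""
    dst, next_hop = ipaddress.ip_address(dst), ipaddress.ip_address(next_hop)
    if dst not in LAN_NET:
        return None                       # not one of our routed addresses
    if next_hop == WAN_VIP:
        return carp_master(alive)         # the VIP follows the master
    for name, addrs in NODES.items():     # route pinned to a physical node address
        if addrs["wan"] == next_hop and name in alive:
            return name
    return None


def host_forward(src, dst, alive):
    """Simulate a LAN host (default gateway LAN_VIP) sending a packet.
    Without outbound NAT the source address reaches ISP_GW unchanged."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LAN_NET:                    # same subnet: delivered directly, no router involved
        return {"via": None, "src": src, "next_hop": dst}
    master = carp_master(alive)
    if master is None:
        return None
    return {"via": master, "src": src, "next_hop": ISP_GW}


if __name__ == "__main__":
    print("plan problems:", check_plan())
    both = {"node1", "node2"}
    print("ISP -> 10.0.1.4, both up:     ", isp_forward("10.0.1.4", WAN_VIP, both))
    print("ISP -> 10.0.1.4, node1 down:  ", isp_forward("10.0.1.4", WAN_VIP, {"node2"}))
    print("route pinned to 10.0.0.3, node1 down:",
          isp_forward("10.0.1.4", NODES["node1"]["wan"], {"node2"}))
    print("host -> Internet, node1 down: ", host_forward("10.0.1.4", "198.51.100.7", {"node2"}))
```

Running it prints `node1` for the normal case, `node2` after node1 fails, and `None` for the route pinned to node1's physical address, which is exactly the failure the VIP-as-next-hop rule avoids. The `host_forward` result shows the unchanged 10.0.1.4 source, the reason the Manual Outbound NAT table must not contain a rule for the routed interface.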

