Netgate Discussion Forum

    Could use carp if WAN use public IP?

    HA/CARP/VIPs
      akong

      Hello,
      Please see the attachment. I want to use a public IP as the CARP WAN IP. I also set a sync IP to sync the backup pfSense server.
      So,
      WAN: xx.xx.91.240
      LAN: 10.168.169.254
      SYNC: 192.168.1.0/24

      Could I set one WAN IP address on two pfSense servers?
      If not,
      do I need to add an IP sharing machine in front of pfSense?

      1 Reply Last reply Reply Quote 0
        SteveITS Galactic Empire

        I'm pretty sure you need three public IPs (same subnet) to use CARP.

        https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 0
          dotdash

          You can use a single public IP, with some restrictions.
          Here are some notes I took, not definitive, but they worked for me.

          Put private IPs on the WAN interfaces of the primary and secondary firewalls.
          I used the public IPs with a 10. for the first octet and the correct subnet mask.
          If it's a /30 you may have to use .1 and .2 or something. It probably doesn't matter.
          Leave the gateway blank for now. Un-check the block private option.

          Make sure you are cabled in correctly; you may want to put the secondary in CARP maintenance mode.

          Add a CARP VIP on the interface with the public IP.

          Add the gateway.

          Add an outbound NAT rule, something like this:
          WAN 'this firewall' * * * (CARP IP) * NO

          Restart dpinger after adding the rule.

          Update interface with gateway.

          Gateway status should show up on primary, but will be down on secondary.

          Add port forwards and outbound NAT as usual, using the public CARP address. (Not the interface address)

          1 Reply Last reply Reply Quote 0
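
The addressing step from the notes above, as an added example (not part of the thread and not pfSense code): it derives the 10.x WAN interface addresses from the public subnet and rejects a plan whose derived subnet overlaps an internal network, which matters here because the LAN in the question is also in 10.0.0.0/8. The function name, the /24 masks and the 203.0.113.240 address are assumptions made for illustration.

```python
import ipaddress


def plan_single_ip_carp(public_vip, prefix, internal_nets):
    """Derive private WAN interface addresses for a CARP pair sharing one public IP.

    Follows the notes above: take the public subnet, replace the first octet
    with 10, keep the mask, and give primary and secondary one host each.
    """
    vip = ipaddress.ip_interface(f"{public_vip}/{prefix}")
    tail = str(vip.network.network_address).split(".", 1)[1]
    wan_net = ipaddress.ip_network(f"10.{tail}/{prefix}")

    # A derived 10.x WAN subnet can collide with an internal 10.x network.
    for name, net in internal_nets.items():
        if wan_net.overlaps(ipaddress.ip_network(net, strict=False)):
            raise ValueError(f"derived WAN subnet {wan_net} overlaps {name} ({net})")

    hosts = list(wan_net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"/{prefix} has no room for two firewall addresses")

    return {
        "primary_wan": f"{hosts[0]}/{prefix}",
        "secondary_wan": f"{hosts[1]}/{prefix}",
        "carp_vip": str(vip.ip),
        # The notes un-check "block private networks" on WAN.
        "block_private_networks_on_wan": False,
        # Outbound NAT: traffic from the firewall itself leaves as the CARP IP.
        "outbound_nat": {"interface": "WAN", "source": "This Firewall",
                         "translation": str(vip.ip)},
    }


if __name__ == "__main__":
    # Constructed sample: documentation-range public IP, LAN/SYNC from the
    # question with an assumed /24 mask on the LAN.
    internal = {"LAN": "10.168.169.254/24", "SYNC": "192.168.1.0/24"}
    for key, value in plan_single_ip_carp("203.0.113.240", 24, internal).items():
        print(f"{key}: {value}")
```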
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.