Netgate Discussion Forum

    PfSense 2.4 & CARP with DHCP-on-WAN

      ttmcmurry

      Hello - hoping I'm missing something simple here.

      My interfaces are:

      WAN1 - DHCP only (Gets a public IP, but not a static IP)
      WAN2 - DHCP only (Gets a public IP, but not a static IP)
      LAN
      CARP

      Without considering CARP, my WAN setup works.  I have both ISPs in a tiered Gateway Group and failover between ISPs works as expected.  I have no static routes defined.  Neither WAN has a checkmark for the "this will select the above gateway as the default gateway" option.

      I have CARP working, everything on firewall 1 is replicated to firewall 2, firewall rules are working.  No problems here.

      On the LAN:
      FW1 - 10.10.50.1
      FW2 - 10.10.50.2
      VIP - 10.10.50.254

      However, from this point it gets a little "weird" - I know I need to NAT the traffic from the VIP outbound, and CARP needs to be aware of the WAN; but I have no idea if my only options are DHCP IPs from the WAN side to complete the CARP setup.

      Every document I've read says I need to assign a VIP in the WAN subnet; and by this metric I would need two VIPs, one in each WAN subnet.  I don't know how to achieve that in pfSense when the WAN IP is subject to constant change.

      On a Cisco ASA this is not even an issue.  Failover is a matter of a very similar process without pfSense's requisite VIPs.  Enabling high availability failover only requires a standby IP in the LAN(s) but not necessarily for the WAN(s).

      Any help on this would be great.  I feel like the answer might be "put a router in front of the firewall" - even though pfSense is perfectly capable of routing.
