Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP Network Allocation Problem

    HA/CARP/VIPs
    2
    9
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TheGeek
      last edited by

      My setup is like this:

      WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)
      LAN: A /23 network 10.10.10.0
      DMZ: Bridged with WAN

      In order for the 192.10.50.0 to work and route packets i allocated this network using a ProxyARP on 1 out of 2 pfsenses. (And it works, as it should)
      I have set CARP adresses on both LAN and WAN, and although they sync settings, and CARP is working as it should, i can only access to DMZ and WAN when 1 out of 2 pfsenses are disconnected.
      Each one works individually, but not together.

      So, i need to resolve 2 problems in order to get a full redudant firewall.

      1. How can i solve the issue with the firewalls not working together?

      2. I read this https://forum.pfsense.org/index.php?topic=45209.msg240929#msg240929 but i don't understand how i am supposed to set it up, and which IP i will set as CARP, since i cannot create a CARP network

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Bridging is completely incompatible with pfSense CARP/HA. If you choose to go down that path it is incumbent upon you to make sure all of the necessary spanning-tree pieces are in the right place.

        WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)

        This is also asking for trouble. Seems it has found you.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • T
          TheGeek
          last edited by

          Unfortunately, it is necessary for me to use bridge as the IPs of the devices i have on my DMZ need to match the WAN's IP.
          So, bridge and CARP are not gonna work?

          Yes, also the situation with 2 networks on one cable cannot change..  :-[

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            It can work, but it's on you to prevent any loops. I am not going down that rabbit hole. Design your network properly.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • T
              TheGeek
              last edited by

              Ok, i see.
              Trust me, if i could, i would design it properly.
              And how could i prevent loops?
              Can you give me a link or something to read about it?

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                I find it humorous that you would be concentrating on HA before fixing such a broken design. If it is worth high-availability it is worth a solid design first.

                You prevent layer 2 loops using spanning-tree protocol

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • T
                  TheGeek
                  last edited by

                  It is humorous, indeed.
                  But still, not in my powers to change this.
                  You wouldn't understand.
                  But thank you very much for your time.
                  I will try to see if HA can be achived, otherwise a cloned machine will be standing by, in case of a hardware failure.

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    I understand perfectly.

                    It is those who are making you do this who don't understand.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • T
                      TheGeek
                      last edited by

                      @Derelict:

                      It is those who are making you do this who don't understand.

                      Yep.
                      I guess i am not the only one.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.