CARP with 1 WAN IP



  • Hello everyone!

    I encounter a blockage in my Failover PFsense configuration.
    My Sync works perfectly on the 172.16.1.0 network.
    So I wanted to set up a CARP configuration in order to provide HA for my whole internal network, but also to be able to access my pfSense from the outside if one of the two nodes falls.

    The problem is that I only have one public IP delivered by my service provider (OVH).
    I don't know how to configure CARP with only one public IP.

    Thank you in advance for your help :)



  • I'm pretty sure I've posted this before, but here are some notes:
    I say WAN here, if it's not your WAN, then use the correct OPTx interface instead.
    Put private IPs on the WAN interfaces of the primary and secondary firewalls.
    I used the public IPs with a 10. for the first octet and the correct subnet mask.
    If it's a /30 you may have to use .1 and .2 or something. It probably doesn't matter.
    Leave the gateway blank for now. Uncheck the block private option.

    Make sure you are cabled in correctly; you may want to put the secondary in CARP maintenance mode.

    Add a CARP vip on the interface with the public IP.

    Add the gateway

    Add an outbound NAT rule, something like this-
    WAN 'this firewall' * * * (CARP IP) * NO

    Restart dpinger after adding the rule.

    Update interface with gateway.

    Gateway status should show up on primary, but will be down on secondary.

    Add port forwards and outbound nat as usual, using public carp.
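    An added check, not from this thread or from pfSense itself, that can be run on either node to confirm two things the steps above depend on: that the CARP VIP is actually MASTER on the node you expect, and that the outbound NAT rules really translate "this firewall" and the LAN subnet to the public CARP VIP (otherwise dpinger cannot reach the gateway). The interface name vmx0, VHID 1, the 203.0.113.10 VIP and the sample command output are constructed for the example.

```sh
#!/bin/sh
# Constructed sample of `ifconfig vmx0` on the primary node; interface name,
# VHID and addresses are made up for this example.
SAMPLE_IFCONFIG='vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 172.17.1.2 netmask 0xffffff00 broadcast 172.17.1.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed sample of `pfctl -sn` after adding the two outbound NAT rules
# (this firewall and the LAN subnet) that translate to the public CARP VIP.
SAMPLE_PFCTL='nat on vmx0 inet from (self) to any -> 203.0.113.10 port 1024:65535
nat on vmx0 inet from 10.10.10.0/24 to any -> 203.0.113.10 port 1024:65535'

# carp_state IFCONFIG_OUTPUT VHID: prints MASTER, BACKUP or INIT for that VHID,
# nothing if the VHID is not configured on the interface.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" \
        '$1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; exit }'
}

# nat_uses_vip PFCTL_OUTPUT VIP SOURCE: succeeds only if an outbound nat rule
# from SOURCE (e.g. "(self)" or "10.10.10.0/24") translates to VIP.
nat_uses_vip() {
    printf '%s\n' "$1" | awk -v vip="$2" -v src="$3" '
        $1 == "nat" && index($0, "from " src " ") > 0 {
            for (i = 1; i < NF; i++) if ($i == "->" && $(i + 1) == vip) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# On a live pfSense box the same functions would be fed real output, e.g.:
#   carp_state "$(ifconfig vmx0)" 1
#   nat_uses_vip "$(pfctl -sn)" 203.0.113.10 "(self)"
echo "CARP vhid 1 state: $(carp_state "$SAMPLE_IFCONFIG" 1)"
for src in "(self)" 10.10.10.0/24; do
    if nat_uses_vip "$SAMPLE_PFCTL" 203.0.113.10 "$src"; then
        echo "outbound NAT from $src -> 203.0.113.10: ok"
    else
        echo "outbound NAT from $src -> 203.0.113.10: MISSING (gateway monitoring will not use the VIP)"
    fi
done
```

    On the secondary the CARP state should read BACKUP, and a gateway shown as down there is expected, as noted further down in the thread.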



  • Hi, sorry for the response time and thank you for your information :)
    I applied what you advised me, but unfortunately, I still don't have Internet with my CARP configuration.

    Let me explain myself:

    I made a VLAN dedicated to my SYNC with IP master 172.16.1.2 and slave 172.16.1.3. The Sync works perfectly.
    Afterwards, I configured my WAN interfaces with IP master 172.17.1.2 and 172.17.1.3 respectively.

    I then added the public IP of my default gateway to each of my nodes.

    After that, I added my VIP carp (which was correctly replicated on my second node).
    At this point, my first node has a master CARP status and my second node has a slave CARP status.

    Finally, I created my NAT outbound rule like this:

    WAN Interface, Source Any, Source Port *, Destination *, Destination Port *, NAT Address: My public IP, Nat Port *

    I then created a test FW rule forcing the use of my public gateway for all traffic coming from my WAN interface.

    Despite this configuration, I still don't have an Internet connection, would I have missed a configuration?



  • Sounds about right, but I would use more specific NAT rules. Mine are something like-
    WAN 'This Firewall' * * * (Public carp VIP) * (no static)
    WAN (lan subnet) * * * (Public carp VIP) * (no static)



  • I applied this same configuration to my NAT.
    My Gateway remains offline on my master. I have restarted, as you advised me, the dpinger service, but the logs return a "no route to host". This Gateway is, however, correctly configured and is applied as the default Gateway.
    (I've enabled promiscuous mode in my vswitch)



  • @sagaroth:

    My Gateway remains offline on my master. I have restarted, as you advised me, the dpinger service, but the logs return a "no route to host".

    Try, from Diagnostics / Ping, selecting the Public CARP VIP as the source address, and pinging the gateway.
    Just to verify, subnet mask on the CARP VIP is correct and gateway is reachable from that subnet?



  • The ping doesn't work even if I put the CARP VIP as a source.
    After verification, the subnet mask of my CARP VIP is correct.
    My gateway uses this same mask and is in the same network as my VIP CARP.



  • I added my VIP LAN CARP today that I configured like this:

    IP LAN PFsense1:10.10.10.10.252/24
    IP LAN PFsense2:10.10.10.10.253/24
    VIP LAN: 10.10.10.10.254/24

    What surprises me is that this VIP CARP is not reachable from my LAN network (A Virtual Machine in 10.10.10.61).



  • @sagaroth:

    (I've enabled promiscuous mode in my vswitch)

    Any way you can test with a physical setup to rule out the hypervisor config? Honestly sounds like something is up with the vswitch if you can't ping each box from the vmnetwork…



  • I also think there is a problem with the hypervisor, because my WAN connection works perfectly without CARP.
    Unfortunately I don't have the possibility to physically test this configuration because this hypervisor is hosted at OVH.



  • @dotdash:

    Sounds about right, but I would use more specific NAT rules. Mine are something like-
    WAN 'This Firewall' * * * (Public carp VIP) * (no static)
    WAN (lan subnet) * * * (Public carp VIP) * (no static)

    Good Morning!

    I followed the official CARP Tut from Netgate Wiki and also yours (dotdash).

    I am using the 2.4.2-RELEASE version on Supermicro servers (2 identical machines). Now I can successfully ping the WAN-CARP-VIP (193.xy.x.y.) and the LAN-CARP-VIP (172.16.x.y) from INSIDE my LAN.
    Pinging my client (172.16.x.30) from pfSense to the LAN is also possible.

    How can I prove that the CARP is working correctly? In particular, I suffer from not being able to ping any IP outside (WAN IP range). NAT rules are set like dotdash's, and reboots took place too. Pinging devices on the WAN side fails with "Request timeout" on the Windows client, and on pfSense with "ping: sento: Host is down".

    Would be more than nice if you could help me out of this! Have a nice day and greetings from Austria



  • You can't ping from a machine on the LAN, or from the firewalls? Not being able to ping outside from the secondary is normal.
    Best way to test HA is to shut down the primary during a slow time, and verify machines on the LAN can still get out.



  • To get around the hassle of this setup, much like my own, you can always do the following:

    • On the virtual side, make the vNICs' MAC for both boxes the same for the WAN interface.

    I use a termination box in front of mine for VDSL and a switch before it goes into the virtual environment.

    That's pretty much it. It will work, but note it will show as up on both boxes for the WAN interface, and the WAN graph will look a little odd on the standby box, as expected.