IP Aliases on CARP IP?

  • Hi,
    so far I have a classical setup:
    A single pfsense with a single WAN IP (/30).
    On that WAN IP (/30) there is another public IP network (/27) routed; I can access those IPs with IP Alias.
    Everything works fine.

    Now I want to add another pfsense and set up hardware redundancy.
    I will get a new WAN network (/29), so I have 2 public IPs for firewalls and 1 as CARP IP.

    Can I get the /27 network accessible if it's routed on the CARP IP?
    Because if I set a new IP Alias, I have to define the interface.
    What would I define in that case?

    Thanks for your support

    EDIT: Do I have to switch all my IP Aliases to CARPs?

  • LAYER 8 Netgate

    When you get your /29 and convert to two interface addresses and a CARP VIP, just edit your IP Alias VIPs and change the interface there from WAN to the WAN CARP VIP.

    The IP Aliases will then follow the CARP VIP based on which node is CARP MASTER.

    CARP STATUS (Note only one CARP MASTER; the others are all IP Alias VIPs "stacked" on it.)

  • Sounds great!
    Thank you very much.

    An additional question: so there would be no advantage in changing the IP Aliases to CARP?

  • LAYER 8 Netgate

    I personally really like the IP Alias VIPs stacked on the CARP VIP.

    You only have one "stream" of CARP heartbeats and you can move dozens of VIPs at a time from primary to secondary and back.

    The only time I generally make multiple CARP VIPs is for cleanliness in cases where you have VIPs in multiple subnets. I generally make one VIP per subnet and stack the IP Aliases that are also in that subnet on that VIP. This is a personal preference.

    If you make all of them CARP, then you need a VHID for each of them and any missed advertisement will result in that VIP swinging to the other node while the rest remain. This is never what you want.

    The stacked IP Alias technique reduces the advertisement traffic to that of just the one VIP.

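An added example, not part of the thread and not pfSense's own code: a Python audit of a firewall config export that flags IP Alias VIPs bound directly to an interface instead of stacked on a CARP VIP, and extra CARP VIPs sharing one subnet (each needing its own VHID). The `<virtualip>` element names and the `_vip<uniqid>` parent reference are assumptions modeled on a pfSense-style config.xml, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_interface

# Constructed sample. Element names and the "_vip<uniqid>" parent reference
# are assumptions modeled on a pfSense-style config.xml export.
SAMPLE = """<pfsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
       <uniqid>aaa111</uniqid>
       <subnet>198.51.100.2</subnet><subnet_bits>29</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>_vipaaa111</interface>
       <uniqid>bbb222</uniqid>
       <subnet>203.0.113.1</subnet><subnet_bits>27</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>wan</interface>
       <uniqid>ccc333</uniqid>
       <subnet>203.0.113.2</subnet><subnet_bits>27</subnet_bits></vip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>2</vhid>
       <uniqid>ddd444</uniqid>
       <subnet>198.51.100.3</subnet><subnet_bits>29</subnet_bits></vip>
</virtualip></pfsense>"""


def audit_vips(xml_text):
    """Return (finding, address) tuples for VIPs that may not fail over together."""
    vips = [{c.tag: (c.text or "").strip() for c in v}
            for v in ET.fromstring(xml_text).iter("vip")]
    # Index CARP VIPs by the name an alias would use to reference them.
    carp = {"_vip" + v.get("uniqid", ""): v
            for v in vips if v.get("mode") == "carp"}
    findings = []
    # An alias bound to the raw interface stays on one node after failover.
    for v in vips:
        if v.get("mode") == "ipalias" and v.get("interface") not in carp:
            findings.append(("alias-not-on-carp", v.get("subnet")))
    # A second CARP VIP in the same subnet adds a VHID and its own
    # advertisement stream, so it can change master independently.
    seen = set()
    for v in carp.values():
        net = ip_interface(f"{v['subnet']}/{v['subnet_bits']}").network
        key = (v.get("interface"), net)
        if key in seen:
            findings.append(("extra-carp-in-subnet", v["subnet"]))
        seen.add(key)
    return findings


if __name__ == "__main__":
    for kind, addr in audit_vips(SAMPLE):
        print(kind, addr)
```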