Is some level of HA possible with two different public IP addresses
-
Hi all,
Here is a summary of the setup I am trying to leverage:
As illustrated, my ISP can provide two public IPv4 addresses in different subnets if it is configured in bridge mode and I attach two different devices downstream configured as DHCP clients.
Based on the two public IP addresses I get on each pfSense, I was wondering what level of HA I could pretend to achieve.
My main point is to have a CARP gateway for the clients on the green LAN so that, whenever I have to do maintenance, I can take pfsense1 down and clients can connect to the internet through pfsense2. When I refer to 'level of HA', I mean that having a glitch in the connectivity is not as critical given the fact it is a home environment. 'Short glitch then connectivity' is >>>>> 'no connectivity'.
In technical terms:
- DHCP Server function needs redundancy on the LAN side
- NAT translations do not need to be sync'ed and technically could not be, given the configuration
Then I started thinking about how to leverage the public IP B assigned to pfSense2 for servers in a DMZ-like segment, mainly setting up a reverse proxy with LetsEncrypt on that public IP B.
With all the magic of synchronization (as I do not fully understand how it works), I am not sure whether I can even have the DMZ interface existing only on pfSense2, as shown below:
Since the synchronization has multiple options, I am not entirely sure whether it is just a matter of selecting a subset of them. My experience has always been with fully redundant setups, with CARP upstream and downstream of the firewalls and full synchronization.
My questions:
- Is it correct to say that if I do not have a symmetrical configuration, I can just uncheck the box in the sync options to get the rest working?
- Could the secondary firewall act as a secondary for the LAN and just a standard gateway for the DMZ? (I know it should from a routing perspective; however, with the layer of sync, I am not fully clear on the restrictions.)
Thanks.
-
HA is completely incompatible with dynamic addressing such as DHCP.
If it is worth setting up HA, it is worth doing right.
You want a /29 from the provider.
-
I understand you may have a lot of support questions but would you mind answering my actual questions at the bottom if possible?