Configure an PPPoE on an CARP IF

  • Hello,

    I've read that since version 2.4.3 there is the possibility to configure PPPoE on an CARP Interface (VIP), so it will only be active on the master node.

    How is the procedure for this? I tried it, but could not get an successful login with PPPoE if I assign the PPPoE to an CARP VIP.

    From my provider I have to use vlan 7, so I assigned the vlan-IF to my WAN IF and I configured an ipv4 IP to this IF. Afterwards I configured an CARP-VIP for this IF. This CARP-VIP I did assign to the PPPoE configuration.

    With "ifconfig" on the shell, I see both ipv4 IPs I configures (from IF and the CARP-VIP) and an "empty" pppoe-IF. (So no "login" is done via pppoe)

    What is the thing, I am doing wrong?

    Thx, for your help!

  • I have exactly the same question. (I am assuming the facility is still available on pfsense 2.4.4).

    I can find the reference to the facility added at 2.4.3 (, however, I can't find any explanation on how to use this facility.

    In my situation I have a redundant (dual diverse path) main Internet connection that is supposed to be 100% reliable, however, we also have a PPPoE ADSL 'backup' (with a single static address) that I would like connect directly to the pfsense HA pair.

    From the references that I have found to this change in pfsense 2.4.3 it looks to be exactly what I need. However, I have not found any information on exactly how to make it work.

    Does anyone know how to configure a PPPoE link on a HA pair so that only the master is active?

    Thanks in advance,

  • Hi,

    I've found out by now, it's actually quite simple.

    First, you add an Carp Interface for your DSL COnnection. (on each machine of you HA pair) Configure this CARP IF on the correct VLAN, you need for this.

    Add an CARP IP address.

    Go to "Interfaces / Interface Assignments" --> PPPs.
    Add the PPP Connection and choose the Carp IP as "Link Interface(s)".

    This is working for me :)

    Hope it helped!

  • Thanks Beerman,

    That sounds remarkably straight forward - I will prototype it and see what happens.

    Thanks again,

  • OK,

    This procedure does work, although there are a few tricky bits. So here is a slightly more detailed explanation of what Beerman provided (I hope that I did this correctly). I tested this on the 2.4.4-p1 release of pfsense in a lab environment, the switch to production is a few days away:

    1. Add an Interface that will connect to the ADSL modem. This is either a direct NIC, or possibly a VLAN. I called my Interface 'ADSLMODEM' (very original..). You need to allocate a static IP address to this interface on both of the HA pair (otherwise you can't add a CARP IP). As far as I can see these static IPs don't figure in any way in the PPPoE, so you just use a subnet that you are not using anywhere else. (In my test I used and .3)
    2. Add the CARP IP to the ADSL modem interface. Give this an appropriate IP address, use all the normal CARP settings. (My test was
    3. At this stage I checked that the CARP status showed the interfaces as Master on the Master, and Backup on the Backup of the HA pair. So far, so good. If not, check your cabling, switches, look for typographic errors etc.
    4. Use Interfaces/Assignments/PPPs and add a PPPoE device. This is the important part: you need to select the CARP IP address ( as the 'Link Interface'. The IP address will just be in the drop down list.
    5. Now on Interfaces/Assignments you can add an interface using the the PPPoE that you have defined. You will find a an entry called 'PPPoE(<somejunkhere>)' in the list of possible 'Network Ports', this is the 'port' to use. After you click '+Add' and 'Save' you click on the 'OPT??' link to edit the new interface - I renamed mine from 'OPT??' to 'ADSL'. Check that the 'IPv4 Configuration Type' is 'PPPoE' - for some reason when I did this step the field was occasionally something else - make sure you select PPPoE and then all the details (login+password) will appear correctly in the interface parameters down the screen. Make sure that you also enable the interface.

    At this point it should all be working. I checked a number of things about the configuration at this point:
    a) In Status/System Logs/PPP on the master firewall there was logging showing the PPPoE trying to establish.
    b) In Status/System Logs/PPP on the backup firewall the logging showed that PPPoE was configured, but nothing was logged about attempting to establish a connection.

    Now I connected my ADSL Modem to the appropriate NIC/VLAN and the master firewall immediately established the PPPoE link.

    At this point I disabled CARP on the master firewall and the HA pair switched over, and what was the backup brought the PPPoE link up, the disabled master logs showed PPPoE as inactive. Enable CARP on the master firewall and the PPPoE link switched back.

    As a final test I added appropriate firewall rules to the 'ADSL' filter and checked some inbound connections using the ADSL circuit. As far as I could see everything worked as expected.

    Thanks again to Beerman for the all important and key information on how to do this.


  • This works.
    I just converted a pppoe interface to this just by reassigning the link to the carp ip.
    It is not statefull failover, but in a ppp world is as close as it can get.

  • Hi @TugBoat and @netblues,
    have you tried also the failover to backup CARP node with dynamic PPPOE?

    I've found some strange issues:

      1. main online, backup online => everything is working fine, just main has PPPOE active
      1. main goes offline => PPPOE is correctly connected on backup
      1. main back online => PPPOE it's trying to connect on main, but it's not disconnected on backup (so main it's unable to connect)
      1. after power off and power on again the backup, main connects but backup still tries to connect

    Now I have main connected and backup that still tries to connect, but I don't know how to revert back to initial situation...

    EDIT: Found the issue in case it could be useful for someone else, on backup node the PPOE was still pointing to the local interface and not to the CARP IP Address

  • Hi, sorry to dig this up but it's the best (only?) documentation regarding CARP and PPPoE. I followed the hints of this thread and got a working setup. Everything including multiple VLANs, VLANs routed over vpn work just fine. But...

    Every once in a while (every few hours) I get timeouts accessing the internet from the LAN. It's about 5-10 seconds. I checked and the master doesn't switch, the pppoe interface doesn't reconnect. I'm at a loss what's causing it.

    I realized the only thing missing from this thread is outbound NAT. How do you have it configured - as the documentation states to go with manual and set a VIP as the translation address which doesn't seem to apply.

    Thanks !!

  • Outbound nat is set manually to the ppp interface assigned (since this is the one that gets the public ip.)
    This works and is quite stable for a long time now. I doubt its nat.
    Go to status monitoring and see if you have issues with your isp.

  • That's how I setup outbound NAT thank you for confirming it's the correct way.

    @netblues said in Configure an PPPoE on an CARP IF:

    Go to status monitoring and see if you have issues with your isp.

    Yes, that's what I checked and nothing. Everything started the day I enabled ha/carp so it's quite a coincidence if it's something else.

  • LAYER 8 Moderator

    @icesense1701 said in Configure an PPPoE on an CARP IF:

    Yes, that's what I checked and nothing. Everything started the day I enabled ha/carp so it's quite a coincidence if it's something else.

    Also check for anything other gateway related or if you are using DNS resolver or forwarder, perhaps check the DNS logs, if it isn't the connection you are loosing but DNS being restarted/hanging up.

  • Also check in system/advanced/networking, uncheck reset all states, just in case.

  • Just to follow up I seem to have fixed it with brute force. I rebooted the pfsense vms once more and all the switches. Also some vlan's didn't have the proper dhcp settings (failover ip) - shouldn't matter because the timeouts were on properly setup vlans but I fixed those too. I didn't experience any more issues for the past two days. Thanks all !

Log in to reply