Netgate Discussion Forum

    Pfsense HA Setup recommendation with Multiple Public IP Subnets

    hkjarral:

      Hello all,

      I am a new user to pfSense. I have deployed and tested it in my environment and it works well. I have used it in inline (bridge) mode with Snort. Now I am thinking of going to a full-blown pfSense setup.

      Currently internal servers get public IP directly via switches and pfsense is only doing inspection and blocking in bridge mode.

      What I want is to move all my public IPs onto pfSense and use 1:1 NAT. At the same time I do want to deploy an HA setup as well by adding another pfSense box.

      I have done some initial reading. While the process seems easy with 2 different ISPs and 2 public subnets, in my case I have 5 different subnets from the same ISP. Now, from what I have understood, in order to set it up I will need as many as 8 NICs to get it working, since each CARP IP I define has to have its own WAN interface.

      Would it be possible if I define multiple Virtual IPs for WAN on the same WAN interface? Or what would be the best way to use the existing NICs with that many subnets?

      [Attachment: Network Diagram.jpg]

      Derelict (Netgate):

        I would ask the upstream ISP to keep one of those on the interface and route the rest of them to you on the CARP VIP address.

        To them, it should be changing something like this:

        interface GigabitEthernet0
         ip address 1.1.1.1 255.255.255.224
         ip address 2.2.2.1 255.255.255.224 secondary
         ip address 3.3.3.1 255.255.255.224 secondary
         ip address 4.4.4.1 255.255.255.248 secondary
         ip address 5.5.5.1 255.255.255.248 secondary
        

        To this:

        interface GigabitEthernet0
         ip address 1.1.1.1 255.255.255.224
        !
        ip route 2.2.2.0 255.255.255.224 1.1.1.2
        ip route 3.3.3.0 255.255.255.224 1.1.1.2
        ip route 4.4.4.0 255.255.255.248 1.1.1.2
        ip route 5.5.5.0 255.255.255.248 1.1.1.2
        

        In that example you would make 1.1.1.2 the CARP VIP.

        I used the first /27 network as the interface network just because it was first. I would ask them to use one of the /29s there instead to give you the most flexibility with the most addresses.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        hkjarral:

          Thank you for the direction. I will look into it. What about Gateway groups in this case? Would I need to add those still?

          Derelict (Netgate):

            No. Your default gateway in that example would be 1.1.1.1.

            You could even put those other subnets on inside interfaces if you wanted, or route them to inside web servers for VirtualHosts, or whatever, and not 1:1 NAT at all.


            hkjarral:
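            Added example (not from the thread, and not pfSense or Netgate code): a small Python check of the routed design Derelict describes. It uses constructed placeholder addresses, with a /29 as the ISP-facing transit network as he suggests (.1 the ISP router, .2 the CARP VIP, .3 and .4 the two nodes' own WAN addresses), verifies that everything fits and nothing overlaps, and prints the ISP-side route lines that point the other blocks at the VIP.

```python
import ipaddress

# Constructed values mirroring the thread: a /29 as the transit network,
# .1 the ISP router (pfSense's default gateway), .2 the CARP VIP, and the two
# pfSense nodes' own WAN addresses. The remaining blocks are routed to the VIP.
TRANSIT = "4.4.4.0/29"
ISP_GATEWAY = "4.4.4.1"
CARP_VIP = "4.4.4.2"
NODE_ADDRESSES = ["4.4.4.3", "4.4.4.4"]
ROUTED = ["1.1.1.0/27", "2.2.2.0/27", "3.3.3.0/27", "5.5.5.0/29"]


def plan_routes(transit, gateway, vip, nodes, routed):
    """Validate the design and return (isp_route_lines, problems).

    The route lines are what the ISP would add, with the CARP VIP as next hop;
    the plan is only usable when ``problems`` is empty.
    """
    problems = []
    net = ipaddress.ip_network(transit, strict=True)
    hosts = set(net.hosts())
    # Gateway, VIP and each node need a usable host address on the transit link.
    needed = [("gateway", gateway), ("vip", vip)] + [("node", n) for n in nodes]
    for label, addr in needed:
        if ipaddress.ip_address(addr) not in hosts:
            problems.append(f"{label} {addr} is not a usable host in {transit}")
    subnets = [ipaddress.ip_network(s, strict=True) for s in routed]
    # Routed blocks must not overlap the transit link or one another.
    for i, a in enumerate(subnets):
        if a.overlaps(net):
            problems.append(f"{a} overlaps transit {net}")
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    routes = [f"ip route {s.network_address} {s.netmask} {vip}" for s in subnets]
    return routes, problems


def smallest_transit_prefix(node_count):
    """Smallest IPv4 prefix length whose host range holds gateway, VIP and nodes."""
    total = 2 + node_count + 2  # gateway + VIP + nodes, plus network/broadcast
    return 32 - (total - 1).bit_length()


if __name__ == "__main__":
    routes, problems = plan_routes(TRANSIT, ISP_GATEWAY, CARP_VIP, NODE_ADDRESSES, ROUTED)
    print("\n".join(problems or routes))
    print(f"a two-node cluster fits in a /{smallest_transit_prefix(2)} transit network")
```

The prefix helper shows why a /29 is enough for the transit link: a two-node cluster consumes only four addresses there, so the larger /27s stay free for hosts behind the firewall.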

              Thank you, that's very helpful. I will work with my ISP and see how it turns out. Great support as always :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.