Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Virtual IPs for compatibility with ISP

    HA/CARP/VIPs
    3
    4
    615
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cwdolphin
      last edited by

      Hi folks,

      I'm doing a new line setup for a company that has a dual pfsense system currently set up with a /29 WAN using CARP. Each router has one IP and then there is a CARP VIP which traffic is routed over. This allows the routers and NAT devices to access the Internet.

      In comes a new provider. They won't provide a direct /29. Instead they provide a /30 and the /29 is routed via the /30. That blows my CARP setup out of the water as there is only one WAN address now.

      I don't know much about the other virtual IP types past the manual and being a live system I don't have a chance to experiment. My question is - is there a way I can add the /30 onto the pfsense routers as a virtual IP and then route the /29 over that virtual IP?

      I'm trying to avoid the single point of failure of sticking another device in between the routers and the bearer.

      1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance
        last edited by

        I think you'd still need three addresses if you wanted both nodes to connect to the Internet for things like updates. See "IP Address Requirements for CARP" on page https://www.netgate.com/docs/pfsense/book/highavailability/index.html.

        If the ISP provides NAT also you can sometimes work with that. I have set up a Comcast setup where the the two routers have a private IP and the shared CARP IP is the WAN IP. But both private IPs can connect out because Comcast's modem/router by default also provides NAT to their 10.1.10.x subnet.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Tell the ISP you need to run VRRP so you need a /29 on the interface and the other /29 routed to that. They should understand. If not maybe it's not a good fit for you.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • C
            cwdolphin
            last edited by

            This is a UK ISP. They will not put /29 static routes on their edge equipment. That is not an option and I am aware that CARP will not work in this situation hence my question is asking about the alternative virtual IP setups.

            What interested me is the IP Alias alternative to CARP listed on this page: https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html

            It says it can be used by the firewall to bind/run services and it can be on a different subnet to the real interface IP.

            So to explain a bit better, I was wanting to leave the /29 and CARP set up as they are. Then I wanted to add an IP Alias with the /30 on it and the ISP default gateway. The /29 default gateway will be the /30 therefore routing all traffic correctly. As far as I can tell, this should work but I don't have the capability to test and I was hoping someone who knew pfsense better than I would be able to confirm if there are any problems with doing this before I go and break everything on a live circuit...

            Thanks,
            Colin.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.