Netgate Discussion Forum

Virtual IPs for compatibility with ISP

HA/CARP/VIPs
4 Posts 3 Posters 671 Views
cwdolphin
last edited by Jan 15, 2019, 8:59 AM

    Hi folks,

    I'm doing a new line setup for a company that has a dual pfsense system currently set up with a /29 WAN using CARP. Each router has one IP and then there is a CARP VIP which traffic is routed over. This allows the routers and NAT devices to access the Internet.

    In comes a new provider. They won't provide a direct /29. Instead they provide a /30 and the /29 is routed via the /30. That blows my CARP setup out of the water as there is only one WAN address now.

    I don't know much about the other virtual IP types past the manual and being a live system I don't have a chance to experiment. My question is - is there a way I can add the /30 onto the pfsense routers as a virtual IP and then route the /29 over that virtual IP?

    I'm trying to avoid the single point of failure of sticking another device in between the routers and the bearer.

SteveITS Galactic Empire
last edited by Jan 15, 2019, 5:55 PM

      I think you'd still need three addresses if you wanted both nodes to connect to the Internet for things like updates. See "IP Address Requirements for CARP" on page https://www.netgate.com/docs/pfsense/book/highavailability/index.html.

      If the ISP provides NAT also you can sometimes work with that. I have set up a Comcast setup where the two routers have a private IP and the shared CARP IP is the WAN IP. But both private IPs can connect out because Comcast's modem/router by default also provides NAT to their 10.1.10.x subnet.


Derelict LAYER 8 Netgate
last edited by Jan 15, 2019, 10:45 PM
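The "IP Address Requirements for CARP" point in the reply above (one unique address per node, one shared VIP, plus the ISP gateway in the same subnet) is the arithmetic that decides whether the original poster's /30 handoff can carry CARP at all. The following is an added example, not code from the thread or from pfSense: it checks a WAN prefix against that requirement with the standard library and lays out a conventional address plan when the prefix fits. The prefixes used are constructed documentation addresses; the gateway-first / VIP-last layout is an assumed convention, not something the thread specifies.

```python
import ipaddress
from typing import Optional


def usable_hosts(prefix: str) -> int:
    """Assignable host addresses in a prefix.
    /31 (RFC 3021) and /32 have no network/broadcast address to subtract."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def carp_requirement(prefix: str, nodes: int = 2, gateway_in_subnet: bool = True) -> dict:
    """Compare a WAN subnet against the CARP address requirement:
    one real address per node, one shared CARP VIP, and normally the
    ISP gateway living in the same subnet. Returns the arithmetic only."""
    needed = nodes + 1 + (1 if gateway_in_subnet else 0)
    available = usable_hosts(prefix)
    return {
        "prefix": prefix,
        "needed": needed,
        "available": available,
        "fits": available >= needed,
        "spare": available - needed,
    }


def allocate(prefix: str, nodes: int = 2) -> Optional[dict]:
    """Lay out gateway, per-node addresses and CARP VIP for a subnet that fits.
    Assumed convention: gateway = first usable, VIP = last usable.
    Returns None when the subnet cannot hold a CARP cluster."""
    if not carp_requirement(prefix, nodes)["fits"]:
        return None
    hosts = list(ipaddress.ip_network(prefix, strict=False).hosts())
    return {
        "gateway": str(hosts[0]),
        "nodes": [str(h) for h in hosts[1:1 + nodes]],
        "carp_vip": str(hosts[-1]),
    }


if __name__ == "__main__":
    # Constructed example: the ISP handoff /30 versus a directly attached /29.
    for p in ("203.0.113.0/30", "203.0.113.8/29"):
        print(carp_requirement(p), allocate(p))
```

A /30 leaves two usable addresses, one of which is the ISP gateway, so the second node has no address of its own; the routed /29 only helps if CARP does not need a gateway inside it.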

        Tell the ISP you need to run VRRP so you need a /29 on the interface and the other /29 routed to that. They should understand. If not maybe it's not a good fit for you.


cwdolphin
last edited by Jan 16, 2019, 8:49 AM

          This is a UK ISP. They will not put /29 static routes on their edge equipment. That is not an option and I am aware that CARP will not work in this situation hence my question is asking about the alternative virtual IP setups.

          What interested me is the IP Alias alternative to CARP listed on this page: https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html

          It says it can be used by the firewall to bind/run services and it can be on a different subnet to the real interface IP.

          So to explain a bit better, I was wanting to leave the /29 and CARP set up as they are. Then I wanted to add an IP Alias with the /30 on it and the ISP default gateway. The /29 default gateway will be the /30 therefore routing all traffic correctly. As far as I can tell, this should work but I don't have the capability to test and I was hoping someone who knew pfsense better than I would be able to confirm if there are any problems with doing this before I go and break everything on a live circuit...

          Thanks,
          Colin.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.