Transparent Filtering Bridge + CARP/pfsync for HA?

  • I have been running pfsense 2.3.4 as a Transparent Filtering Bridge with my /24 range of public IPs for a number of years now. The hardware I was using died so now it's time for an upgrade.

    I am considering running 2 identical pieces of hardware and I have read about CARP/pfsync for HA setups. All the documentation I find seems to refer to using different subnets in private ranges, which I do not have the option to do. All of the servers behind the firewall have static public IP addresses (no DHCP and no NAT), all in the same subnet. I have a separate backend network connected to each server using static private IPs with no internet access (no gateway, no router, no DHCP). I also had a 3rd interface set up in pfsense with a backend IP for management GUI access only.

    Is it possible to run 2 Transparent Filtering Bridge setups in an HA (failover) configuration (via CARP/pfsync) in a single subnet?

    Each machine would have a dedicated NIC for WAN, a NIC for LAN, a NIC for the private backend (management), and a NIC for pfsync (4 NICs per machine).

    Is this feasible and if so is it a reliable setup? I don't want to spend any more time on it if it isn't.


  • LAYER 8 Netgate

    It is possible but you must use things like Spanning Tree to prevent loops. HA + Bridging is not a recommended configuration.

    Much better is to have your ISP issue you a small WAN interface network (/29) and route the subnet to that.

    Then you can put the public subnet on an inside interface, eliminate all bridging and NAT, and your network will just make money while you sip margaritas by the pool.

