HA Setup with 1 WAN IP and port forward to FTP Server [SOLVED]



  • Hello to everyone,

    I have managed to set up CARP on the Sync interface and also on 2 LAN networks with Virtual IPs and DHCP service etc.

    My issue is on the WAN side: I have an FTP Server on a single public IP, port forwarded to one of my LANs, with the 2nd LAN isolated and safe from outside. (Not VLAN, 2 different physical interfaces going to 2 different switches), and all the clients know this single public IP.

    Is it possible to make an HA setup using 2 pfSense boxes on a single WAN IP? I have a /29 from my ISP, but this seems not to help. One test I already made is setting the WAN IP on both pfSense boxes, but there is a conflict between them because both boxes are trying to get the same public IP, causing the gateway to not respond on the master, even if the backup box is in backup mode. I can't set the second public IP from my ISP on WAN, because of the FTP Server already running with several clients sending to the known public IP as of today.

    If there is no high availability solution for a single WAN IP, then there is no need for me to set up high availability, and the best thing to do is to have a second pfSense box available with imported settings from the main unit. And if something happens I will do the changeover manually.

    What are your recommendations? Is there anything else I can do? Is there any way to do HA from a single WAN IP?
    Thank you.



  • Don't take it as a recommendation, however, it should be possible to assign private IP addresses to both WANs within the same subnet. To do so, you will have to remove the WAN gateway first. After assigning the CARP VIP you can add the gateway again.

    Consequently the backup box will have no internet connection, because the WAN VIP is occupied by the master. To get internet access on the second box you can do a workaround with a gateway group, where you include the WAN gateway and the LAN IP of the master and use it as default gateway.



  • Hello @viragomann,
    let's try something more specific; I'm willing to do the test because I have 2 identical hardware units for this test.

    My WAN is 90.132.218.33 (gateway).
    It is a /29, so I can get public IPs from 34 to 38 according to my ISP documentation.
    The FTP Server is set up on the 35, so all the clients are configured for 90.132.218.35.

    As I understand from your explanation, I have to remove the gateway and set the WAN interfaces to private IPs, for example 192.168.10.2 and 3, with the Virtual IP Address being 90.132.218.35. Then add the gateway 90.132.218.33 back together with the private IP?? Usually this gives the error "address not in the same range".

    Thanks for feedback.



  • First you have to add the CARP VIP to WAN with the correct subnet mask (/29), then you should be able to add the WAN gateway in System > Routing > Gateways and set it as default.



  • No success.

    1. Any IP outside the ISP range: not working.
    2. Any virtual IP in the ISP range conflicts with the real gateway.


  • @viragomann said in HA Setup with 1 WAN IP and port forward to FTP Server:

    Don't take it as a recommendation, however, it should be possible to assign private IP addresses to both WANs within the same subnet. To do so, you will have to remove the WAN gateway first. After assigning the CARP VIP you can add the gateway again.

    Consequently the backup box will have no internet connection, because the WAN VIP is occupied by the master. To get internet access on the second box you can do a workaround with a gateway group, where you include the WAN gateway and the LAN IP of the master and use it as default gateway.

    I have tried a lot of things. My outcome is that we need at least 3 real IPs on the WAN interface to make a high availability cluster, so this means at least a /29 network from the ISP.
    The IP we need as the main WAN IP must be the virtual one; the firewalls must have 2 different IPs in the same range. All the rules have to be done using the CARP virtual WAN IP.

    I followed mostly this tutorial: https://www.youtube.com/watch?v=-1Og5ogkyZY&t=474s

    Thanks anyway for the help.
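As an added illustration (not code from any poster or from pfSense), the address plan that the thread converges on can be checked before touching the boxes. The block below takes the ISP block, the gateway, the two node addresses and the CARP VIP, and reports the two failure modes described above: addresses outside the ISP range (the "address not in the same range" error) and nodes sharing an address with each other, the VIP or the gateway. The /29 and the addresses used are the ones quoted in the thread; the assignment of .34 and .36 to the nodes is an assumption.

```python
import ipaddress

# Addresses a pfSense CARP pair needs on WAN, besides the ISP gateway:
# one real address per node plus the shared CARP VIP that clients use.
REQUIRED_FIREWALL_ADDRESSES = 3


def plan_carp_wan(isp_prefix, gateway, primary, backup, vip):
    """Return a list of problems with a CARP WAN address plan (empty = OK).

    isp_prefix is the ISP-assigned block, e.g. "90.132.218.32/29" (assumed
    from the addresses quoted in the thread). Every address must sit inside
    that block, must not be the network or broadcast address, and all four
    roles must be distinct so the nodes never fight over one address.
    """
    net = ipaddress.ip_network(isp_prefix, strict=False)
    roles = {"gateway": gateway, "primary": primary, "backup": backup, "vip": vip}
    problems = []

    # A /30 leaves only two usable hosts: the gateway plus one node, no room for HA.
    usable = net.num_addresses - 2
    if usable < REQUIRED_FIREWALL_ADDRESSES + 1:
        problems.append(f"{net} has {usable} usable addresses; need at least "
                        f"{REQUIRED_FIREWALL_ADDRESSES + 1} (gateway + 3 firewall)")

    parsed = {}
    for role, text in roles.items():
        ip = ipaddress.ip_address(text)
        parsed[role] = ip
        if ip not in net:
            # The private-WAN attempt from the thread fails here.
            problems.append(f"{role} {ip} is not inside {net} (address not in the same range)")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{role} {ip} is the network or broadcast address")

    # The "same WAN IP on both boxes" attempt from the thread fails here.
    if len(set(parsed.values())) != len(parsed):
        problems.append("gateway, primary, backup and VIP must all be distinct")
    return problems


if __name__ == "__main__":
    # Working layout: .33 gateway, .34/.36 node addresses, .35 kept as the
    # CARP VIP so FTP clients keep using the address they already know.
    print(plan_carp_wan("90.132.218.32/29", "90.132.218.33",
                        "90.132.218.34", "90.132.218.36", "90.132.218.35"))
```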



  • I've done a CARP cluster with a single public IP; searching will turn up more details. I haven't had any luck getting the backup unit accessible from the Internet without failing over the primary, so it's not a great solution, but it is doable.


  • @dotdash said in HA Setup with 1 WAN IP and port forward to FTP Server:

    I've done a CARP cluster with a single public IP; searching will turn up more details. I haven't had any luck getting the backup unit accessible from the Internet without failing over the primary, so it's not a great solution, but it is doable.

    That is because the only public IP address is the CARP VIP which is only reachable on the node that is currently CARP MASTER.

    This is not a supported configuration.

    If it is worth HA it is worth designing correctly.

    https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html#ip-address-requirements-for-carp



  • Admin, please close this thread.

    Minimum 3 IPs for CARP.

    Thanks everyone for the support.

