pfSense High Availability expand existing firewall with multi wan and multi ip

  • LAYER 8

    I'm trying to help a guy on the Italian forum
    Is it possible to expand this configuration to use pfSense High Availability with CARP? If so, it's not clear how to configure the WAN side, as all the examples / docs and #hangout on the net talk about a single static IP per WAN.
    This is the actual situation:
    There are services that are available only on a specific IP, like the email server and web server.
    As it is now, all IPs are configured as "IP alias" directly on pfSense; both modems are in bridge.
    ISP 1 has 32 public IPs
    ISP 2 has 16 public IPs



  • @kiokoman said in pfSense High Availability expand existing firewall with multi wan and multi ip:

    Is it possible to expand this configuration to use pfSense High Availability with CARP? If so, it's not clear how to configure the WAN side, as all the examples / docs and #hangout on the net talk about a single static IP per WAN.

    There is nothing special with that. If you know how to set up HA, it's simply the combination with Multi-WAN.
    Get a switch (or two to have WAN redundancy) to connect the WANs to both boxes.

    @kiokoman said in pfSense High Availability expand existing firewall with multi wan and multi ip:

    There are services that are available only on a specific IP, like the email server and web server.
    As it is now, all IPs are configured as "IP alias" directly on pfSense

    It's the same with HA, apart from the IP aliases hooking up on the WAN VIPs instead of the WAN address.

    The Outbound NAT for local networks (not the firewall itself) has to be reconfigured to use the WAN VIPs or whatever IP alias you want.

  • LAYER 8

    What I don't understand is... do we need one CARP address for each public IP? Because I don't understand how I can NAT 40+ public IPs if I have only one CARP address.


  • @kiokoman said in pfSense High Availability expand existing firewall with multi wan and multi ip:

    What I don't understand is... do we need one CARP address for each public IP?

    Maybe you've read that in a very old tutorial.

    Today both master and slave should have a public IP, and a third IP is needed as CARP. The CARP address can be used for services on or behind pfSense.
    All other public IPs you can add as IP alias as you did in the single installation, hooking up on the WAN CARP IPs (WAN1, WAN2) instead of the WAN IPs.

  • LAYER 8

    Thank you very much, it's more clear now 👍