PFSense HA question about public IPs
-
I have got two questions about running pfSense (virtual) in HA mode.
Among other links I checked out this one:
https://m.youtube.com/watch?v=-1Og5ogkyZY
I have got two locations with different setups. I would like to have pfSense with two HA nodes at both. The locations have nothing to do with each other; I just want to set up HA at both locations.
My questions are about the public IP's.
- Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.
- Location two has got one WAN IP, but I have a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All of those IP addresses are used as well.
-
-
@operations said in PFSense HA question about public IPs:
I have got two questions about running pfSense (virtual) in HA mode.
Among other links I checked out this one:
https://m.youtube.com/watch?v=-1Og5ogkyZY
I have got two locations with different setups. I would like to have pfSense with two HA nodes at both. The locations have nothing to do with each other; I just want to set up HA at both locations.
My questions are about the public IP's.
- Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.
No, the CARP address can and should be used for the port forwards, outbound NAT, etc. The interface addresses can be used, but it is of limited utility. For instance, it is common to open a rule to the webGUI on both WAN interface addresses so you can fail over and maintain solid contact with both nodes.
- Location two has got one WAN IP, but I have a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All of those IP addresses are used as well.
That is less clear. Which node is the GRE tunnel active on? The main problem is the backup node (usually the secondary node) needs internet access all the time for updates, DNS resolution, etc.
If the GRE is on a router in front of the HA pair it could work. If it is active on the primary node or something like that, probably not.
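The addressing split described in the answer above, as an added example that is not part of the thread or the pfSense project. It assumes a constructed 203.0.113.152/29 documentation block in place of the poster's block, the pfSense default advskew values (0 on the primary, 100 on the synced secondary), and models the leftover addresses as IP Alias VIPs parented on the CARP VIP; the `plan_carp` and `address_role` helper names are assumptions made here.

```python
"""Lay out HA addressing for a pfSense pair on a small public block.

Added example, not code from the forum thread or the pfSense project. It
assumes a constructed /29 in documentation space (203.0.113.152/29) standing
in for the poster's block. Each node keeps its own interface address (useful
for a webGUI rule that still works after failover); one further address is
the shared CARP VIP that follows the MASTER node and should carry the port
forwards and outbound NAT. Remaining addresses are modelled as IP Alias VIPs
riding on the CARP VIP so they fail over together.
"""
import ipaddress
from typing import Dict, List

# pfSense defaults: advskew 0 on the primary, +100 on the synced secondary
PRIMARY_SKEW = 0
SECONDARY_SKEW = 100


def usable_hosts(cidr: str) -> List[str]:
    """Host addresses in the block, excluding network and broadcast addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def address_role(cidr: str, addr: str) -> str:
    """Classify one address relative to the block (the .152/29 edge case)."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside block"
    if ip == net.network_address:
        return "network (not usable)"
    if ip == net.broadcast_address:
        return "broadcast (not usable)"
    return "usable host"


def plan_carp(cidr: str, vhid: int = 1) -> Dict:
    """Assign interface addresses, the CARP VIP and alias VIPs from one block.

    Raises ValueError when the block cannot hold two interface addresses plus
    one CARP VIP, the minimum for an HA pair on that interface.
    """
    hosts = usable_hosts(cidr)
    if len(hosts) < 3:
        raise ValueError(f"{cidr}: only {len(hosts)} usable hosts, HA needs at least 3")
    primary_if, secondary_if, carp_vip = hosts[0], hosts[1], hosts[2]
    vips = [{"type": "CARP", "address": carp_vip, "vhid": vhid,
             "skew_primary": PRIMARY_SKEW, "skew_secondary": SECONDARY_SKEW}]
    # Hypothetical layout: extra addresses become IP Alias VIPs whose
    # interface is the CARP VIP, so they move with it on failover.
    vips += [{"type": "IP Alias", "address": a, "parent": carp_vip} for a in hosts[3:]]
    return {
        "primary_if": primary_if,      # reach node 1 directly (webGUI rule)
        "secondary_if": secondary_if,  # reach node 2 directly
        "vips": vips,
        # only these addresses belong in port forwards / outbound NAT
        "nat_addresses": [v["address"] for v in vips],
    }


if __name__ == "__main__":
    block = "203.0.113.152/29"  # constructed stand-in for the poster's block
    for a in ("203.0.113.152", "203.0.113.153", "203.0.113.159"):
        print(a, "->", address_role(block, a))
    plan = plan_carp(block)
    print("node interfaces:", plan["primary_if"], plan["secondary_if"])
    for v in plan["vips"]:
        print(v)
```

Running it flags .152 and .159 as the network and broadcast addresses, so a /29 yields six usable addresses rather than seven: three go to the pair (two interface addresses, one CARP VIP) and the remaining three can still carry NAT rules as alias VIPs that follow the CARP VIP.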
-
@derelict said in PFSense HA question about public IPs:
@operations said in PFSense HA question about public IPs:
I have got two questions about running pfSense (virtual) in HA mode.
Among other links I checked out this one:
https://m.youtube.com/watch?v=-1Og5ogkyZY
I have got two locations with different setups. I would like to have pfSense with two HA nodes at both. The locations have nothing to do with each other; I just want to set up HA at both locations.
My questions are about the public IP's.
- Location one has got a fiber connection with a /29 IP block. Do the public IPs needed for HA need to be unused? I use all the public IPs (NAT rules), so I don't have unused public IP addresses.
No, the CARP address can and should be used for the port forwards, outbound NAT, etc. The interface addresses can be used, but it is of limited utility. For instance, it is common to open a rule to the webGUI on both WAN interface addresses so you can fail over and maintain solid contact with both nodes.
- Location two has got one WAN IP, but I have a GRE tunnel which gives me a /29 IP block. Can I use the IPs I got from the GRE tunnel for HA? All of those IP addresses are used as well.
That is less clear. Which node is the GRE tunnel active on? The main problem is the backup node (usually the secondary node) needs internet access all the time for updates, DNS resolution, etc.
If the GRE is on a router in front of the HA pair it could work. If it is active on the primary node or something like that, probably not.
What is the difference between CARP and interface addresses?
Looking at this situation, I have got .153 till .159. I should just follow the HowTo video and pick 3 numbers between 153 and 159? :)
At the other location, no, there is no router in front of pfSense. The current single installation/node handles the GRE tunnel. So this is most likely not possible, right?
-
-
Thanks again.
I read a bit more and I am wondering if it is possible at the location at all...
I will tell you why: it is a fiber 500/50 connection. It is set up via a PPPoE (DHCP) connection, which gives me one public IP. I have also set up an extra interface with a static IP (.153) and added 5 virtual IPs (.154 till .159). I have got a 0.0.0.152/29 subnet.
I have tested trying to run the PPPoE connection twice; this doesn't work.
Am I right to assume that it is not possible then?
-
@operations HA on dynamic WANs (DHCP, PPPoE) is generally unsupported.