
    CARP with /31 and /29 WAN Address Blocks

    Category: HA/CARP/VIPs
    14 Posts, 4 Posters, 2.7k Views
    • Derelict (LAYER 8, Netgate) @Mitchell 0

      @mitchell-0 Tell your ISP you need three /29s. One for each WAN and one routed so you can run High Availability routers.

      They should understand (though they might charge a little more).

      /31s are great when they are sufficient. In your case they are not.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Derelict (LAYER 8, Netgate) @Mitchell 0

        @mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:

        Are there likely to be any problems associated with using addresses within the /29 blocks against the secondary WAN interfaces and for CARP VIPs?

        Yes. The /29s will be routed to the /31 addresses on the other node.


        • Mitchell 0 @Derelict

          @derelict Thanks, I'll look at contacting them today and explain the situation. We also have another site with the same configuration (same ISP), so I suppose it will ultimately depend on whether they are willing to hand out that many addresses between 4 connections in total.

          I know from previously we did have to fill out the required RIPE forms just to get the additional /29 blocks at the side of the /31 and going for anything larger had to be justified. I suppose it is understandable given the state of IPv4 addresses.

          I wasn't sure if we could use a workaround in the event they cannot offer up the additional address blocks, although I suspect this would likely require a router or Layer 3 switch to sit behind both firewalls and using NAT with private addressing on the WAN interfaces. Not something I'm a fan of doing as it just adds a whole other area of complexity.

          • Derelict (LAYER 8, Netgate) @Mitchell 0

            @mitchell-0 High Availability on the interfaces should be enough justification for /29s on the interfaces.


            • Mitchell 0 @Derelict

              @derelict I have sent our requirements to our ISP and they seem happy to have a look at this for us.

              Many thanks.

              • misterto @Mitchell 0

                @mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:

                t our requirements to our ISP and they seem happy to have a look at this for us.
                Many thanks.

                I guess you have Top of Rack switches? Right?
                Does your ISP use BGP? If yes, I guess the /31s are 198.something. In that case, they are used for the ISP BGP AS connection. Then you could do VRRP or HSRP with your /29 and add this /29 to the network addressed to your ISP.

                The idea is that the pfSenses at the end don't know your /31. The /31s are just used for BGP sessions.

                Your ToR needs to be an L3 ToR, of course.

                I could give you more info if you need.

                • Mitchell 0 @misterto

                  @misterto We do have two Layer 3 Top of Rack switches that act as our collapsed core. These are Dell S4128F models configured with VLT and peer-routing for our internal VLANs. We aren't using any dynamic routing protocols at the moment, just static routes present on pfSense for the VLAN subnets on the switches.

                  The /31s are 185. addresses.

                  I have been caught up with other projects recently so just waiting to hear back from our ISP. We have requested the /31 subnets on each WAN connection be changed to /29s and we will keep the existing routed /29 blocks that they have supplied us.

                  Many thanks.

                  • Mitchell 0

                    Hi all,

                    Bumping this thread as we have finally gotten the IP subnet requirements from our ISP and just wanted to double check before we go ahead with the firewall configurations. Apologies, as this has taken longer than we initially expected due to a lot of back and forth.

                    Our ISP has converted our existing WANs from /31s to /29s and has also retained our existing routed /29 subnets that were already in place, effectively giving us two /29s per physical WAN.

                    As the WAN subnets are in a different IP range from the additional routed /29 subnets, what is the best way to add the additional addresses from the routed subnets to allow these to sync between firewalls without causing an IP conflict?

                    I’ve read about adding these as additional IP Aliases with the interface being the CARP VIP, however I was under the impression that this would only work if the addresses were in the same subnet as the CARP VIP?

                    Each WAN subnet's addressing will cover each firewall's WAN1 and WAN2 interfaces plus shared CARP VIPs for outbound NAT, while the addresses from the additional routed /29 subnets will be used for external services (web servers, VDI access, etc.).

                    Many thanks.

                    • misterto @Mitchell 0

                      @mitchell-0 said in CARP with /31 and /29 WAN Address Blocks:

                      Each WAN subnets addressin

                      Hi.

                      Do you have a schema?

                      • Mitchell 0 @misterto (edited by Mitchell 0)

                        @misterto

                        WAN 1:

                        WAN Subnet: 161.12.60.232/29
                        ISP Gateway: 161.12.60.233
                        Routed Subnet: 161.12.51.32/29
                        Shared CARP VIP: 161.12.60.236

                        WAN 2:

                        WAN Subnet: 161.12.60.240/29
                        ISP Gateway: 161.12.60.241
                        Routed Subnet: 161.12.51.40/29
                        Shared CARP VIP: 161.12.60.244

                        Firewall 1:

                        WAN 1 Interface: 161.12.60.234
                        WAN 2 Interface: 161.12.60.242

                        Firewall 2:

                        WAN 1 Interface: 161.12.60.235
                        WAN 2 Interface: 161.12.60.243

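As an added example that is not part of the thread (not the posters' or Netgate's code), the Python script below encodes the /29 plan posted above and checks the points the discussion turned on: that a /31 cannot hold an ISP gateway, two node addresses and a shared CARP VIP (the reason Derelict asked for /29s), that every address of the new plan sits inside its WAN subnet with no duplicates, that the routed /29s are disjoint from the WAN subnets and from each other, and which addresses each routed /29 leaves free for published services. PLAN is the allocation from the post; LEGACY_WAN (192.0.2.0/31, an RFC 5737 documentation prefix) is a constructed stand-in for the original /31s, whose exact values are not given in the thread, and HA_NODES = 2 is an assumption matching the two-firewall setup described.

```python
"""Sanity checks for a two-node pfSense CARP WAN address plan.

Added example, not code from the thread or from Netgate: PLAN copies the
/29 allocation posted in the thread; LEGACY_WAN is a constructed RFC 5737
documentation prefix standing in for the original /31 WANs, whose exact
values are not given in the thread.
"""
from ipaddress import ip_address, ip_network

HA_NODES = 2  # assumption: primary and secondary firewall

PLAN = {
    "WAN1": {
        "subnet": "161.12.60.232/29",
        "gateway": "161.12.60.233",
        "routed": "161.12.51.32/29",
        "carp_vip": "161.12.60.236",
        "nodes": {"fw1": "161.12.60.234", "fw2": "161.12.60.235"},
    },
    "WAN2": {
        "subnet": "161.12.60.240/29",
        "gateway": "161.12.60.241",
        "routed": "161.12.51.40/29",
        "carp_vip": "161.12.60.244",
        "nodes": {"fw1": "161.12.60.242", "fw2": "161.12.60.243"},
    },
}

LEGACY_WAN = "192.0.2.0/31"  # constructed stand-in for the old /31 WAN links


def usable_hosts(cidr):
    """Host addresses available in a prefix.

    A /31 (RFC 3021) has no network or broadcast address, so both of its
    addresses are usable; anything larger loses two.
    """
    net = ip_network(cidr)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def ha_capacity_ok(cidr, nodes=HA_NODES):
    """A CARP WAN needs the ISP gateway, one address per node and the shared VIP."""
    return usable_hosts(cidr) >= nodes + 2


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    routed_blocks = []
    for wan, cfg in plan.items():
        net = ip_network(cfg["subnet"])
        if not ha_capacity_ok(cfg["subnet"]):
            problems.append(
                f"{wan}: {net} has {usable_hosts(cfg['subnet'])} usable hosts, "
                f"HA needs {HA_NODES + 2}"
            )
        # Gateway, both node addresses and the CARP VIP must sit inside the WAN subnet,
        # and no two of them may share an address.
        members = {"gateway": cfg["gateway"], "carp_vip": cfg["carp_vip"], **cfg["nodes"]}
        seen = {}
        for label, addr in members.items():
            if ip_address(addr) not in net:
                problems.append(f"{wan}: {label} {addr} is outside {net}")
            if addr in seen:
                problems.append(f"{wan}: {label} and {seen[addr]} both use {addr}")
            seen[addr] = label
        # The routed block is a separate prefix; it must not collide with the WAN subnet.
        routed = ip_network(cfg["routed"])
        if routed.overlaps(net):
            problems.append(f"{wan}: routed block {routed} overlaps WAN subnet {net}")
        routed_blocks.append((wan, routed))
    # Routed blocks of different WANs must be disjoint as well.
    for i, (wan_a, block_a) in enumerate(routed_blocks):
        for wan_b, block_b in routed_blocks[i + 1:]:
            if block_a.overlaps(block_b):
                problems.append(f"routed blocks {block_a} ({wan_a}) and {block_b} ({wan_b}) overlap")
    return problems


def service_addresses(plan):
    """Every host address in each routed /29 is free for published services."""
    return {wan: [str(h) for h in ip_network(cfg["routed"]).hosts()] for wan, cfg in plan.items()}


if __name__ == "__main__":
    print(f"{LEGACY_WAN}: {usable_hosts(LEGACY_WAN)} usable hosts, HA ok: {ha_capacity_ok(LEGACY_WAN)}")
    issues = validate_plan(PLAN)
    print("plan problems:", issues or "none")
    for wan, addrs in service_addresses(PLAN).items():
        print(wan, "service addresses:", ", ".join(addrs))
```

Run as a script it reports the /31 as holding only 2 usable hosts against the 4 that HA needs, reports no problems for the posted plan, and lists the six routed addresses per WAN; feeding it an edited plan (a VIP copied from the other WAN, or two members on one address) is a quick way to catch the IP conflicts the last post is worried about before the configuration is applied.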
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.