CARP on WAN with 1 IP /DHCP + static MAC
This is my first post here on an old topic, but I could not find a clear guide, so apologies if this is a repeat.
I am looking to set up two pfSense boxes with HA/CARP, but with one WAN IP.
Both of the pfSense instances run on virtual machines, and sometimes I want to shut down one or the other for updates without internet interruption (especially with working from home). My ISP has 1 IP (/32) on WAN, via DHCP, and looks for a specific MAC address. The lease is long and I have not seen this change for two years.
I read some old posts but it is unclear to me at this stage how to set it up.
Can you provide some guidance?
- What's the best physical connection?
- Folks suggest assigning two static/private IPs to the WAN interfaces on private subnets and then matching the CARP VIP/gateway to the ISP IPs and NATing everything through the CARP IP.
- However, in this case do I need to add an additional router between modem and pfSense to get these IPs + assign DMZ to the CARP? That kind of negates the purpose.
- Or do I only use a dumb switch in between? However, it is not clear to me if the static private IPs would work with the CARP WAN IP in a different subnet. Also my ISP needs to see a specific MAC address. How would this be spoofed?
- It seems DHCP is not possible on this CARP? Is this correct?
Any recommendation is appreciated.
Currently I have the setup as CARPs on the LAN side (+ a few private VLANs), and I can plug the WAN cable manually into the modem when I need to. The system kind of works on the LAN side (i.e. when I shut down one of the servers, the other picks up and the LAN is maintained, so I am not locked out of accessing the servers). I would like to extend this to the WAN side as well.
OK.. I was able to develop a very simple workaround, which works very well for my case. What I do is simply turn UP and DOWN the WAN interface on a LAN CARP event.
Below is what i did for the record:
- ISP: Xfinity, 1 IP only, DHCP looking for a specific MAC to provide leases to
- SW/HW: Two pfSense instances running on two virtual machines with different HW. One runs under Proxmox (Master), other in QNAP NAS Virtual station (Backup)
- Setup: Standard CARP on the LAN + 4 VLANs on the LAN side. WAN does NOT have CARP. Both boxes are configured identically on the WAN side - standard configuration as with a single-box WAN - DHCP client, identical MACs, NO CARP. I have disabled the Gateway Monitoring on both. I also have the XML configuration syncing ON, but do not sync the states, since different HW. I think the state syncing should work if HW is identical as well.
- I use one single 48-port UniFi switch and have both LANs and WAN plugged into it. WAN is a VLAN-only network on 3 ports only (ISP modem + 2 pfSense boxes' WANs). Other ports are "All but WAN" networks.
So I use the CARP events on the LAN interface to turn ON and OFF the WAN interface on both boxes as below.
I added a single line at the end of the "/etc/rc.carpbackup" file to turn the WAN off, "shell_exec('/sbin/ifconfig em0 down 2>&1');", and a single line at the beginning of "/etc/rc.carpmaster" to turn the WAN ON, "shell_exec('/sbin/ifconfig em0 up 2>&1');".
So when the boxes receive a CARP event based on the LAN status, the WAN goes up and down in the respective boxes. So the Master box always has the WAN turned ON and the backup box has the WAN turned off. As far as the ISP provider is concerned, I always have one WAN interface with DHCP and a single IP and the same MAC address talking to them.
I tested it and it worked very well. Master-Backup transitions happened back and forth within 1-2 seconds. I had about two dropped ping packets; my live meetings had a 1 s glitch or so. And I can shut down / upgrade / mess around with any of the systems without interrupting the internet. If I had identical HW perhaps the state sync would work as well (no idea though if a downed WAN interface would interfere with that).
Hope this helps
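As an added example (my own illustration, not the poster's lines above and not pfSense code): a small POSIX shell hook that does the same WAN up/down toggle as the two shell_exec lines, but reacts only to the LAN CARP VHID. That filter matters in a setup like the one described, with CARP VIPs on four LAN VLANs: every VHID transition fires rc.carpmaster/rc.carpbackup, so without it a single VLAN VIP flapping would also pull the WAN down. It assumes pfSense hands those scripts a "vhid@interface" argument (e.g. "1@em1"), that the LAN VIP is VHID 1 and the WAN NIC is em0 on both boxes (with different HW, as here, check that the WAN device name really is the same on each), and a hypothetical DRY_RUN variable lets you see the command that would run without touching the interface. The script name carp_wan_toggle.sh is also made up for this example.

```shell
#!/bin/sh
# carp_wan_toggle.sh -- hypothetical helper (not pfSense's own code): bring the
# WAN NIC up on a CARP MASTER event and down on BACKUP/INIT, so only the current
# LAN master ever presents the shared MAC to the ISP's DHCP server.
#
# Assumptions (constructed for this example):
#   - pfSense passes the CARP hook a "vhid@interface" argument, e.g. "1@em1"
#   - the LAN CARP VIP is VHID 1; the physical WAN NIC is em0 on both boxes
#   - DRY_RUN=1 prints the ifconfig command instead of executing it

WAN_IF="${WAN_IF:-em0}"      # WAN NIC carrying the cloned MAC on both boxes
LAN_VHID="${LAN_VHID:-1}"    # react to this VHID only, not every VLAN's VIP
DRY_RUN="${DRY_RUN:-0}"

# parse_vhid "1@em1" -> "1"; fails (return 1) on a malformed argument
parse_vhid() {
    case "$1" in
        *@*) printf '%s\n' "${1%%@*}" ;;
        *)   return 1 ;;
    esac
}

# wan_action EVENT VHID -> "up", "down" or "ignore"
# BACKUP and INIT both mean "not master", so both take the WAN down.
wan_action() {
    event="$1"
    vhid="$2"
    [ "$vhid" = "$LAN_VHID" ] || { echo ignore; return 0; }
    case "$event" in
        MASTER)      echo up ;;
        BACKUP|INIT) echo down ;;
        *)           echo ignore ;;
    esac
}

# apply ACTION -> run (or, under DRY_RUN, print) the ifconfig command
apply() {
    action="$1"
    [ "$action" = ignore ] && return 0
    cmd="/sbin/ifconfig $WAN_IF $action"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        logger -t carp_wan_toggle "$cmd"   # leave a trace in the system log
        $cmd
    fi
}

# handle EVENT "vhid@iface": entry point called from rc.carpmaster / rc.carpbackup
handle() {
    vhid=$(parse_vhid "$2") || { logger -t carp_wan_toggle "bad argument: $2"; return 2; }
    apply "$(wan_action "$1" "$vhid")"
}

# Only act when invoked with arguments, e.g. from rc.carpmaster:
#   shell_exec('/usr/local/bin/carp_wan_toggle.sh MASTER ' . escapeshellarg($argv[1]));
if [ "$#" -ge 2 ]; then
    handle "$@"
fi
```

Call it from rc.carpmaster with MASTER and from rc.carpbackup with BACKUP, passing the script's own vhid@interface argument through; with DRY_RUN=1 you can rehearse both transitions on the console before letting it touch the live WAN.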
@kd It is possible to use private IPs for WAN if the ISP, like Comcast/Xfinity, provides NAT even when in "bridge" mode. We have a client set up this way. The 10.1.10.x subnet from Comcast allows both pfSense boxes to access the Internet (e.g. for updates). The CARP IP then can switch between the routers. In our client's case the Comcast router has multiple LAN ports, so it is a switch.
In your workaround the same MAC address on WAN is important because in my experience Comcast in particular seems to "stick" to one MAC so replacing a router with the same IP usually requires waiting, or powering off/rebooting the Comcast router.
Yes.. the MAC was the issue. I could not obtain any IP if I did not clone the MAC across the instances. I had to call them to set up the initial MAC (perhaps they rebooted the router on their end), and then used that MAC for the second box as well.
Also I use my own modem to avoid paying monthly "rental" fees :), and that Netgear unit has only one interface. I need to check if it has any private range / NAT capabilities. Thanks for the tip.
I would assume in any case I will not be able to do it since the MAC would not match.
@kd Ah, I think using your own modem it is intended as a passthrough. Around here, business Comcast accounts provide the 10.1.10.x subnet and NAT. Useful for plugging in a laptop to bypass the client's router, to test.
My home modem is accessible at 192.168.100.1 but I don't think it provides NAT out. It doesn't have a "bridge mode" setting as it just passes the public IP through to my router or a laptop.