Question about multiple WAN CARP VIPs
-
Dear Users,
I'm a newbie and I would like to ask you some information about the "multiple WAN CARP VIPs" usage.
I installed and configured pfsense in HA using CARP and it works as expected. From the WAN point of view, I have 3 IPs belonging to the same network: 1 ip for master psfense, 1 ip for slave pfsense and 1 ip for CARP (and I use this last IP to reach the FW and the services in the backend).
If I'm not wrong, I read somewhere that one or more virtual IPs (belonging to the same network) can bee added to the WAN CARP interface.
If my understanding is true, why it can be done? How the additional CARP IPs can be used? Could you please show me some particular use-case?What happens when two IPs belonging to the same network are added to the same CARP interface?
Thank you in advance
-
@mauro-tridici said in Question about multiple WAN CARP VIPs:
If my understanding is true, why it can be done? How the additional CARP IPs can be used? Could you please show me some particular use-case?
Even if you can add multiple CARPVIPs to the same interface, it's recommended to rather use "IP alias" virtual IPs for the additionals. You can hook them up on the CARP VIP, so they are taken over to the other node in case of a failover.
CARP VIPs produces some additional noise on the network.You need multiple public IPs for instance if you run multiple web server behind pfSense or even any other services which need to use the same port on the public IP.
But should be mentioned at this point, that these can also be achieved with HAproxy on pfSense. -
@mauro-tridici said in Question about multiple WAN CARP VIPs:
1 ip for CARP (and I use this last IP to reach the FW and the services in the backend)
In regards to logging in to pfSense on a CARP IP just be careful as to which router you're connecting to. If the primary fails you may end up connecting to the backup via the shared IP.
We have a client using multiple CARP WAN IPs for Exchange and a web server.
-
@viragomann, @SteveITS, many thanks for your help. I really appreciated it.
So, if I understand your messages correctly, I can add additional public virtual IPs as "IP alias" on top of existing CARP VIP (even if is the usage of HAproxy is a better solution) ?
Let's do an example of the final scenario I'm thinking about:WAN IP1 is the IP assigned to the pfsense instance #1
WAN IP2 is the IP assigned to the pfsense instance #2
WAN IP3 is the IP assigned to the CARP VIP for Ha needsWAN IP4, IP5 and IP6 are the additional IPs assigned as "IP alias" to the CARP VIP for different use-cases.
Could you please confirm that the assignment of multiple WAN IPs addresses (x.x.x.1,x.x.x.2,x.x.x.3,x.x.x.4,x.x.x.5,x.x.x.6) belonging to the same subnet will be not a problem?
Thank you in advance,
Mauro -
@mauro-tridici said in Question about multiple WAN CARP VIPs:
So, if I understand your messages correctly, I can add additional public virtual IPs as "IP alias" on top of existing CARP VIP
Yes. At interface select the CARP VIP from the drop-down.
even if is the usage of HAproxy is a better solution
What does this mean?
Could you please confirm that the assignment of multiple WAN IPs addresses (x.x.x.1,x.x.x.2,x.x.x.3,x.x.x.4,x.x.x.5,x.x.x.6) belonging to the same subnet will be not a problem?
All right.
Refer to the docs: Virtual IP Address Feature Comparison
Remember that you have to configure the outbound NAT manually to use the CARP VIP instead of the primary interface IP.