    pfSense cluster with a routing /30 and a /28 subnet (both public)

    Routing and Multi WAN
    4 Posts 2 Posters 846 Views
    tsmalmbe
    last edited by tsmalmbe

      I have read through endless thread about the topic, but none seem to address my specific issue.

      I have a working pfSense cluster. I have a working internet connection. I have my /29 subnet working. The /29 is set up as CARP VIPs except for the 2 dedicated IPs I have assigned to the firewalls.

      The problem is the /30 routing network. The /30 IP is set up as an alias IP on the shared CARP VIP that is used for outbound NAT. Set up in this way, only one of the firewalls at a time has internet connectivity. The passive one does not have a route to the internet.

      So, what is the right way to do this when
      a) there is a routing network /30 with one public IP
      b) there is another network with public IPs assigned to the firewalls and routed thru the /30 by the ISP
      c) I want to have network connectivity on BOTH firewalls, not only the currently active master.

      Security Consultant at Mint Security Ltd - www.mintsecurity.fi

        SteveITS Galactic Empire @tsmalmbe
        last edited by

        @tsmalmbe Your routers each need a public IP plus the CARP/shared IP. So the /29 could be used for that with another IP on the upstream router as your gateway.

        Technically it can be done with private IPs using NAT, with one shared IP. I’ve done that with Comcast since their router does NAT in bridge mode.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          tsmalmbe @SteveITS
          last edited by tsmalmbe

          This is NOT the answer. This is the answer with ONE public ip, NOT for a situation with a PUBLIC /30 routing network and a PUBLIC /28 network routed. Maybe I was unclear, so I will try again.

          I have a /28 PUBLIC network with PUBLIC IPs assigned to both the firewalls. Of course the CARP VIP is public as well. This is ROUTED thru a ROUTING network by my ISP - that network is a /30 and thus contains only ONE IP address.

          So now I repeat the question:
          What is the right way to do this when
          a) there is a routing network /30 with one public IP
          b) there is another network with public IPs assigned to the firewalls and routed thru the /30 by the ISP
          c) I want to have network connectivity on BOTH firewalls, not only the currently active master.

          Things I have tried:

          • I make the /30 assigned single address an alias IP on the PUBLIC CARP VIP of the /28. This gives me a working /28 but internet on only ONE firewall
          • I make the /30 assigned single address an alias IP on the WAN interface. This gives me internet on both firewalls but the /28 block stops working
          • I make the /30 assigned single address a proxy ARP on either or both of the firewalls - confusing results overall

          I also somewhat struggle to understand the results of my tests above.


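As an added example (not code from the thread, from the poster, or from Netgate), the following Python check covers the difference between the first two things tried above: it parses `ifconfig` output from each node, treats any address printed with a `vhid` suffix as bound to a CARP VIP (FreeBSD's `ifconfig` prints it that way), and reports whether each node can source traffic toward the ISP's side of the /30 without being CARP MASTER, and whether a plain interface address has been configured on both nodes at once. The interface name `vmx0`, the addresses (documentation ranges 198.51.100.0/28 and 203.0.113.0/30 with the ISP on 203.0.113.1) and the ifconfig text are all constructed assumptions; on a real cluster, run `ifconfig <WAN interface>` on each node and feed that output in instead.

```python
"""Classify WAN addresses on pfSense/FreeBSD nodes as plain interface
addresses or CARP-bound addresses, and check upstream reachability.

All addresses and ifconfig text below are constructed for illustration.
"""
import ipaddress
import re

# FreeBSD ifconfig prints "vhid N" after an address that belongs to a CARP VIP
# (including IP aliases attached to that VIP); plain addresses have no vhid.
INET_RE = re.compile(
    r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+)(?: broadcast \S+)?(?: vhid (\d+))?"
)
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+)")


def sample_ifconfig(own_ip, carp_state, alias_on_vip):
    """Build constructed ifconfig output for one node's WAN (assumed vmx0).

    own_ip: the node's dedicated /28 address; 198.51.100.1 is the CARP VIP.
    alias_on_vip: True puts the /30 address on the VIP (vhid 1), False makes
    it a plain interface alias, as in the two configurations the poster tried.
    """
    vhid = " vhid 1" if alias_on_vip else ""
    advskew = 0 if carp_state == "MASTER" else 100
    return (
        "vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
        f"\tinet {own_ip} netmask 0xfffffff0 broadcast 198.51.100.15\n"
        "\tinet 198.51.100.1 netmask 0xfffffff0 broadcast 198.51.100.15 vhid 1\n"
        f"\tinet 203.0.113.2 netmask 0xfffffffc broadcast 203.0.113.3{vhid}\n"
        f"\tcarp: {carp_state} vhid 1 advbase 1 advskew {advskew}\n"
    )


# Constructed cluster snapshots for the two configurations under discussion.
CONFIG_ALIAS_ON_VIP = {
    "fw1": sample_ifconfig("198.51.100.2", "MASTER", True),
    "fw2": sample_ifconfig("198.51.100.3", "BACKUP", True),
}
CONFIG_ALIAS_ON_INTERFACE = {
    "fw1": sample_ifconfig("198.51.100.2", "MASTER", False),
    "fw2": sample_ifconfig("198.51.100.3", "BACKUP", False),
}


def parse_ifconfig(text):
    """Return (addresses, carp_state): a list of (IPv4Interface, vhid or None)
    and a {vhid: state} map taken from the 'carp:' lines."""
    addresses, carp_state = [], {}
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            addr, mask, vhid = m.groups()
            prefixlen = bin(int(mask, 16)).count("1")
            iface = ipaddress.ip_interface(f"{addr}/{prefixlen}")
            addresses.append((iface, int(vhid) if vhid else None))
            continue
        m = CARP_RE.match(line)
        if m:
            carp_state[int(m.group(2))] = m.group(1)
    return addresses, carp_state


def upstream_status(text, gateway):
    """Describe how one node can reach `gateway` (the ISP end of the /30).

    own:         plain addresses on the gateway's subnet (always usable)
    vip:         CARP-bound addresses on that subnet, with their CARP state
    reachable:   the node has an address it can source from right now
    independent: reachability does not depend on being CARP MASTER
    """
    gw = ipaddress.ip_address(gateway)
    addresses, carp_state = parse_ifconfig(text)
    own = [str(a) for a, vhid in addresses if vhid is None and gw in a.network]
    vip = [(str(a), carp_state.get(vhid, "INIT"))
           for a, vhid in addresses if vhid is not None and gw in a.network]
    master = any(state == "MASTER" for _, state in vip)
    return {"own": own, "vip": vip,
            "reachable": bool(own) or master, "independent": bool(own)}


def audit_cluster(nodes, gateway):
    """Run upstream_status over every node's ifconfig text."""
    return {name: upstream_status(text, gateway) for name, text in nodes.items()}


def duplicate_interface_addresses(nodes):
    """Plain (non-CARP) addresses configured on more than one node."""
    seen = {}
    for name, text in nodes.items():
        for iface, vhid in parse_ifconfig(text)[0]:
            if vhid is None:
                seen.setdefault(str(iface.ip), set()).add(name)
    return {ip: sorted(owners) for ip, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    for label, cfg in (("alias on CARP VIP", CONFIG_ALIAS_ON_VIP),
                       ("alias on interface", CONFIG_ALIAS_ON_INTERFACE)):
        print(label, audit_cluster(cfg, "203.0.113.1"),
              "duplicates:", duplicate_interface_addresses(cfg))
```

With the /30 address attached to the VIP, the check shows fw1 reachable only because it is MASTER and fw2 not reachable at all, which is the "internet on ONE firewall" outcome. With the address as a plain alias on both nodes, both are reported reachable and independent, but the same address is flagged as configured on two hosts at once; the check does not try to explain the /28 breakage the poster saw, it only makes the conflict visible.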
            SteveITS Galactic Empire @tsmalmbe
            last edited by

            @tsmalmbe So the public IPs on WAN have no Internet access? That just seems a bit odd and hence my misunderstanding. In that situation if only the one IP has Internet, then there’s not a solution here. You’d have to enter maintenance mode on the primary to move the IP, to update the backup.

            Otherwise aliases can work fine if aliased to/on the shared IP, and the ISP/data center routes traffic to the shared IP.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.