CARP on LAN interface



  • We've got a single PFsense system right now set up as a filtered bridge between WAN and OPT1.  I was wondering if I could set the LAN interface as my sync interface in a CARP setup.  Is this possible?



  • CARP won't work with bridges. Or are you just planning to sync config settings over to another system without failoveroption?



  • We'd like it to be failover, when one goes down, the other takes over.  Is this something that is not possible?



  • Not with a bridge setup, sorry. You have to use routing with CARP.



  • Alright then…what's the simplest way to move from a filtered bridge to a routed setup?  The filtered bridge has worked really well for us so far, but if we have to move to a routed setup to get CARP support, I suppose that's what we've got to do.



  • Also - If we want to set up a routed platform, will we need to set up 1:1 nat's, etc?  We have a webhosting company, and all of the servers need to maintain their public IP's.  I'm not familiar with setting it up to use the LAN interface, and being able to keep the public IP's on the systems.

    I'm more than agreeable to moving to a routed platform if it allows us to impliment CARP (as that's the main feature that we've based our decision to move to PFSense, from m0n0wall for), but the routed configuration is foriegn enough to me that I need to be very cautious.



  • One other question - would it be possible to impliment CARP in a filtered bridge setup at some point in time?  We're not using two unique WAN connections, just simply planning on splitting our upstream connection into a switch, then having two PFSense systems plugged into it.  It seems as though it shouldn't be too difficult to have the OPT1 interface disabled on the secondary PFSense system until it senses on the CARP interface that the main system is down, then re-enables the OPT1 interface and takes over filtering duties.  Maybe I'm wrong, and there's something that's already been hashed over a million times that prevents this, but it seems like a pretty straight-forward implimentation.



  • See http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm how to set up CARP.
    The difference for your setup only is that you add a CARP IP at WAN for every public IP of all your servers.
    Then move all your public servers to the LAN IP subnet.
    Add 1:1 NATs between the external CARP IPs and the internal LAN IPs of your servers.
    Add firewallrules to allow traffic to the internal IPs of your servers (NAT is applied before firewallrules are matched, just like for portforwards too)

    I'm not sure if it is possible in a later version to have CARP working with bridges. From what I have heard by now it's not possible due to the way CARP works atm. It's not a pfSense related limititation but someone might prove me wrong here.



  • So there is no way to leave the public IP's on the servers?  They must be changed over to Nat'd IP's?



  • Also, when you say the NAT is applied before the firewall rules, does that mean that I will need to modify my current firewall rules to get the same effect, or will my current rules be applied just as they are now?



  • Sorry to be such a bother about this, but I swear this is my last question (for now :)

    If I add our entire /24 (class C) as a CARP Virtual IP, does that take care of all of the IP's in the subnet, or do I need to still add each one individually?

    If I add the full /24, and I use one of the IP's (.253) as the WAN IP address, does that cause any problems with using the rest of the /24?  I'm guessing that since they're all set up on the WAN interface, it shouldn't be a problem, but I just want to check.



  • No, each CARP IP is one IP, no matter what subnetmask it has. The subnet just has to match the subnet of the interface physical interface the CARP IP is running on. However you can use 1:1 NAT with subnetranges to map several vips to several internal IPs after you have created your VIPs


Locked