Netgate Discussion Forum

Do you need multiple public IP's for basic failover functionality?

HA/CARP/VIPs
14 Posts 3 Posters 2.2k Views
    SteveITS Galactic Empire @Magoogle
    last edited by Jun 28, 2023, 8:32 PM

    @Magoogle Then you might be stuck. Unless you can try to emulate the NAT Comcast uses...something like:

    router-outside:

    • WAN = public IP subnet 1
    • LAN = public IP subnet 2
    • LAN alias = 10.0.0.1/24

    router1-client:

    • WAN = 10.0.0.2
    • WAN CARP alias = from public IP subnet 2
    • LAN CARP alias = 192.168.1.1
    • LAN = 192.168.1.2

    router2-client:

    • WAN = 10.0.0.3
    • WAN CARP alias = from public IP subnet 2
    • LAN CARP alias = 192.168.1.1
    • LAN = 192.168.1.3

    ...just thinking out loud.

    As noted in the doc page, it can technically be done with router2 not having a working WAN, but then to install anything on router2, or update router2, one has to fail over so router2 is live and then work on it.

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

      Magoogle @SteveITS
      last edited by Jun 28, 2023, 10:36 PM

      @SteveITS

      So I made it work, at least on my bench.

      I used 10.0.0.1 for the primary WAN interface and 10.0.0.2 for the secondary WAN interface with a /30 subnet (this network goes nowhere).

      I created a "public" CARP WAN IP for the actual WAN; in this test it's 10.1.25.250 (because it's behind another firewall on the bench).

      Set up my sync interfaces, configured outbound NAT to Hybrid, and set it to use the CARP address as the NAT address.

      Running ping tests to the internet from an interface behind these 2 virtual firewalls, I only see 1 packet drop when I emulate a firewall failure by "turning off the power" to the Hyper-V VM.

      And powering it back up, it updates and takes over as primary again without any issues. So it looks like this will do what I want without wasting public IPs. The only problem with this is that the secondary firewall has no internet access of its own until it takes over as the primary.

      I guess I could create another virtual interface to act as a secondary WAN to allow it to talk to the internet outside of the "public" facing network.

        SteveITS Galactic Empire @Magoogle
        last edited by Jun 28, 2023, 10:48 PM

        @Magoogle said in Do you need multiple public IP's for basic failover functionality?:

        create another virtual interface to act as a secondary WAN to allow it to talk to the internet outside of the "public" facing network

        If you use a /29 instead of a /30, 10.0.0.3 goes on the router upstream from these two and hence is the gateway for 10.0.0.1 and 10.0.0.2. That gives those two Internet access over the NAT, or the shared/CARP IP.

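The addressing plans in the posts above (SteveITS's two-tier layout, Magoogle's /30 transit network between the two WAN interfaces, and the /29 suggestion for putting an upstream router on that network) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it uses the addresses from the posts, while the node names, VHID, advskew and CARP password are assumed values.

```python
"""Sanity check for the CARP addressing plans discussed in this thread.

Added example; not code from the thread or from pfSense. It models the
private transit subnet between the two nodes' physical WAN interfaces,
the shared CARP VIP on the public block, and an optional upstream
gateway on the transit subnet, then lists the problems a /30 runs into
as soon as a third address is needed there.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass
class Node:
    name: str
    wan: IPv4Interface   # physical WAN address on the transit subnet
    vhid: int            # CARP virtual host ID; must match on both nodes
    advskew: int         # lower value wins MASTER; backup is usually 100
    carp_password: str   # must match on both nodes


@dataclass
class Plan:
    nodes: List[Node]
    carp_vip: IPv4Address                      # shared address on the public block
    upstream_gw: Optional[IPv4Address] = None  # router on the transit subnet, if any

    def transit(self) -> IPv4Network:
        return self.nodes[0].wan.network


def check_plan(plan: Plan) -> List[str]:
    """Return findings; an empty list means the plan is internally consistent."""
    findings: List[str] = []
    transit = plan.transit()
    usable = set(transit.hosts())   # excludes network and broadcast addresses
    addrs = [n.wan.ip for n in plan.nodes]

    for n in plan.nodes:
        if n.wan.network != transit:
            findings.append(f"{n.name}: WAN {n.wan} is not on transit subnet {transit}")
        elif n.wan.ip not in usable:
            findings.append(f"{n.name}: WAN {n.wan.ip} is the network or broadcast of {transit}")
    if len(set(addrs)) != len(addrs):
        findings.append("duplicate WAN addresses on the transit subnet")

    # The VIP is deliberately on the public block, not on the transit subnet,
    # so only collisions with the node addresses are checked here.
    if plan.carp_vip in addrs:
        findings.append(f"CARP VIP {plan.carp_vip} collides with a node WAN address")

    if len({n.vhid for n in plan.nodes}) != 1:
        findings.append("VHID differs between nodes")
    if len({n.carp_password for n in plan.nodes}) != 1:
        findings.append("CARP password differs between nodes")
    skews = [n.advskew for n in plan.nodes]
    if len(set(skews)) != len(skews):
        findings.append("advskew is equal on both nodes; MASTER election is ambiguous")

    if plan.upstream_gw is not None:
        if plan.upstream_gw not in usable:
            findings.append(
                f"upstream gateway {plan.upstream_gw} is not a usable host on {transit} "
                f"({transit.num_addresses - 2} usable addresses)")
        elif plan.upstream_gw in addrs:
            findings.append(f"upstream gateway {plan.upstream_gw} collides with a node WAN address")
    return findings


def thread_plan(prefixlen: int, with_upstream: bool) -> Plan:
    """Addresses from the posts above; VHID, advskew and password are assumed values."""
    nodes = [
        Node("primary",   IPv4Interface(f"10.0.0.1/{prefixlen}"), vhid=1, advskew=0,   carp_password="assumed"),
        Node("secondary", IPv4Interface(f"10.0.0.2/{prefixlen}"), vhid=1, advskew=100, carp_password="assumed"),
    ]
    upstream = IPv4Address("10.0.0.3") if with_upstream else None
    return Plan(nodes, IPv4Address("10.1.25.250"), upstream)


if __name__ == "__main__":
    for prefixlen, with_upstream in ((30, False), (30, True), (29, True)):
        label = f"/{prefixlen}" + (" with upstream 10.0.0.3" if with_upstream else "")
        print(label, "->", check_plan(thread_plan(prefixlen, with_upstream)) or "OK")
```

Run as written it reports the bench /30 as consistent, flags 10.0.0.3 as the broadcast address of 10.0.0.0/30 when an upstream router is added, and accepts the same three addresses on a /29.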
          Magoogle @SteveITS
          last edited by Jun 29, 2023, 12:56 PM

          @SteveITS The router upstream doesn't exist in the datacenter. Just a fiber handoff with 2 blocks of IPs.

            viragomann @Magoogle
            last edited by Jun 29, 2023, 1:09 PM

            @Magoogle said in Do you need multiple public IP's for basic failover functionality?:

            The only problem with this, is that the secondary firewall has no internet access of its own until it takes over as the Primary.

            By creating a failover group with the WAN gateway and the LAN of the primary, the secondary can go out to the internet through the primary node if it's in backup state.

            You would have to configure the HA settings on the primary so that this does not get overwritten.

              Magoogle @viragomann
              last edited by Jun 29, 2023, 2:51 PM

              @viragomann Where on the primary would that HA configuration be changed? I don't see, in the offered selections, a way to exclude that type of change.

                viragomann @Magoogle
                last edited by Jun 29, 2023, 3:12 PM

                @Magoogle
                You have to disable syncing of "Static Route configuration" in System > High Availability Sync.
                This of course means that you have to configure all static routes and gateway groups on the secondary as well.

                  Magoogle @viragomann
                  last edited by Jun 29, 2023, 3:38 PM

                  @viragomann I created a gateway group and a secondary gateway on the secondary firewall. I tried with WAN and the LAN as the interface and the IPs of the primary as the gateway. While the gateway shows online, the secondary is unable to ping out to the world.

                    viragomann @Magoogle
                    last edited by Jun 29, 2023, 3:46 PM

                    @Magoogle
                    On the secondary you need to add the primary's LAN address as a gateway in System > Routing > Gateways. I'll call it PrimLan

                    Then go to the gateway groups tab and add your new failover group:
                    WAN gateway > Tier1
                    PrimLan > Tier2

                    Go back to the Gateways tab and set this group as the default gateway.

                    Ensure that monitoring is enabled on both gateways and that the WAN gateway state is offline when the primary is the master.

                      Magoogle @viragomann
                      last edited by Jun 29, 2023, 3:48 PM

                      @viragomann That's how I set it up. But when using the console for pfSense, it can't ping out even though the Tier2 gateway shows as online.

                        viragomann @Magoogle
                        last edited by Jun 29, 2023, 3:52 PM

                        @Magoogle
                        Check Status > Gateways.
                        Is the tier2 the default now?

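The failover group viragomann describes for the secondary (WAN gateway at Tier 1, the primary's LAN address "PrimLan" at Tier 2, the group set as default gateway, monitoring on both) and the check in the last reply (which gateway is the default now?) can be modelled to see when the secondary's default route actually moves to PrimLan. The following is an added example, not code from the thread or from pfSense: it reproduces only the "member down" trigger of a gateway group, the gateway names follow the posts, the primary's LAN address is taken from SteveITS's layout above, and the ISP gateway address and the monitor outcomes are constructed assumptions.

```python
"""Model of the secondary node's failover gateway group from this thread.

Added example; not code from the thread or from pfSense. It reproduces
only the "member down" trigger of a gateway group (the lowest tier with
an online member wins) and answers the question from the last reply:
which gateway is the secondary's default, and can it reach the internet?
Gateway names follow the posts; the ISP gateway address and the monitor
outcomes are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Carp(Enum):
    MASTER = "MASTER"
    BACKUP = "BACKUP"


@dataclass(frozen=True)
class Gateway:
    name: str
    interface: str           # "WAN" or "LAN"
    address: str
    monitor_enabled: bool = True


@dataclass
class GatewayGroup:
    name: str
    tiers: Dict[str, int]    # gateway name -> tier (1 is preferred)

    def active(self, online: Dict[str, bool]) -> Optional[str]:
        """Lowest tier with an online member (first listed member wins a tie)."""
        for gw, _tier in sorted(self.tiers.items(), key=lambda kv: kv[1]):
            if online.get(gw, False):
                return gw
        return None


@dataclass
class SecondaryNode:
    carp: Carp
    gateways: List[Gateway]
    group: GatewayGroup
    default: str             # group name or gateway name chosen as default gateway

    def monitor_results(self) -> Dict[str, bool]:
        """Constructed monitor outcome for this design.

        Assumption taken from the thread: the secondary's WAN only has a
        usable public address while it holds the CARP VIP, so its WAN
        gateway monitor succeeds only as MASTER. PrimLan (the primary's
        LAN address) answers while the primary is up. A gateway whose
        monitoring is disabled is always treated as online.
        """
        results: Dict[str, bool] = {}
        for gw in self.gateways:
            if not gw.monitor_enabled:
                results[gw.name] = True
            elif gw.interface == "WAN":
                results[gw.name] = self.carp is Carp.MASTER
            else:
                results[gw.name] = True
        return results

    def default_gateway(self) -> Optional[str]:
        """Gateway the default route currently points at (Status > Gateways)."""
        if self.default == self.group.name:
            return self.group.active(self.monitor_results())
        return self.default

    def can_reach_internet(self) -> bool:
        gw = self.default_gateway()
        if gw == "PrimLan":
            return True                  # hairpin through the primary, which NATs it out
        return gw == "WANGW" and self.carp is Carp.MASTER   # own WAN works only as MASTER


def build_secondary(carp: str, wan_monitor: bool = True, group_is_default: bool = True) -> SecondaryNode:
    """Secondary node as configured in the steps above; the flags toggle two common mistakes."""
    wan = Gateway("WANGW", "WAN", "10.1.25.1", monitor_enabled=wan_monitor)  # ISP gateway: assumed address
    primlan = Gateway("PrimLan", "LAN", "192.168.1.2")                       # primary LAN address from SteveITS's layout
    group = GatewayGroup("Failover", {"WANGW": 1, "PrimLan": 2})
    return SecondaryNode(Carp(carp), [wan, primlan], group, "Failover" if group_is_default else "WANGW")


if __name__ == "__main__":
    cases = [
        ("backup, as described",            build_secondary("BACKUP")),
        ("master after failover",           build_secondary("MASTER")),
        ("backup, WAN monitoring disabled", build_secondary("BACKUP", wan_monitor=False)),
        ("backup, group not made default",  build_secondary("BACKUP", group_is_default=False)),
    ]
    for label, node in cases:
        print(f"{label:34} default={node.default_gateway()!s:8} internet={node.can_reach_internet()}")
```

The two failing cases are the ones worth checking on a box that behaves as in the thread: a Tier 2 gateway showing online is not enough on its own, because the group only moves to it when the Tier 1 WAN gateway is monitored and reported down, and the default route only follows the group when the group itself, not the WAN gateway, is selected as the default gateway.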
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.