Netgate Discussion Forum
    HA with Public IPs from different subnets

    HA/CARP/VIPs
UserCo

      Hello,

      I have the following issues:

1. I would like to have an HA setup for pfSense, but cannot get a pool of /29 public IPs from my provider. Therefore I was asking myself if I could set up HA with 2 public IPs in different subnets and still do the failover part on the LAN side as documented. As far as I understand this, it should still fail over to the second firewall in case of an outage and then route the traffic out to the second public IP, which would mean that all states are lost, but that should only be a few seconds of outage for the clients as the states are quickly rebuilt on the second public IP. Is this correct or am I missing something?

2. I would also like to have Multi-WAN running on both of the instances, so that in case one Internet line (not the pfSense box) fails, all traffic gets routed out the secondary WAN link. Would this setup interfere with the HA in any part?

3. I would like to run LAG interfaces to the LAN side of both pfSense boxes, on which there are VLANs configured (using the pfSense as router on a stick). Does this also work with the HA setup?

      Any help is appreciated.

      Thanks

viragomann @UserCo

        @UserCo said in HA with Public IPs from different subnets:

I would like to have an HA setup for pfSense, but cannot get a pool of /29 public IPs from my provider. Therefore I was asking myself if I could set up HA with 2 public IPs in different subnets and still do the failover part on the LAN side as documented.

I guess you mean with different upstream lines? This should be possible anyhow. But why would you do this?

I would rather configure all interfaces in HA mode, but use private address space for the WAN.
This has some drawbacks, though, but it's more reliable than different WAN upstream connections.

I would also like to have Multi-WAN running on both of the instances, so that in case one Internet line (not the pfSense box) fails, all traffic gets routed out the secondary WAN link. Would this setup interfere with the HA in any part?

        No.
        So you have a router in front of pfSense on one WAN, but the other one gets a public IP?

I would like to run LAG interfaces to the LAN side of both pfSense boxes, on which there are VLANs configured (using the pfSense as router on a stick). Does this also work with the HA setup?

        Yes.
You configure the LAGG on the network ports, then assign an interface to it with an IP. Do the same on the secondary node with a different IP. Then assign the CARP VIP on the primary to this interface.

SteveITS @UserCo

          @UserCo Who is your ISP? Specifically for Comcast here, their router provides NAT even in bridged mode. So we have set up:

          router1 - 10.1.10.11
          router2 - 10.1.10.12
          shared IP - single public IP

          This way both routers can access Internet and the one public IP is shared.

Re: multiple WAN, it can be done with HA but needs multiple sets of IPs:
          https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html

UserCo

I guess you mean with different upstream lines? This should be possible anyhow. But why would you do this?

I would rather configure all interfaces in HA mode, but use private address space for the WAN.
This has some drawbacks, though, but it's more reliable than different WAN upstream connections.

Thanks for the answers. How would I use the private address space on the WAN side? I have only read that it could be possible but never seen it. What's wrong with the different WAN upstream connections, other than that in case of a hardware failure on the master pfSense the state tables on the secondary would need to be rebuilt?

viragomann @UserCo

              @UserCo said in HA with Public IPs from different subnets:

What's wrong with the different WAN upstream connections, other than that in case of a hardware failure on the master pfSense the state tables on the secondary would need to be rebuilt?

As I understand it, you intend to connect the primary node to one WAN line and the secondary to the other. So if the line on the primary goes down, the LAN CARP won't automatically fail over to the secondary because the primary is still healthy. You would have to pull the LAN plug in this case.

UserCo @viragomann

@viragomann Yes, exactly. Another question, as I just received the info that I might be able to get 3 public IP addresses in the same public subnet from my provider: how would I get them onto the WAN interface of my pfSense? Right now I use PPPoE, but I am wondering how I would get one IP each to each of the WANs and the 3rd one as the CARP VIP. Would I need a WAN switch and then use static IP addressing for each WAN on the pfSense and then select the public gateway of my provider as the gateway for my WANs? And what would I need to tell my provider on how they need to set up their device?

                Thanks

viragomann @UserCo

                  @UserCo
                  How will you get the public IPs?

CARP is basically only supported with static interface IPs. I don't think the provider will give you multiple PPPoE IPs.
                  And yes, if both come over a single cable you need a switch in front of the pfSense boxes.

                  There are some threads in the forum discussing "PPPoE as CARP VIP" though. You can use the search, maybe there are possibilities. I don't know.

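Worked example (added here; it is not code from the thread or from pfSense itself): the raw FreeBSD ifconfig(8)/route(8) sequence that sits behind two of the setups discussed above, viragomann's "LAGG with VLANs plus a CARP VIP on the LAN" and UserCo's "three static public IPs on the WAN, one per node and one as the CARP VIP behind a WAN switch". pfSense normally generates this from the GUI and syncs the VIPs to the secondary via XML-RPC, so the script is only for understanding and checking what the nodes end up with. Everything concrete in it is an assumption: the NIC names igb0/igb1/igb2, VLAN tag 10, the LAN and WAN addresses (WAN in the 203.0.113.0/24 documentation range), VHIDs 10 and 20, the provider gateway and the CARP password.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: FreeBSD ifconfig/route
# sequence for a two-node CARP pair. Only each node's own addresses and the CARP
# advskew differ between the nodes; VHIDs, VIPs and the password must match.
# Usage: sh ha-carp.sh primary|secondary [apply]
# Without "apply" the commands are only printed (dry run on any machine).

LAGG_PORTS="igb0 igb1"   # assumed: two NICs bundled into lagg0 towards the LAN switch
VLAN_TAG=10              # assumed: VLAN carried over the LAGG (router on a stick)
LAN_VIP="10.1.10.1"      # assumed: CARP VIP that LAN clients use as gateway
WAN_IF="igb2"            # assumed: WAN NIC, connected to a small WAN switch
WAN_BITS=24              # assumed: size of the provider's public subnet
WAN_VIP="203.0.113.10"   # assumed: third public IP, used as the WAN CARP VIP
WAN_GW="203.0.113.1"     # assumed: provider gateway in that subnet
CARP_PASS="changeme"     # assumed: shared CARP password, identical on both nodes

# node_params NODE -> "lan_addr wan_addr advskew" for that node.
# Lower advskew wins the MASTER election, so the primary gets 0.
node_params() {
    case "$1" in
        primary)   echo "10.1.10.11 203.0.113.11 0" ;;
        secondary) echo "10.1.10.12 203.0.113.12 100" ;;
        *) echo "unknown node: $1 (expected primary|secondary)" >&2; return 1 ;;
    esac
}

# carp_alias IFACE VHID ADVSKEW VIP -> one ifconfig line adding a CARP VIP.
carp_alias() {
    echo "ifconfig $1 vhid $2 advskew $3 pass ${CARP_PASS} alias $4/32"
}

# gen_node_config NODE -> prints the complete sequence for NODE, in order:
# LAGG, VLAN on the LAGG, node LAN address, LAN VIP, node WAN address,
# WAN VIP, default route via the provider gateway.
gen_node_config() {
    params=$(node_params "$1") || return 1
    set -- $params
    lan_addr=$1; wan_addr=$2; skew=$3
    ports=""
    for p in $LAGG_PORTS; do ports="$ports laggport $p"; done
    lan_if="vlan${VLAN_TAG}"
    echo "ifconfig lagg0 create"
    echo "ifconfig lagg0 laggproto lacp${ports} up"
    echo "ifconfig ${lan_if} create vlan ${VLAN_TAG} vlandev lagg0"
    echo "ifconfig ${lan_if} inet ${lan_addr}/24 up"
    carp_alias "${lan_if}" 10 "$skew" "${LAN_VIP}"
    echo "ifconfig ${WAN_IF} inet ${wan_addr}/${WAN_BITS} up"
    carp_alias "${WAN_IF}" 20 "$skew" "${WAN_VIP}"
    echo "route add default ${WAN_GW}"
}

# carp_state < ifconfig-output -> MASTER, BACKUP or INIT of the first CARP
# VIP on the interface; run "ifconfig vlan10 | carp_state" on each node to
# confirm that exactly one of them currently owns the VIP.
carp_state() {
    awk '/^[[:space:]]*carp:/ { print $2; exit }'
}

# Constructed sample of "ifconfig vlan10" output on the node holding the VIP.
SAMPLE_MASTER='vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.10.11 netmask 0xffffff00 broadcast 10.1.10.255
        inet 10.1.10.1 netmask 0xffffffff broadcast 10.1.10.1 vhid 10
        carp: MASTER vhid 10 advbase 1 advskew 0'

if [ -n "$1" ]; then
    if [ "$2" = "apply" ]; then
        gen_node_config "$1" | sh -e    # execute on the node itself (FreeBSD)
    else
        gen_node_config "$1"            # dry run: just show the commands
    fi
fi
```

Two points the script makes visible that the thread only implies: both nodes carry the same VIP definition (VHID, address, password) and differ only in advskew, which is why the VIP has to be created on the primary and synced rather than configured ad hoc; and the CARP advertisements for the WAN VIP travel on the WAN segment, so both WAN ports must sit on one L2 domain (the WAN switch viragomann mentions) in front of the provider device, with the provider simply routing the public subnet to that segment.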
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.