Netgate Discussion Forum
    pfsense HA cluster on Hetzner with routed /26 subnet

waltk (last edited by waltk):

      Hi,

      Our current setup in a colo DC:
      /29 subnet provided by DC for pfsense HA cluster – WAN side.

      pfsense then has three internal networks:

• management (10.10.1.0/24)
• private LAN (192.168.1.0/24)
• public DMZ: a public /26 subnet provided by the DC, with the next hop being the CARP WAN IP from the /29.

      We’re looking to move this setup to Hetzner – using their root servers, not cloud.

      I’ve read through their docs on vSwitches, Public Subnets, and Failover Subnets, but can’t figure out how to route a /26 subnet via a /29 subnet?

      Anyone doing anything similar, or even running an HA cluster on Hetzner without a secondary routed subnet?

      Thanks.

SteveITS (Galactic Empire) @waltk:

        @waltk I may be confused but normally you need the data center to route the DMZ subnet to your (shared) WAN IP. They won't/can't give you three IPs for WAN?

        If not, an option might be to set the entire /26 up as IP aliases on WAN, and use 1:1 NAT.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

waltk @SteveITS:

@SteveITS Thanks for replying. Hetzner got back to me and they can't route a subnet behind another subnet, only behind a single IP. So, I'll try setting this up with a single CARP WAN IP and test. If not, 1:1 NAT would work as you suggested, but tbh I'd prefer it without NAT.

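The two options discussed in this thread (the provider routing the public /26 to a single CARP WAN IP, versus adding the /26 as WAN IP aliases and using 1:1 NAT) can be checked before touching the firewalls. The script below is an added example and is not code from either poster or from Netgate; it uses constructed RFC 5737 documentation prefixes in place of the real /29 and /26, a hypothetical 10.10.2.0/26 internal DMZ for the NAT option, and an assumed WAN interface name `vtnet0` in the rendered pf rule.

```python
"""Plan the routed and 1:1 NAT options for a public /26 behind an HA WAN.

Constructed example (documentation address ranges); not the posters' setup.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample values standing in for the /29 WAN block, the CARP VIP
# and the routed public /26 DMZ from the thread.
WAN_SUBNET = IPv4Network("203.0.113.0/29")
CARP_VIP = IPv4Address("203.0.113.2")
PUBLIC_DMZ = IPv4Network("198.51.100.0/26")
# Hypothetical RFC 1918 block used only for the 1:1 NAT option.
INTERNAL_DMZ = IPv4Network("10.10.2.0/26")


def routed_plan(public, wan, vip):
    """Option 1: the provider routes `public` to a single next hop (the CARP VIP).

    Returns (destination, next_hop) after checking that the hop is a usable
    host address inside the WAN block (not its network or broadcast address)
    and that the routed block does not overlap the WAN block. This encodes
    the constraint from the thread: the route target is one IP, not a subnet.
    """
    if vip not in wan or vip in (wan.network_address, wan.broadcast_address):
        raise ValueError(f"{vip} is not a usable host address in {wan}")
    if public.overlaps(wan):
        raise ValueError("routed block must be distinct from the WAN block")
    return (str(public), str(vip))


def one_to_one_nat_plan(public, internal):
    """Option 2: every usable public address becomes a WAN IP alias and is
    mapped 1:1 to the internal host at the same offset.

    Returns a list of (external, internal) pairs. Both blocks must have the
    same prefix length so that the mapping is a bijection; network and
    broadcast addresses are skipped on both sides.
    """
    if public.prefixlen != internal.prefixlen:
        raise ValueError("1:1 NAT needs equally sized blocks")
    return [(str(ext), str(ins)) for ext, ins in zip(public.hosts(), internal.hosts())]


def pf_binat_rule(public, internal, wan_if="vtnet0"):
    """Render a pf `binat` rule for the subnet-to-subnet 1:1 mapping.

    pf's binat supports equally sized network-to-network mappings; the
    interface name is an assumption, and this is a readable approximation
    of the rule, not a dump of what the firewall GUI generates.
    """
    return f"binat on {wan_if} from {internal} to any -> {public}"


if __name__ == "__main__":
    print("routed option:", routed_plan(PUBLIC_DMZ, WAN_SUBNET, CARP_VIP))
    pairs = one_to_one_nat_plan(PUBLIC_DMZ, INTERNAL_DMZ)
    print(f"1:1 NAT option: {len(pairs)} WAN aliases, e.g.")
    for ext, ins in pairs[:3]:
        print(f"  {ext} <-> {ins}")
    print(pf_binat_rule(PUBLIC_DMZ, INTERNAL_DMZ))
```

The routed option needs no address rewriting, so DMZ hosts keep their public addresses end to end; the NAT option costs one WAN alias per public address (62 for a /26) and every DMZ host sees translated traffic, which is the trade-off the thread weighs.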
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.