Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP VIPs or Other

    Scheduled Pinned Locked Moved
    General pfSense Questions
    3
    6
    57
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jms123
      last edited by

      I am setting up a HA pair of pfSense firewalls (2.7.2) for a customer. The servers on the LAN side will use private addressing and we will use public IPs and 1 to 1 NAT for them.

      The firewalls will connect to a pair of L3 switches on the WAN side.

      They need approx 40 public IPs so I can do this one of two ways -

      1. use a /26 for the WAN side and use IPs from that subnet on the physical WAN interfaces + the CARP VIP and then create CARP VIPs for each 1 to 1 NAT that is needed.

      So when traffic gets the L3 switches from the internet they will arp for each CARP VIP and the firewall will respond.

      1. use a /29 on the WAN side for the physical IPs and the CARP VIP. Then assign a /27 and a /29 to them and add routes on the L3 switches for these subnets pointing to the CARP WAN VIP.

      The VIPs for the 1 to 1 NATs would be Other type VIPs .

      I know both of the above work as I have used both but was just wondering what the pros and cons are for each of the above.

      1. is probably simpler to setup but it does mean there will be approx 40 CARP VIPs on the WAN side of the firewalls - is there any downside to this ?

      Also there is no flexibility in terms of the subnet ie. if the client suddenly decided they only needed 30 IPs we would need to redo the subnet mask etc. on the physical NICs etc.

      1. the main benefit here seems to be flexibility ie. if the client changed the number of IPs they needed we could just update the routes, no need to physically change the address details on the firewalls.

      Would be interested to hear any opinions

      Thanks

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @jms123
        last edited by

        @jms123
        You need at least a /29 for the WAN Interface IPs of both amd the CARP VIP. All additional IPs can be routed to the CARP VIP then.
        In this case no further IP needs to be assigned. You can directky forward them with 1:1 NAT.

        If routing is not an option you have ti assign each additional IP as proxy ARP or IP Alias hooking up on the CARP VIP.
        Don"t add CARP VIP for each! Each one produces additional traffic on the Interface.

        J 1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Yup that^. Use IPAlias VIPs on the main CARP VIP instead of multiple CARP VIPs. Reduces CARP traffic and the numerous scripts that get run for each VIP state change.

          J 1 Reply Last reply Reply Quote 0
          • J
            jms123 @viragomann
            last edited by

            @viragomann - thanks for the response. I am leaning towards the routing setup as have used many times before and it works well.

            1 Reply Last reply Reply Quote 0
            • J
              jms123 @stephenw10
              last edited by

              @stephenw10 - thanks for the response. I might test out IPAlias as never used before but the routing and Other VIP gives us more flexibility in terms of addressing I think

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @jms123
                last edited by

                @jms123
                See Virtual IP Address Feature Comparison in the docs to learn about the differences of the virtual IP types.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.