Netgate Discussion Forum

    HA CARP VIPs for 1:1 NAT?

    HA/CARP/VIPs
    3 Posts 2 Posters 155 Views
    rfranzke
    last edited by rfranzke

      Hello all. Very new to PFSense so this will likely be a pretty basic question here, but I cannot find a definitive answer so thought I would post this up.

      I am lucky enough with my setup to have been grandfathered in with a public /24 subnet from my ISP/Colo facility. As such, what I typically do for services I offer the world is use 1:1 NAT for each service I want to expose to the Internet.

      I am setting up a new HA pair of PFSense devices, moving away from an overly expensive Cisco FTD setup. I have all the typical CARP/Sync bits working for PFSense in my lab. I had originally set up a PFSense configuration without the HA part but have added that into the configuration. Before HA, I set up Proxy ARP VIPs for all the 1:1 NAT configurations. That seemed to work fine.

      My question here is: do I need to do CARP VIPs for each 1:1 NAT public IP I configured on here, or can I simply keep the proxy ARP VIPs I set up? I think I need a CARP VIP for each to facilitate failover and draw traffic to the current CARP master FW as well as avoid ARP conflicts with the backup PFSense box. Just need some confirmation here.

      So I am clear, to illustrate what I mean, let's say I have a NAT rule that translates a public IP of 172.16.0.55 to an internal IP of 10.10.10.55. Without HA, to get this to work I would create a proxy ARP VIP of 172.16.0.55 on the WAN interface to draw traffic to that IP on the WAN. Now with HA, I don't need that proxy ARP bit as the CARP IP will ARP for itself on the WAN link depending on which HA device is master for the 172.16.0.55 IP at the time.

      Pretty sure I have this right but being new to PFSense I wanted to make sure. Thanks in advance for helping this PFSense noob.

      SteveITS @rfranzke

        @rfranzke we’ve set it up using the public IPs on LAN but not aliases like that. Just on non HA. You might scan this: https://docs.netgate.com/pfsense/en/latest/highavailability/reduce-heartbeat-traffic.html


        rfranzke @SteveITS

          @SteveITS Thanks for the link. I had not considered the VIP stacking idea. I'm not sure how much of an issue my setup will have with VIP multicast traffic on my WAN link but good to know this technique is available to reduce some of that. Again, thanks for the link.

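The question in the first post (is each 1:1 NAT public IP still backed by a VIP that follows the CARP master?) and the stacking idea from the linked docs both come down to a check you can run against the exported config. The following is an added example, not code from the thread or from Netgate: it walks a constructed pfSense-style config.xml fragment and flags every 1:1 NAT external address that is not a CARP VIP or an IP Alias stacked on a CARP VIP. The element layout and the `_vip<uniqid>` parent-interface convention are assumptions about the config format, not taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed pfSense config.xml layout): .55 is a CARP VIP, .56 an
# IP Alias stacked on it (the docs' stacking idea), .57 a pre-HA Proxy ARP VIP,
# and .58 has a NAT rule but no VIP at all.
SAMPLE_CONFIG = """<pfsense><virtualip>
 <vip><mode>carp</mode><interface>wan</interface><uniqid>vipA</uniqid>
  <subnet>172.16.0.55</subnet><subnet_bits>24</subnet_bits><vhid>10</vhid></vip>
 <vip><mode>ipalias</mode><interface>_vipvipA</interface><uniqid>vipB</uniqid>
  <subnet>172.16.0.56</subnet><subnet_bits>32</subnet_bits></vip>
 <vip><mode>proxyarp</mode><interface>wan</interface><uniqid>vipC</uniqid>
  <subnet>172.16.0.57</subnet><subnet_bits>32</subnet_bits></vip>
</virtualip><nat>
 <onetoone><interface>wan</interface><external>172.16.0.55</external></onetoone>
 <onetoone><interface>wan</interface><external>172.16.0.56</external></onetoone>
 <onetoone><interface>wan</interface><external>172.16.0.57</external></onetoone>
 <onetoone><interface>wan</interface><external>172.16.0.58</external></onetoone>
</nat></pfsense>"""


def failover_capable(addr, vips):
    """True if addr is a CARP VIP or an IP Alias stacked on one. A stacked alias's
    parent is assumed to be recorded as interface '_vip<uniqid>' of the CARP VIP."""
    mode, iface, _ = vips.get(addr, (None, "", None))
    if mode == "carp":
        return True
    if mode == "ipalias" and iface.startswith("_vip"):
        parent = iface[len("_vip"):]
        return any(m == "carp" and u == parent for m, _, u in vips.values())
    return False


def audit_one_to_one(config_xml):
    """Map each 1:1 NAT external address to a status; only 'ok' follows the CARP master."""
    root = ET.fromstring(config_xml)
    vips = {v.findtext("subnet"): (v.findtext("mode"), v.findtext("interface"),
                                   v.findtext("uniqid")) for v in root.iter("vip")}
    report = {}
    for ext in (r.findtext("external") for r in root.iter("onetoone")):
        if failover_capable(ext, vips):
            report[ext] = "ok"
        elif ext in vips:
            report[ext] = f"{vips[ext][0]} VIP only: no CARP failover"
        else:
            report[ext] = "no VIP: WAN will not answer ARP for it"
    return report
```

Run `audit_one_to_one` over the `<virtualip>` and `<nat>` sections of a real backup; the two non-ok statuses are exactly the leftover Proxy ARP entries and the missing-VIP cases that the first post worries about.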