Usable WAN CARP IPs (if any) for NAT, routing etc. to computers behind pfsense

  • So I am using 3 public IPs for the CARP setup: one shared IP and one for each WAN interface on the two pfSense boxes. Can any of those IPs also be used for NAT and other routing to my computers behind pfSense, or are they strictly already taken and I should start with my 4th public IP? It seems I might be able to get away with using the shared CARP VIP, but what do I know? (Not much.) Maybe I can use the other two also if I add them as CARP VIPs? Thanks

  • The IP addresses assigned to the physical interfaces cannot also be CARP IP addresses. It is possible to use them for doing port forwards, although they would not have the same failover benefits as CARP VIPs.

    If you have additional IP addresses, those can also be used as CARP VIP addresses on this cluster. Assuming your ISP gave you a /29, you could use the first two IPs as the real IPs for each WAN on your cluster, the third for your shared VIP and the other 3 as additional shared VIPs for additional web servers, mail servers or whatever you need. This is obviously dependent on your actual setup.

  • Thanks. So what purpose does the third IP serve? Why couldn't I also use it in the same way I might use the remaining three IPs mentioned in your example?

  • You can. That shared IP becomes the source IP of any traffic egressing from your network and you're able to NAT traffic inbound on that interface.
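The /29 layout described in the answers above, as an added example that is not part of the original thread and not pfSense's own code: it carves a block into the roles the reply names (real WAN addresses for each node, the shared VIP, extra VIPs for forwards) and checks a proposed VIP list against the rule that an address bound to a physical WAN interface cannot also be a CARP VIP. The 203.0.113.8/29 block and the role names are made-up placeholders; only the Python standard library is used.

```python
"""Plan and sanity-check CARP VIP usage of a small public block.

Added illustration for the thread above, not pfSense code.  The block
203.0.113.8/29 is a documentation range chosen as a constructed example.
"""
import ipaddress


def plan_block(cidr, node_count=2):
    """Assign roles to the usable hosts of a block the way the reply suggests.

    The first node_count usable hosts become the real WAN addresses of the
    cluster members, the next one the shared (primary) CARP VIP, and any
    remaining hosts extra CARP VIPs available for port forwards / 1:1 NAT.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    if len(hosts) < node_count + 1:
        raise ValueError(f"{cidr} has only {len(hosts)} usable hosts")
    return {
        "wan_real": hosts[:node_count],
        "shared_vip": hosts[node_count],
        "extra_vips": hosts[node_count + 1:],
    }


def check_vips(cidr, wan_real, vips):
    """Validate a proposed CARP VIP list; returns a list of problem strings.

    An empty list means every VIP is a usable host address inside the block,
    none of them collides with a physical WAN interface address, and none is
    listed twice.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    usable = set(net.hosts())
    real = {ipaddress.ip_address(a) for a in wan_real}
    problems = []
    seen = set()
    for v in vips:
        ip = ipaddress.ip_address(v)
        if ip in real:
            problems.append(
                f"{ip} is a physical WAN interface address; it cannot be a CARP VIP")
        if ip not in usable:
            problems.append(f"{ip} is not a usable host address in {cidr}")
        if ip in seen:
            problems.append(f"{ip} is listed twice")
        seen.add(ip)
    return problems


def forward_has_failover(addr, plan):
    """True if a port forward on addr would follow CARP failover.

    Per the reply, forwards on a CARP VIP fail over with the cluster while
    forwards on a node's real WAN address do not.
    """
    ip = ipaddress.ip_address(addr)
    vips = {plan["shared_vip"], *plan["extra_vips"]}
    if ip in vips:
        return True
    if ip in set(plan["wan_real"]):
        return False
    raise ValueError(f"{ip} is not part of the planned block")


if __name__ == "__main__":
    plan = plan_block("203.0.113.8/29")  # constructed example block
    for role, addrs in plan.items():
        print(f"{role:11s}: {addrs}")
    # A bad plan: reusing node A's real address as a VIP and the broadcast address.
    bad = check_vips("203.0.113.8/29", plan["wan_real"],
                     ["203.0.113.9", "203.0.113.15"])
    for p in bad:
        print("problem:", p)
```

Run it as a script to see the role table and the two rejected VIPs; in a real deployment the "wan_real" addresses are whatever is configured on each node's WAN interface, and the VIPs are what you enter under Firewall > Virtual IPs.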
