Listening for different ranges of IPs

  • Hi All,

    I have been tasked with replacing our current ugly hack of a firewall solution with one based on pfSense.  I have two identical machines set up for the task each with two ethernet nics.  we currently have two external ip ranges forwarding to our firewall machine one in the xx.xx.110.16/29 and the other ip range xx.xx.110.32/28.  All the traffic for the xx.xx.110.32/28 traffic if forwarded to the xx.xx.110.20 address and the routed from there.  Due to the /29 we only have three ips in that range usable .20, .21 and .22 (21 and 22 are in use).

    my questions are:

    Can I have a Carp IP address to float between the two pfSense boxes on an interface with no additional IPs associated (the .20 address)?

    How should I set up the other external addresses so they can be nat'ed to our internal servers?

    I am reading the book and I am still confused on how to do it this.  Any help would be great.


  • Rebel Alliance Developer Netgate

    In order to do CARP, you would need to have three IPs in the xx.xx.110.16/29 subnet. One each for the two firewalls, and the shared CARP address.

    The CARP VIP must be in the same subnet as the WAN IPs of the firewall.

    As for the other subnet, xx.xx.110.16/29, as long as the IP they are routed to is your CARP VIP (.110.20) then failover would work fine. You just setup "other" type VIPs for the IPs in xx.xx.110.16/29 and then you can use them however you like for NAT (port forwards, 1:1, outbound NAT…)

  • thanks for your help.  Is it possible in the above setup to have one of the /29 traffic ips function in a  load balanced config (two web servers behind the the two pfSense boxes)?  I also had some issue during testing of the failover that I havent been able to trouble shoot.  it appears that the /29 addresses don't seem to follow the carp interface.  I was running a siege test against one of the /29 addressed IPs and I shut down load balancer 1 fully expecting LB2 to pick up the load but I ended up with socket timeouts and the interface disappearing. Any ideas?


  • Rebel Alliance Developer Netgate

    If the /29 is routed to your CARP VIP, and not the WAN IP, it should follow from one box to the other.

    I'm not sure about the load balancer, I thought that failed over as well but I haven't tried it myself.

Log in to reply