Static IPs and CARP related questions

  • I'm running pfSense 2.0 on an appliance I built. So far, no issues.  The set-up is for a very small business.

    I have Verizon FiOS with 5 static IPs.  My IP block is its own /29 subnet but the Verizon GW is in a /24 subnet.  The only way I've gotten multiple IPs to work so far (I've only used one of the extras) is to create a VIP group with CARP.  So my first question is: Is this really a routed subnet I just didn't figure out how to set up?  I'm thinking the router has to be in the same subnet.  If not, do I really need CARP here?  I also tried using Proxy ARP but couldn't get it to work.  I suspect that was just me not understanding something there.  Any guidance here appreciated.  I have the book as a reference.

    Second, to go to CARP failover do I then definitely need a routed subnet?  If not, can failover CARP coexist with my existing CARP VIPs?

    Lastly, if I get that far, I still have only 5 IPs.  I'd like to NAT the secondary router IP for secondary DNS.  Can the secondary be used like that?  I'm wondering if I also have to get a bigger block.  In a single router set-up I'd have a need for at least 3 of the 5 static IPs (maybe 4).  I'm wondering what the math is to extend that – I assume it's not always just doubling it since the secondary is usually not routing anything (only that secondary DNS if that sort of set-up is possible).

  • Some more details/ideas here after reading the book again:

    Since I don't appear to have a true routed subnet, it looks like I could connect a switch to the Verizon ONT.  Off that switch I'd see my 5 IPs (I believe I did test this back at install time).  I'd use 3 of those 5 for a CARP failover set-up.  If that's all true (I think it is), then my question is how I can use the other 2 IPs.  Without the switch I use CARP/VIPs to associate those other addresses to my primary IP.  It's not clear to me how that looks with a switch in between the two now.  Seems like I could either still do the CARP/VIP trick (switch has no effect other than splitting off the two IPs I need to separate for failover), or it seems like I might have to have pfSense see the split extra IPs as multiple WAN IPs (which I'd use without failover).  The problem with that second scenario would seem to be that I can no longer pool the extras for a set of NAT rules to fan them out to the DMZ behind pfSense – that if I split them either one pfSense box would get the extra two, or each pfSense box (primary, secondary) would get one of the two extras.
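The question running through both posts above, whether the /29 block is "really" routed or just sits on-link inside the provider's /24, and how many of the five addresses a two-node CARP pair consumes, can be worked out mechanically. The following is an added illustration, not part of either post and not pfSense code: it uses Python's standard `ipaddress` module with constructed documentation addresses (`198.51.100.8/29` as the customer block, `198.51.100.1` as a gateway in the surrounding `/24`), and the function names `classify_wan`, `wan_interface_plan` and `failover_ip_budget` are hypothetical. The interface/mask layout it proposes for the on-link case (interface address carrying the gateway's wider mask, remaining addresses as additional VIPs) is one common arrangement, stated here as an assumption rather than as the poster's configuration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample values (RFC 5737 documentation ranges), not the poster's real addresses:
# a /29 customer block whose provider gateway lives in the surrounding /24.
CUSTOMER_BLOCK = "198.51.100.8/29"
PROVIDER_GATEWAY = "198.51.100.1"
PROVIDER_PREFIX = 24


def classify_wan(block: str, gateway: str, gateway_prefix: int) -> str:
    """Classify how a static block relates to the provider gateway.

    gateway_in_block      - the gateway is one of the block's own addresses
    on_link_larger_subnet - the gateway is outside the block, but the block sits
                            inside the gateway's (larger) subnet, so the addresses
                            are still directly attached to the WAN segment
    routed                - the block is not on the gateway's subnet at all; the
                            provider must route it towards a separate transit address
    """
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_address(gateway)
    gw_net = ipaddress.ip_network(f"{gateway}/{gateway_prefix}", strict=False)
    if gw in net:
        return "gateway_in_block"
    if net.subnet_of(gw_net):
        return "on_link_larger_subnet"
    return "routed"


def wan_interface_plan(block: str, gateway: str, gateway_prefix: int) -> Dict[str, object]:
    """Suggest which address goes on the WAN interface and which remain for VIPs.

    Assumption (not from the post): in the on-link case the interface address
    must carry the gateway's wider mask so the gateway is reachable; the rest of
    the block is then added as additional (alias/CARP) addresses. In the routed
    case the WAN needs a transit address from the provider and the whole block
    stays free for use behind or on the firewall.
    """
    kind = classify_wan(block, gateway, gateway_prefix)
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_address(gateway)
    hosts: List[ipaddress.IPv4Address] = [h for h in net.hosts() if h != gw]
    if kind == "routed":
        return {"kind": kind, "interface": None, "extra_addresses": [str(h) for h in hosts]}
    mask = gateway_prefix if kind == "on_link_larger_subnet" else net.prefixlen
    primary, extras = hosts[0], hosts[1:]
    return {"kind": kind, "interface": f"{primary}/{mask}", "extra_addresses": [str(h) for h in extras]}


def failover_ip_budget(available: int, shared_vips: int, nodes: int = 2) -> Dict[str, int]:
    """Count addresses a CARP pair needs: one real address per node plus each shared VIP.

    A negative 'spare' means the block is too small for that layout.
    """
    needed = nodes + shared_vips
    return {"needed": needed, "spare": available - needed}


if __name__ == "__main__":
    print(classify_wan(CUSTOMER_BLOCK, PROVIDER_GATEWAY, PROVIDER_PREFIX))
    print(wan_interface_plan(CUSTOMER_BLOCK, PROVIDER_GATEWAY, PROVIDER_PREFIX))
    # Five usable addresses, one shared WAN VIP: three consumed, two left over.
    print(failover_ip_budget(available=5, shared_vips=1))
```

With the sample values the block is classified as on-link inside a larger subnet rather than routed, and a two-node pair with a single shared WAN VIP uses three of five addresses, leaving two, which is the same count the second post arrives at by hand. Each extra shared VIP added to the pair reduces the spare count by one.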

