Carp IP on a /30 public ip: there must be a way to do it



  • Hello,
    My ISP gives me a /30 (so only one public IP usable) that I have on my WAN Ethernet.

    I need to do active/passive with carp. It is obvious that I cannot do it on wan I cannot do it at all.

    I have read some threads where someone says: tell your ISP to give you a /29. I cannot. I repeat: I cannot.

    What can I try? Can the carp-ip be in a different subnet of the active/passive pfsense? Then how can I route?

    Please help me. Thanks in advance for any reply!

    Mario



  • I believe you answered your own question:

    Can the carp-ip be in a different subnet of the active/passive pfsense? Then how can I route?

    You cannot.

    My understanding of CARP/VIPs is that the IP addresses need to be in the same subnet so that they can take on the additional IP for that traffic. What you are looking for would be a layer-2 solution, where the ARP is proxied and moved supported by interfaces on both firewalls. In this case, pfSense does not do the job: CARP is fundamentally a layer-3 solution.

    Sorry, but the answer is you need more IP addresses in your routable space. In other words, /29 is the minimum required for CARP.

    Sorry!



  • @banstyle:

    In other words, /29 is the minimum required for CARP.

    Correct. It's just like other routing redundancy protocols, HSRP and VRRP are no different.


  • Rebel Alliance Developer Netgate

    In the future, perhaps 2.2, when we have to deal with the new carp in FreeBSD 9.x this should be possible.

    http://people.freebsd.org/~glebius/newcarp/README



  • @jimp:

    In the future, perhaps 2.2, when we have to deal with the new carp in FreeBSD 9.x this should be possible.

    http://people.freebsd.org/~glebius/newcarp/README

    ahh, damn. i hoped this feature will be available with 2.1

    i got a VIP/CARP running with only one IP in the public network. in my case this is a /29 subnet, but only one ip address was not in use.
    this is a little "hack" / trick with one big disadvantage: your primary and secondary pfsense will not have direct internet access!

    the interface is configured as /28, not as /29
    just assign two ips out of the /28 network, which are not in the /29 network, to your physical adapters.
    the carp ip is the only free ip of the /29 subnet

    Client traffic is handled by an outbound nat rule over the CARP/VIP ip.
    but as said before, the pfsenses themselves have no internet access - because the two ips are not "allowed" in the subnet.

    perhaps my setup is only possible, because my pfsenses are not directly attached to the internet, there's another device handling the public /29 network traffic.

    btw: dns lookups are working on my pfsenses, because they use a dns server on the internal network. the internet requests of the dns server are handled by the outbound nat rule…
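
The address plan described in the post above, as an added example that is not part of the original post or of pfSense: `plan_carp` is a hypothetical helper, and the prefixes are constructed documentation ranges. It returns the classic same-subnet layout when three addresses are free, and otherwise the widened-mask layout, flagging that the node addresses are not routable.

```python
import ipaddress

def plan_carp(isp_prefix, free_ips):
    """Address plan for two CARP nodes sharing one VIP on isp_prefix."""
    net = ipaddress.ip_network(isp_prefix)
    free = sorted(ipaddress.ip_address(a) for a in free_ips)
    for a in free:
        if a not in net or a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{a} is not a usable host address in {net}")
    if not free:
        raise ValueError("no free address left for the CARP VIP")
    if len(free) >= 3:
        # Classic layout: the VIP and both node addresses are assigned,
        # routable hosts in the ISP prefix.
        return {"mode": "classic", "interface_net": net, "vip": free[0],
                "nodes": free[1:3], "nodes_routable": True}
    # Widened-mask layout from the post: configure the interface one bit
    # wider and take the node addresses from the half of that wider subnet
    # that lies outside the ISP prefix. Those addresses are not assigned to
    # you, so the nodes themselves cannot originate Internet traffic; only
    # the VIP (used by the outbound NAT rule) is routable.
    wide = net.supernet()
    outside = [h for h in wide.hosts() if h not in net]
    return {"mode": "widened-mask", "interface_net": wide, "vip": free[0],
            "nodes": outside[:2], "nodes_routable": False}

if __name__ == "__main__":
    # Constructed inputs: a /29 with one free address (the poster's case)
    # and a /30 whose single usable address is free (the thread's question).
    for prefix, free in [("203.0.113.8/29", ["203.0.113.14"]),
                         ("203.0.113.8/30", ["203.0.113.10"])]:
        plan = plan_carp(prefix, free)
        print(prefix, "->", plan["mode"], "interface", plan["interface_net"],
              "vip", plan["vip"], "nodes", [str(n) for n in plan["nodes"]])
```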



  • Set your interfaces and CARP up on internal addresses… then NAT the internal CARP vip to your public /30 address. Might take some tweaking but should be a workable solution.

