    Carp IP on a /30 public ip: there must be a way to do it

mgiammarco

      Hello,
My ISP gives me a /30 (so only one public IP is usable) that I have on my WAN Ethernet.

I need to do active/passive with CARP. It is obvious that if I cannot do it on WAN, I cannot do it at all.

I have read some threads where someone says: tell your ISP to give you a /29. I cannot. I repeat: I cannot.

What can I try? Can the CARP IP be in a different subnet from the active/passive pfSense? Then how can I route?

      Please help me. Thanks in advance for any reply!

      Mario

banstyle

        I believe you answered your own question:

        Can the carp-ip be in a different subnet of the active/passive pfsense? Then how can I route?

        You cannot.

My understanding of CARP/VIPs is that the IP addresses need to be in the same subnet so that they can take on the additional IP for that traffic. What you are looking for would be a layer-2 solution, where the ARP is proxied and moved, supported by interfaces on both firewalls. In this case, pfSense does not do the job; CARP is fundamentally a layer-3 solution.

Sorry, but the answer is that you need more IP addresses in your routable space. In other words, a /29 is the minimum required for CARP.

        Sorry!

cmb

          @banstyle:

In other words, a /29 is the minimum required for CARP.

Correct. It's just like other routing redundancy protocols; HSRP and VRRP are no different.

jimp (Rebel Alliance Developer, Netgate)

In the future, perhaps 2.2, when we have to deal with the new CARP in FreeBSD 9.x, this should be possible.

            http://people.freebsd.org/~glebius/newcarp/README

DaS

              @jimp:

In the future, perhaps 2.2, when we have to deal with the new CARP in FreeBSD 9.x, this should be possible.

              http://people.freebsd.org/~glebius/newcarp/README

Ahh, damn. I hoped this feature would be available with 2.1.

I got a VIP/CARP running with only one IP in the public network. In my case this is a /29 subnet, but only one IP address was not in use.
This is a little "hack" / trick with one big disadvantage: your primary and secondary pfSense will not have direct internet access!

The interface is configured as /28, not as /29.
Just assign two IPs out of the /28 network, which are not in the /29 network, to your physical adapters.
The CARP IP is the only free IP of the /29 subnet.

Client traffic is handled by an outbound NAT rule over the CARP/VIP IP.
But as said before, the pfSenses themselves have no internet access, because the two IPs are not "allowed" in the subnet.

Perhaps my setup is only possible because my pfSenses are not directly attached to the internet; there's another device handling the public /29 network traffic.

BTW: DNS lookups are working on my pfSenses, because they use a DNS server on the internal network. The internet requests of the DNS server are handled by the outbound NAT rule…

carlsian
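As an added example (not code from any poster or from the pfSense project), a small Python helper that lays out the addresses for the trick DaS describes: the WAN interface is configured with a larger enclosing subnet, the two node addresses are taken from the part of it that lies outside the block the ISP actually routes, and the one free address of the routed block becomes the CARP VIP. It generalises to any block size, including the original poster's /30; the sample addresses are constructed from the 203.0.113.0/24 documentation range.

```python
# Added example: address-plan calculator for the "wider interface subnet" CARP trick.
# Standard library only; all addresses below are constructed samples.
import ipaddress


def plan_carp_addresses(isp_block: str, free_ip: str, interface_prefix: int) -> dict:
    """Lay out VIP and node addresses for the oversized-interface-subnet trick.

    isp_block        -- the block the upstream actually routes to you (e.g. "203.0.113.8/29")
    free_ip          -- the single unused address in that block; it becomes the CARP VIP
    interface_prefix -- the shorter prefix configured on the WAN interface (e.g. 28)
    Returns a dict describing the plan, or raises ValueError if the constraints cannot be met.
    """
    isp = ipaddress.ip_network(isp_block, strict=True)
    vip = ipaddress.ip_address(free_ip)
    if vip not in isp or vip in (isp.network_address, isp.broadcast_address):
        raise ValueError(f"{vip} is not a usable host address in {isp}")
    if interface_prefix >= isp.prefixlen:
        raise ValueError("interface prefix must be shorter (a larger subnet) than the ISP block")

    # The interface is configured with the enclosing, larger subnet ...
    iface = isp.supernet(new_prefix=interface_prefix)
    # ... and the two physical node addresses come from the part of it that lies
    # OUTSIDE the routed ISP block. Nothing upstream routes to those addresses,
    # which is exactly why the nodes themselves have no direct internet access
    # and all client traffic must leave through outbound NAT on the VIP.
    outside = [h for h in iface.hosts() if h not in isp]
    if len(outside) < 2:
        raise ValueError("interface subnet has fewer than two host addresses outside the ISP block")
    node_a, node_b = outside[0], outside[1]

    return {
        "interface_subnet": str(iface),
        "carp_vip": str(vip),
        "node_a": str(node_a),
        "node_b": str(node_b),
        # Only addresses inside the routed block are reachable from the internet.
        "node_direct_internet": node_a in isp and node_b in isp,
    }


if __name__ == "__main__":
    # DaS's case: a /29 with one free address, interface widened to a /28.
    print(plan_carp_addresses("203.0.113.8/29", "203.0.113.14", 28))
    # The original poster's case: a /30 with one usable address, interface widened to a /29.
    print(plan_carp_addresses("203.0.113.4/30", "203.0.113.6", 29))
```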

Set your interfaces and CARP up on internal addresses… then NAT the internal CARP VIP to your public /30 address. Might take some tweaking but should be a workable solution.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.