Carp IP on a /30 public ip: there must be a way to do it

HA/CARP/VIPs
Log in to reply
  • M

    Hello,
    My isp give me a /30 (so only one public ip usable) that I have on my wan ethernet.

    I need to do active/passive with carp. It is obvious that I cannot do it on wan I cannot do it at all.

    I have read some threads there someone says: tell your isp to give you /29. I cannot. I repeat: I cannot.

    What can I try? Can the carp-ip be in a different subnet of the active/passive pfsense? Then how can I route?

    Please help me. Thanks in advance for any reply!

    Mario

    0
  • B

    I believe you answered your own question:

    Can the carp-ip be in a different subnet of the active/passive pfsense? Then how can I route?

    You cannot.

    My understanding of CARP/VIPs is that the IP addresses need to be in the same subnet so that they can take on the additional IP for that traffic. What you are looking for would be a layer-2 solution, where the ARP is proxied and moved supported by interfaces on both firewalls. In this case, pfSense does not do the job- CARP is fundamentally a layer-3 solution.

    Sorry, but the answer is you need more IP addresses in your routable space. In other words, /29 is the minimum required for CARP.

    Sorry!

    0
  • C

    @banstyle:

    In other words, /29 is the minimum required for CARP.

    Correct. It's just like other routing redundancy protocols, HSRP and VRRP are no different.

    0
  • jimp
    Rebel Alliance Developer Netgate

    In the future, perhaps 2.2, when we have to deal with the new carp in FreeBSD 9.x this should be possible.

    http://people.freebsd.org/~glebius/newcarp/README

    0
  • D

    @jimp:

    In the future, perhaps 2.2, when we have to deal with the new carp in FreeBSD 9.x this should be possible.

    http://people.freebsd.org/~glebius/newcarp/README

    ahh, damn. i hoped this feature will be available with 2.1

    i got a VIP/CARP running with only one IP in the public network. in my case this is a /29 subnet, but only one ip address was not in use.
    this is a little "hack" / trick with one big disadvantage: your primary and secondary pfsense will not have direct internet access!

    the interface is configured as /28, not as /29
    just assign two ips out of the /28 network, which are not in the /29 network, to your physical adapters.
    the carp ip is the only free ip of the /29 subnet

    Client trafficis handled by a outbound nat rule over the CARP/VIP ip.
    but as said before, the pfsense's itself have no internet access - because the two ips are not "allowed" in the subnet.

    perhaps my setup is only possible, because my pfsenses are not directly attached to the internet, there's another device handling the public /29 network traffic.

    btw: dns lookups are working on my pfsenses, because they use a dns server on the internal network. the internet request of the dns server are handled by the outbound nat rule…

    0
  • C

    Set your interfaces and CARP up on internal addresses… then NAT the internal CARP vip to your public /30 address. Might take some tweaking but should be a workable solution.

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy