PfSense CARP Questions; Active/Passive, Bridge Mode/NAT

  • Just trying to get an understanding of how this works better so I can choose the correct design

    1 have 2 parts to my queries here;


    With the use of CARP is it possible to to use more than 2 servers sharing the same VIP (lets say for this example 3 servers)

    So as CARP requires a public IP address on each WAN interface assuming you had enough (say /29 for 6 pub IP's) this would be possible?

    Does it work in a Active/Passive/Passive arrangement


    pfSense-1 Active
    pfsense-2 Passive
    pfSense-3 Passive

    if pfSense-1 fails, pfSense-2 kicks in, and if both 1 and 2 fail, 3 kicks in

    is there any way to Load Balance multiple servers in an Active/Active configuration with the use of CARP, even if 2 are Active and one Passive


    Let's say I had 4 ADSL connections, all plugged into a single switch (I have attached the pic)

    each one of these would require a /29 to provide enough additional IP Addresses for the pfSense boxes?

    Each ADSL would need a seperate interface on each pfSense box? eg ADSL-1, ADSL-2, etc?

    Do I then disable NAT on the ADSL, and for each interface on pfSense box assign a public IP, eg

    ADSL-1 on pfSense-1 might be 203.X.X.11, ADSL-1 on pfSense-2 might be 203.X.X.12 and so on

    ADSL-2 on pfSense-1 might be 199.X.X.11, ADSL-2 on pfSense-3 might be 199.X.X.12 and so on


    Is there a way to put a modem in Bridge mode, and share between multiple pfSense by setting PPPOE on each box?


    Using NAT, can the pfSense machines have local IP ranges eg,2, etc and the ADSL use the public IP

    ![pfSense CARP ADSL x4.jpg](/public/imported_attachments/1/pfSense CARP ADSL x4.jpg)
    ![pfSense CARP ADSL x4.jpg_thumb](/public/imported_attachments/1/pfSense CARP ADSL x4.jpg_thumb)

  • Don't you think that two pfsense could be enouth?

    AFAIK, on sync options you can only configure on server for rules/states replication/synchronization.

  • You can do 3 like you describe but it's generally a waste, you're extremely unlikely to lose two pieces of hardware at the same time. I've worked on easily into hundreds of HA installs, have never seen one that uses 3 boxes, and never seen a failure of a primary where the secondary also failed.

  • Thanks,

    It was just a thought.

    so can you do Active/Active ? how does pfSense scale for thousands of users, does one machine cut it?

  • It will always depend on your hardware.

  • no active/active. In general we scale as well as any firewall (all of which have their limits where you get into territory you can no longer filter, at millions of pps). Users is irrelevant, pps is all that matters with firewalls. Most multi-thousand user networks are fine.

  • Cheers makes sense, solves my question 1.

    In regards to my Question 2,

    which way is the preferred option?

Log in to reply