Netgate Discussion Forum

CARP with a single public IP?

HA/CARP/VIPs
    hot_rene
    last edited by Sep 10, 2007, 10:19 AM

    Hello,
    I am very new to pfSense. I need to make a redundant firewall, and what I have read till now is that I need a public IP for every CARP cluster.
    The problem is that I have only one public IP available. Can anyone help me and give me a hint how I can make my CARP system with only one public IP?
    I do appreciate your help.
    Thanks in advance.

      GruensFroeschli
      last edited by Sep 10, 2007, 2:59 PM

      not possible with only one IP

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        dotdash
        last edited by Sep 10, 2007, 3:19 PM

        You can do this with CARPDEV under OpenBSD. This functionality has not been ported to FreeBSD, and so is not available in pfSense.

          hot_rene
          last edited by Sep 10, 2007, 3:35 PM

          thanks a lot for the help guys :)

            hot_rene
            last edited by Sep 12, 2007, 11:35 AM

            And one more question: do I need 2 or 3 public IPs?

              morbus
              last edited by Sep 12, 2007, 12:27 PM

              3: one for each real box and the CARP VIP that they share,
              i.e. 1.2.3.1 -> pf1
                   1.2.3.2 -> pf2
                   1.2.3.3 -> CARP

                hot_rene
                last edited by Sep 20, 2007, 10:37 AM

                :o oo thanks a lot for the info.
                And when I configure my pfSense fws, what vhid should I use for all interfaces then in the case, including the CARP interface with a public VIP?
                ???

                  morbus
                  last edited by Sep 20, 2007, 10:55 AM

                  Use a different vhid for each CARP VIP

                    Itwerx
                    last edited by Dec 11, 2007, 7:59 PM

                    At risk of hijacking the thread.

                    Does anyone know the full technical rationale behind this limitation?
                    Seems to me any set of IPs in the same subnet should logically be usable for CARP.  Is it simply because CARP was not originally intended for this sort of thing and whoever made the original design decision just didn't consider that it might be used in a scenario outside of the private network…?

                    (Or am I just missing some fundamental aspect of CARP functionality that makes this requirement logical and appropriate?  :)

                      sullrich
                      last edited by Dec 11, 2007, 8:07 PM

                      CARP is multicast.  Unless your ISP is blocking this traffic you could be stepping on an upstream VRRP host or even another CARP host.

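The addressing rules from the replies above (one address per firewall plus the shared VIP, a different vhid for each CARP VIP, and no vhid that another CARP or VRRP host on the segment already uses) can be checked before deployment. This is an added example, not part of any forum post and not pfSense code; `check_carp_plan`, `THREAD_PLAN`, the `/29` subnet and the operator-supplied `seen_vhids` list are hypothetical, and the check that the VIP sits in the same subnet as the firewalls' own addresses is an assumption of this example.

```python
import ipaddress

# Constructed sample: the three addresses from the thread; the /29 is assumed.
THREAD_PLAN = {
    "subnet": "1.2.3.0/29",
    "node_ips": {"pf1": "1.2.3.1", "pf2": "1.2.3.2"},
    "vips": [(1, "1.2.3.3")],
}

def check_carp_plan(subnet, node_ips, vips, seen_vhids=()):
    """Return a list of problems found in a planned CARP layout.

    subnet     -- CIDR of the shared segment
    node_ips   -- {hostname: address} of each firewall's own interface
    vips       -- list of (vhid, address) CARP virtual IPs on that segment
    seen_vhids -- vhids/VRIDs already used by other hosts on the segment
    """
    net = ipaddress.ip_network(subnet)
    nodes = {name: ipaddress.ip_address(a) for name, a in node_ips.items()}
    problems = []
    if len(set(nodes.values())) != len(nodes):
        problems.append("each firewall needs its own interface address")
    for name, addr in nodes.items():
        if addr not in net:
            problems.append(f"{name} address {addr} is outside {net}")
    used = {}
    for vhid, raw in vips:
        vip = ipaddress.ip_address(raw)
        if not 1 <= vhid <= 255:  # the vhid is a single byte, 0 is not valid
            problems.append(f"vhid {vhid} is outside 1-255")
        if vip not in net:  # assumption: VIP shares the interface subnet
            problems.append(f"VIP {vip} is outside {net}")
        if vip in nodes.values():
            problems.append(f"VIP {vip} reuses a firewall's own address")
        if vhid in used:
            problems.append(f"vhid {vhid} is used by both {used[vhid]} and {vip}")
        used.setdefault(vhid, vip)
        if vhid in seen_vhids:
            problems.append(f"vhid {vhid} is already in use on this segment")
    return problems

if __name__ == "__main__":
    print(check_carp_plan(**THREAD_PLAN))
```
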
                        Itwerx
                        last edited by Dec 12, 2007, 7:25 AM

                        …any set of IPs in the same subnet...
                        @sullrich:

                        CARP is multicast.  Unless your ISP is blocking this traffic you could be stepping on an upstream VRRP host or even another CARP host.

                        On re-reading I really didn't say that very well!  :/
                          What I meant was any set of IPs that were on their own subnet, but separate from the existing public IP.  E.g. the public IP could be 1.2.3.4 but the CARP stuff could all take place on 10.1.1.1, 10.1.1.2 and 10.1.1.3 which the ISP shouldn't care about. 
                          Since the CARP functionality is intended to detect and recover from hardware failures it really shouldn't matter what IPs it's using behind the scenes, right? 
                          (And upon some research it looks like this capability is actually being added to CARP right now - would be very nice to have in pfSense!  :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.