CARP with a single public IP?
-
Hello,
I am very new to pfSense. I need to make a redundant firewall, and what I have read till now is that I need a public IP for every CARP cluster.
The problem is that I have only one public IP available. Can anyone help me and give me a hint how I can make my CARP system with only one public IP?
I do appreciate your help.
Thanks in advance. -
Not possible with only one IP.
-
You can do this with CARPDEV under OpenBSD. This functionality has not been ported to FreeBSD, and so is not available in pfSense.
-
Thanks a lot for the help, guys :)
-
And one more question: do I need 2 or 3 public IPs?
-
3: one for each real box, plus the CARP VIP that they share.
i.e. 1.2.3.1 -> pf1
1.2.3.2 -> pf2
1.2.3.3 -> CARP -
:o oo thanks a lot for the info.
And when I configure my pfSense FWs, what VHID should I use for all the interfaces then, in that case, including the CARP interface with a public VIP?
??? -
Use a different VHID for each CARP VIP.
-
At the risk of hijacking the thread:
Does anyone know the full technical rationale behind this limitation?
It seems to me any set of IPs in the same subnet should logically be usable for CARP. Is it simply because CARP was not originally intended for this sort of thing, and whoever made the original design decision just didn't consider that it might be used in a scenario outside of the private network? (Or am I just missing some fundamental aspect of CARP functionality that makes this requirement logical and appropriate? :)
-
CARP is multicast. Unless your ISP is blocking this traffic you could be stepping on an upstream VRRP host or even another CARP host.
-
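The two points made above (one VHID per CARP VIP, and CARP advertisements being multicast that can collide with another CARP cluster or an upstream VRRP router) can be checked on the wire. The following is an added example, not code from the thread or from pfSense: it decodes CARP advertisements (IP protocol 112, destination 224.0.0.18, the same protocol number and group VRRP uses), verifies each one with the cluster password, and reports every VHID of ours that a sender we cannot authenticate is also claiming. The header layout and the HMAC input (version, type, VHID, sorted IPv4 VIPs, counter; pass phrase truncated to 20 bytes) are my reading of FreeBSD's ip_carp.c and should be checked against your kernel's source; the sample packets, addresses and password are constructed for the example.

```python
"""CARP advertisement decoder and VHID-conflict auditor (added example)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
# carp_header: vers/type, vhid, advskew, authlen, demote, advbase, cksum,
# counter[2], hmac[20] = 36 bytes (assumption: taken from FreeBSD's ip_carp.h).
CARP_HDR = struct.Struct("!BBBBBBHII20s")


@dataclass
class CarpAd:
    src: str
    vhid: int
    advskew: int
    advbase: int
    counter: int
    hmac_ok: bool


def carp_hmac(password: str, vhid: int, vips: Iterable[str], counter_wire: bytes) -> bytes:
    """HMAC-SHA1 over version || type || vhid || sorted IPv4 VIPs || counter.
    carp(4) keeps only the first 20 bytes of the pass phrase as the key
    (assumption: layout of carp_hmac_prepare()/carp_hmac_generate())."""
    key = password.encode()[:20]
    msg = bytes([CARP_VERSION, CARP_ADVERTISEMENT, vhid & 0xFF])
    for ip in sorted(ipaddress.IPv4Address(v) for v in vips):
        msg += ip.packed
    return hmac.new(key, msg + counter_wire, hashlib.sha1).digest()


def build_carp_ad(password, vhid, advskew, vips, counter, advbase=1) -> bytes:
    """Protocol-112 payload of one advertisement; used here to construct
    sample traffic (the Internet checksum field is left at zero)."""
    hi, lo = (counter >> 32) & 0xFFFFFFFF, counter & 0xFFFFFFFF
    md = carp_hmac(password, vhid, vips, struct.pack("!II", hi, lo))
    vt = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    return CARP_HDR.pack(vt, vhid, advskew, 7, 0, advbase, 0, hi, lo, md)


def parse_carp_ad(src, payload, password, vips) -> Optional[CarpAd]:
    """Decode one payload, or None if it does not look like a CARP advertisement.
    A VRRPv2 advertisement with exactly five addresses is also 36 bytes and
    starts with 0x21; it would land here, fail the HMAC and still be flagged."""
    if len(payload) != CARP_HDR.size:
        return None
    vt, vhid, advskew, _alen, _demote, advbase, _ck, hi, lo, md = CARP_HDR.unpack(payload)
    if vt >> 4 != CARP_VERSION or vt & 0x0F != CARP_ADVERTISEMENT:
        return None
    expected = carp_hmac(password, vhid, vips, payload[8:16])
    return CarpAd(src, vhid, advskew, advbase, (hi << 32) | lo,
                  hmac.compare_digest(md, expected))


def preferred_master(ads: List[CarpAd]) -> Optional[str]:
    """CARP prefers the node that advertises most often, i.e. the smallest
    (advbase, advskew); on an exact tie the first one seen is kept here."""
    return min(ads, key=lambda a: (a.advbase, a.advskew)).src if ads else None


def audit(packets, password, our_vips: Dict[int, List[str]]):
    """Group protocol-112 advertisements by VHID (byte 1 in both CARP and
    VRRPv2) and flag each VHID of ours that an unauthenticated sender claims."""
    report: Dict[int, dict] = {}
    for src, payload in packets:
        if len(payload) < 2:
            continue
        vhid = payload[1]
        ad = parse_carp_ad(src, payload, password, our_vips.get(vhid, []))
        kind = "non-carp" if ad is None else ("ours" if ad.hmac_ok else "foreign-carp")
        entry = report.setdefault(vhid, {"senders": [], "ours": []})
        entry["senders"].append((src, kind))
        if kind == "ours":
            entry["ours"].append(ad)
    for vhid, entry in report.items():
        entry["conflict"] = vhid in our_vips and any(k != "ours" for _, k in entry["senders"])
        entry["master"] = preferred_master(entry["ours"])
    return report


def duplicate_vhids(vips: Iterable[Tuple[str, str, int]]) -> Dict[int, List[str]]:
    """VHIDs handed to more than one VIP in a config of (iface, address, vhid)."""
    seen: Dict[int, List[str]] = {}
    for _iface, addr, vhid in vips:
        seen.setdefault(vhid, []).append(addr)
    return {v: a for v, a in seen.items() if len(a) > 1}


# Constructed sample traffic using the thread's 1.2.3.x addressing.
PASSWORD = "carp-secret"
OUR_VIPS = {1: ["1.2.3.3"], 2: ["192.168.1.1"]}
VRRP_AD = (b"\x21\x01\x64\x01\x00\x01\x00\x00"  # VRRPv2 advert, VRID 1, prio 100, 1 address
           + ipaddress.IPv4Address("1.2.3.254").packed + b"\x00" * 8)
SAMPLE_PACKETS = [
    ("1.2.3.1", build_carp_ad(PASSWORD, 1, 0, OUR_VIPS[1], 1000)),        # pf1, master
    ("1.2.3.2", build_carp_ad(PASSWORD, 1, 100, OUR_VIPS[1], 1000)),      # pf2, backup
    ("1.2.3.250", build_carp_ad("other-cluster", 1, 0, ["1.2.3.3"], 7)),  # neighbour's CARP, same VHID
    ("1.2.3.254", VRRP_AD),                                               # upstream VRRP, VRID 1
    ("192.168.1.2", build_carp_ad(PASSWORD, 2, 0, OUR_VIPS[2], 1000)),    # LAN VHID, ours only
]

if __name__ == "__main__":
    for vhid, e in audit(SAMPLE_PACKETS, PASSWORD, OUR_VIPS).items():
        print(f"vhid {vhid}: master={e['master']} conflict={e['conflict']} senders={e['senders']}")
    print("reused vhids:", duplicate_vhids([("wan", "1.2.3.3", 1), ("lan", "192.168.1.1", 1)]))
```

Fed real traffic (for example the payloads of `tcpdump -ni em0 proto 112` on the WAN segment), the report shows which VHIDs have advertisements you did not sign: a VRRP router or a neighbouring CARP cluster on the same VHID will show up as `non-carp` or `foreign-carp` and the VHID is marked as a conflict, which is the "stepping on" case described above. Picking a VHID nobody else on the segment uses, and a distinct one per VIP, is what makes the audit come back clean.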
…any set of IPs in the same subnet…
@sullrich: CARP is multicast. Unless your ISP is blocking this traffic you could be stepping on an upstream VRRP host or even another CARP host.
On re-reading, I really didn't say that very well! :/
What I meant was any set of IPs that were on their own subnet, but separate from the existing public IP. E.g. the public IP could be 1.2.3.4, but the CARP stuff could all take place on 10.1.1.1, 10.1.1.2 and 10.1.1.3, which the ISP shouldn't care about.
Since the CARP functionality is intended to detect and recover from hardware failures it really shouldn't matter what IPs it's using behind the scenes, right?
(And upon some research it looks like this capability is actually being added to CARP right now - would be very nice to have in pfSense! :)