CARP and /30 with routed subnet behind

  • I think I know the answer to this, but I figured I'd run it past you all for confirmation…

    I'm adding a second ISP to my pfSense configuration, which is currently 2 pfSense boxes running CARP behind a Comcast connection, where my entire /28 is provided on the WAN side. As is usual with CARP the pfSense boxes are using 3 IPs from that /28, 1 per box and 1 for CARP.

    This second ISP provides me a /30 for the WAN and then a /27 LAN that is routed through that WAN (often known as a RealIP configuration). As I'm using CARP I need at least 3 IPs on the WAN side, so it looks like a /30 isn't going to cut it there. As near as I can tell I really have 2 options:

    • Ask my provider for a /29 instead of a /30 on the WAN side and then create the /27 on a second DMZ interface.

    • Add a small box in front of pfSense that handles the WAN subnet and then provides the LAN subnet to pfSense's WAN side, similar to how my /28 with Comcast currently works (all of the Comcast /28 addresses are on the WAN side)

    I was thinking I might be able to use both pfSense boxes on the WAN side by making a rogue /29 that includes my /30 and assigning the pfSense boxes 2 IPs on non-/30 side of that /29. What I mean is the real /30 would include 2 addresses, my ISP gateway and the CARP IP of my WAN, and then I'd just use 2 other IPs in the larger /29 that would be pfSense. This would prevent each pfSense box from going outbound from its interface IPs directly but I could try do so some fancy NAT work to make all outbound traffic originating from each pfSense box to go out via the CARP IP. Thinking that through, it seems that would prevent the inactive pfSense box from talking to the internet at all, preventing stuff like NTP and other services from working correctly.

    So it seems my two above options of increasing my WAN subnet or adding an intermediary router are really the only options here. Thoughts?

  • Yeah, you either have to add an intermediate router or have the provider adjust. Perhaps they could route the /27 directly without the /30 transit network.

Log in to reply