Question about Carp with multiple external IPs



  • Hi everyone, a forum noobie here, but I have used pfSense for the past 6 years or so, but never with Carp.

    I have been tasked with setting up a failover scenario with two boxes using Carp, but I'm unsure how I assign external IP addresses for inbound services.

    I have attached a diagram, but essentially we want to do as follows:

    
    x.x.x.41/29 ext virtual IP.
    x.x.x.42/29 inbound HTTP
    x.x.x.43/29 inbound SMTP #1 
    x.x.x.44/29 inbound SMTP #2
    
    

    My question is:

    I know I need three external IPs - one for each firewall external interface, and one for the virtual IP.

    However, do I also need a second external IP for every inbound service, and assign a virtual IP for the inbound services, in the same way I would assign a virtual IP for the 'primary' interface?

    I have searched the forums to no avail - and perhaps I'm using the wrong search terms, or I am just completely misunderstanding the documentation.  :-[

    Any help would be appreciated.

    Many thanks in advance.




  • You just need one IP for each firewall exclusively. This one can't be used for the services.
    However, if you have further subnets you also need further IPs for the interfaces. But from your map I guess you have just a single WAN subnet.

    You have to assign the IPs to the firewall interfaces, then you can add a CARP IP. The CARP IP may be used for services, because it's available on both firewalls.
    The additional IPs are to be assigned as "IP Alias" hooked on the CARP IP as the interface. You could also add additional CARP IPs, however that's not required.
    Remember that the additional IPs must be added after their CARP. I.e. it won't work if you edit an IP Alias made earlier in single-firewall mode. A trap I fell into.



  • @TonyAR:

    I know I need three external IPs - one for each firewall external interface, and one for the virtual IP.

    However, do I also need a second external IP for every inbound service, and assign a virtual IP for the inbound services, in the same way I would assign a virtual IP for the 'primary' interface?

    You need one (non-shared) for each firewall and one or more shared CARP VIPs.
    Generally, with a /29, the provider takes one, so you only have five to assign. Using your example of x.x.x.40/29 you would have something like:
    x.x.x.41=provider equipment(default gw for pfSense)
    x.x.x.42=Primary Firewall
    x.x.x.43=Secondary Firewall
    x.x.x.44=CARP VIP http
    x.x.x.45=CARP VIP smtp1
    x.x.x.46=CARP VIP smtp2

    You could use port forwards and share one VIP for http and smtp.
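    A small sanity check for the /29 plan laid out above, added here as an example and not part of the thread. It assumes the documentation range 192.0.2.40/29 in place of x.x.x.40/29 and checks that every address sits inside the WAN subnet, is not the network or broadcast address, that each firewall keeps its own non-shared address, and that no CARP VIP collides with a firewall's own address.

```python
import ipaddress

# Constructed addressing plan following the reply above; 192.0.2.40/29
# (documentation range) stands in for the thread's x.x.x.40/29.
WAN_SUBNET = "192.0.2.40/29"
PLAN = {
    "gateway":    "192.0.2.41",  # provider equipment, default gateway
    "fw1":        "192.0.2.42",  # primary firewall, non-shared
    "fw2":        "192.0.2.43",  # secondary firewall, non-shared
    "carp_http":  "192.0.2.44",  # shared CARP VIP
    "carp_smtp1": "192.0.2.45",  # shared CARP VIP
    "carp_smtp2": "192.0.2.46",  # shared CARP VIP
}


def check_plan(subnet, plan):
    """Return a list of problems with a CARP addressing plan (empty = ok)."""
    net = ipaddress.ip_network(subnet, strict=True)
    problems = []
    seen = {}
    for role, addr in plan.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{role}: {addr} is outside {subnet}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{role}: {addr} is the network or broadcast address")
        if ip in seen:
            # A VIP reusing a firewall's own address would never fail over cleanly.
            problems.append(f"{role}: {addr} already used by {seen[ip]}")
        seen[ip] = role
    # Each firewall needs its own non-shared address, plus at least one shared VIP.
    for fw in ("fw1", "fw2"):
        if fw not in plan:
            problems.append(f"missing non-shared address for {fw}")
    if not any(role.startswith("carp_") for role in plan):
        problems.append("no shared CARP VIP defined")
    return problems


def usable_count(subnet):
    """Host addresses in the subnet minus the one the provider's gateway takes."""
    return ipaddress.ip_network(subnet).num_addresses - 2 - 1


if __name__ == "__main__":
    print("usable addresses:", usable_count(WAN_SUBNET))
    print("problems:", check_plan(WAN_SUBNET, PLAN) or "none")
```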



  • Thanks for the replies.

    I have installed both firewalls now, and as I went through the configuration process, it all became clear.

    Thanks again. :)

