What is CARP

  • I've read that CARP can be used as a load balancer or as a failover if your primary WAN fails.

    If you use it as a failover, do you require another pfsense firewall in your building, or can you configure it on the same piece of hardware so it just uses the other configured WAN NIC2 instead of the default WAN NIC1?

    If you use it as a load balancer, what are the advantages of this?

  • We use the CARP mode of pfsense in order to have an automatic failover for the pfsense system itself. So, if our (master) pfsense hardware fails, the OTHER (backup) pfsense will take over all the services. And this works very well. It needs 2-5 seconds to switch over.

    All settings you make on the master GUI will be synced to the backup pfsense through one dedicated network interface called sync.

    So you need: two pfsense systems, and each of them should have one more network interface. You also need two more IP addresses for WAN (and of course also for LAN).
    You get: much better sleep.

    If you use CARP for load balancing, you can have two identical servers with your shop, and incoming requests will be distributed between these two servers.

    CARP is a protocol and stands for "Common Address Redundancy Protocol".

    Hope it helps.

  • So I presume you need 3 WAN IP addresses from your ISP: 2 for the physical boxes (WAN) and one for the virtual WAN IP?

  • Correct!

  • Thank you very much, dark.fibre!

    I found a really good how-to about it as well -


  • You can use a single WAN IP with CARP if you expand your WAN subnet mask (nasty trick ;-) ). Tested with pfsense 2.1.4.


    IP /30 ISP Router /30 Your Router

    Pfsense config:
    /30 ISP Router (your ISP doesn't change the router mask)
    /29 CARP IP
    Don't use this broadcast IP
    /29 Pfsense 1 - WAN Interface (also set upstream gateway in the WAN interface)
    /29 Pfsense 2 - WAN Interface (also set upstream gateway in the WAN interface)

    Now you must add a static ARP entry for the ISP router under Service -> DHCP Server -> Bottom (because ARP requests from .4 and .5 don't work).
    I have set up a manual outbound NAT rule for source: any any and NAT Address: CARP Interface.

    If Pfsense 1 is active, Pfsense 2 has no internet connection for DNS and NTP.
    Set up pfsense 2 with this DNS:
    1. (internal pfsync interface for pfsync 1)
    Set up pfsense 2 with this NTP:
    1. (internal pfsync interface for pfsync 1)
    2. external NTP Server IP

    I don't use the arping tricks from other threads. I don't use gateway groups. Gateway Monitoring is active, with no special "monitor ip".
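
The address plan from the last post, as an added example (not code from the thread or from pfsense): the ISP router keeps its /30, pfsense uses the enclosing /29, the CARP VIP takes the free /30 host address, and the node WAN addresses sit outside the /30. The 192.0.2.x addresses are constructed documentation values, and `classify` and `check` are hypothetical helper names.

```python
import ipaddress

def classify(isp_net, isp_router):
    """Label each host address of the widened subnet from the ISP router's view."""
    narrow = ipaddress.ip_network(isp_net)   # mask the ISP router keeps (/30)
    wide = narrow.supernet()                 # one bit wider, set on pfsense (/29)
    router = ipaddress.ip_address(isp_router)
    narrow_hosts = set(narrow.hosts())
    if router not in narrow_hosts:
        raise ValueError("ISP router must be a host address of " + isp_net)
    roles = {}
    for ip in wide.hosts():
        if ip == router:
            roles[str(ip)] = "isp-router"
        elif ip in narrow_hosts:
            roles[str(ip)] = "carp-vip"   # the one free address the router sees as on-link
        elif ip in narrow:
            roles[str(ip)] = "avoid"      # network/broadcast address of the /30
        else:
            roles[str(ip)] = "node-wan"   # outside the /30, hence the static ARP entry
    return wide, roles

def check(isp_net, isp_router, vip, nodes):
    """Return a list of problems with a proposed single-IP CARP address plan."""
    wide, roles = classify(isp_net, isp_router)
    problems = []
    if roles.get(vip) != "carp-vip":
        problems.append(f"{vip}: CARP VIP must be the free host address in {isp_net}")
    for node in nodes:
        if roles.get(node) != "node-wan":
            problems.append(f"{node}: node WAN must be in {wide} but outside {isp_net}")
    if len(set(nodes)) != len(nodes):
        problems.append("node WAN addresses must be distinct")
    return problems

if __name__ == "__main__":
    # Constructed documentation addresses (RFC 5737), not taken from the thread.
    wide, roles = classify("192.0.2.0/30", "192.0.2.1")
    for ip, role in roles.items():
        print(f"{ip}/{wide.prefixlen}  {role}")
    print(check("192.0.2.0/30", "192.0.2.1", "192.0.2.2", ["192.0.2.4", "192.0.2.5"]))
```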
