CARP with private WAN

  • Hello,

    I have a fairly straightforward CARP deployment with several public networks existing on the PF config, and a private address link between the PF boxes and the internet router.

    The internet router is not performing NAT; this is a dual Tier 1 WAN connection using BGP. I have an issue with how the traffic is sourced on the PF secondary node, and only for that node.

    For example, the secondary cannot get any update information, package installs, NTP updates, or any resources that are internet-based. I believe this is because of the NAT configuration and the way the routing over the private address link is set up.

    Is there any easy fix for this? Any idea how I can resolve this without creating publicly routed IPs on the WAN transit link?


  • Hi,

    the reason for an unreachable internet on the backup box is mostly a wrong CARP configuration.

    For CARP with two boxes, you need at least 3 IPs in each subnet configured on any interface: one for the master, one for the backup, and the third is the CARP IP.
    If that is set up this way and you have configured a default gateway, the internet should be reachable from both the master and the backup.


  • The CARP configuration is correct and works as designed. The issue is the private WAN link between the internet router and the CARP pair. The secondary needs to source its address as part of one of the public VLANs, which are owned by the master CARP box. This is causing some kind of forwarding/NAT problem.