CARP VIPs Multiple IPs

  • Hello, I'll try to explain our proposed setup, please bear with me. There's a question in here too…

    We currently use pfSense on a single machine. It has 2 WAN connections (1 x 50MB Ethernet leased line, and 1 x 10MB ADSL via a modem, used for minor services and failover). I want to replace this system with 2 new pfSense boxes, using CARP, and hopefully down the line experiment with ARP load balancing (but that's for another day).

    My first plan is to get CARP set up. So we have a public IP range (a.b.c.250-254 usable). On our existing system, the WAN interface is .250, though the remaining addresses also have services defined for different internal NATted hosts.

    I assume that the .250 address will become the VIP, and 2 of the other addresses (let's use 251 and 252) will become the WAN addresses for each firewall. My question here though is that with these addresses assigned to physical machines, will services that connect from outside to those addresses pass only through the relevant firewall? We have quite a few IPsec VPN tunnels which I'd like to fail over in the event of a firewall outage, but as I have to use different endpoint addresses for each tunnel, I'm concerned that I don't have enough IP capacity for what I'm trying to achieve.

  • You will need an IP for each physical box, so you are only going to have three IPs that will fail over.
    Let's say .249 is the gateway, 250 could be one firewall, 251 the second, leaving you with 252, 253, and 254.
    You might be able to share IPs using port forwards and have enough. You can terminate multiple IPsec tunnels on one CARP VIP.
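The allocation the reply describes (one real address per node, the rest as CARP VIPs, and port forwards stacked on a VIP as long as no two forwards share a protocol and external port) worked through as an added example. This is not code from the thread or from pfSense; it assumes the documentation range 203.0.113.248/29 in place of a.b.c.248/29, a WAN NIC called em0, VHIDs starting at 1, advskew 100 on the backup node, a placeholder CARP password, and a constructed list of internal services.

```python
"""Plan CARP VIPs and port forwards for a two-node pfSense cluster on one /29.

Added example, not from the original thread or from pfSense itself.  All
names below are illustrative assumptions: the 203.0.113.248/29 documentation
range stands in for a.b.c.248/29, em0 is the WAN NIC, VHIDs start at 1, the
backup node uses advskew 100, and the CARP password is a placeholder.
"""
import ipaddress
from collections import defaultdict


def plan_carp(prefix, gateway, node_count=2):
    """Split a public range into one real address per node plus CARP VIPs.

    Each node needs its own WAN address (CARP advertisements and the node's
    own traffic are sourced from it), so after the gateway and the physical
    addresses are taken, only the remainder can be shared VIPs that fail over.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    usable = [a for a in net.hosts() if a != gw]
    if len(usable) < node_count + 1:
        raise ValueError("range too small: one IP per node plus at least one VIP")
    return {
        "gateway": gw,
        "physical": usable[:node_count],
        "vips": usable[node_count:],
        "prefixlen": net.prefixlen,
    }


def carp_ifconfig(plan, wan_if="em0", first_vhid=1, password="changeme"):
    """Render FreeBSD-style ifconfig lines per node (illustrative syntax).

    The same vhid and password on both nodes form one CARP group for a VIP;
    the node with the lower advskew becomes MASTER.  pfSense configures this
    through its GUI / config.xml rather than from hand-written ifconfig lines.
    """
    lines = defaultdict(list)
    for node, addr in enumerate(plan["physical"]):
        name = f"node{node + 1}"
        advskew = node * 100            # node1 -> 0 (master), node2 -> 100 (backup)
        lines[name].append(f"ifconfig {wan_if} inet {addr}/{plan['prefixlen']}")
        for offset, vip in enumerate(plan["vips"]):
            vhid = first_vhid + offset  # one VHID per shared address
            lines[name].append(
                f"ifconfig {wan_if} vhid {vhid} advskew {advskew} "
                f"pass {password} alias {vip}/32"
            )
    return dict(lines)


def pack_services(vips, services):
    """Assign NAT port forwards to VIPs; a (proto, external port) pair may be
    used only once per VIP, so services sharing a port spread across VIPs.

    services: (name, proto, ext_port, internal_host, int_port) tuples.
    Returns (vip, name, proto, ext_port, internal_host, int_port) tuples.
    Raises ValueError when the services need more VIPs than exist.
    """
    used = {vip: set() for vip in vips}
    forwards = []
    for name, proto, ext_port, host, int_port in services:
        key = (proto, ext_port)
        for vip in vips:
            if key not in used[vip]:
                used[vip].add(key)
                forwards.append((vip, name, proto, ext_port, host, int_port))
                break
        else:
            raise ValueError(f"no VIP left for {name} ({proto}/{ext_port})")
    return forwards


# Constructed sample: three HTTPS hosts force three distinct VIPs; the rest fit
# on the first VIP.  IPsec is not a port forward: pick one VIP as the endpoint
# for all tunnels, as the reply notes.
SAMPLE_SERVICES = [
    ("web1", "tcp", 443, "10.0.0.10", 443),
    ("web2", "tcp", 443, "10.0.0.11", 443),
    ("mail", "tcp", 25, "10.0.0.20", 25),
    ("bastion", "tcp", 22, "10.0.0.30", 22),
    ("web3", "tcp", 443, "10.0.0.12", 443),
    ("rdp-gw", "tcp", 3389, "10.0.0.40", 3389),
]

if __name__ == "__main__":
    plan = plan_carp("203.0.113.248/29", "203.0.113.249")
    print("physical:", [str(a) for a in plan["physical"]])
    print("vips:    ", [str(a) for a in plan["vips"]])
    print("ipsec endpoint for all tunnels:", plan["vips"][0])
    for node, cmds in carp_ifconfig(plan).items():
        print(f"# {node}")
        print("\n".join(cmds))
    for vip, name, proto, ext, host, internal in pack_services(plan["vips"], SAMPLE_SERVICES):
        print(f"rdr {proto} {vip}:{ext} -> {host}:{internal}  ({name})")
```

With the /29 from the thread this yields .250 and .251 as the physical WAN addresses and .252, .253, .254 as VIPs, matching the reply; adding a fourth service on tcp/443 makes `pack_services` raise, which is exactly the capacity limit the question is worried about.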