CARP w/ static IP



  • Can someone tell me, if I'm using static IPs and want to set up HA with CARP, whether I still need 3 real static IPs with the latest release?

    Thanks



  • Yes, you do.


  • LAYER 8 Netgate

    There is another thread on this.  I haven't tried it yet.  But if there is no longer a requirement for the CARP IP to be in the same subnet as the interface IPs, why can't there be two WAN ports configured like this:

    WAN 1 192.168.0.1/30
    WAN 2 192.168.0.2/30
    CARP IP 66.67.68.69  ???



  • Yeah, I just saw that thread. So I may be wrong.
    Apparently, the re-write in 10 that made it so CARP is no longer a pseudo-interface does the equivalent of carpdev.
    I just tried it, and 2.2 will allow assigning a Public CARP on an interface with a private IP.
    I'll be playing with this to see how it works. Your secondary box would still not be reachable from the public until it became the master, but it would be awesome to have failover on setups with limited publics.



  • Thanks for the input; I really don't care if I don't have access to the 2nd FW from a public IP.

    I may be doing something wrong, but when I tried giving the WAN adapter a private IP, I kept getting error messages saying the WAN IP was different from the gateway. The gateway I'm using is the one assigned by the ISP, which I think is part of my subnet. The subnet masks I tried for the private IPs were /16, /24 and /32.


  • LAYER 8 Netgate

    That could be an issue.

    I don't know what would happen if you:

    Create a gateway manually with the IP address given by your ISP.  Mark it as a default gateway.

    Set no gateway on your WAN interfaces.

    Create the CARP VIP as an IP Alias on the correct subnet as provided by your ISP.  This should encompass the Gateway IP.

    Make sure all your outbound NAT uses the CARP VIP.

    I just tried this (without a failover pair) and it seems to work.  This "breaks" a lot of pfSense automation.  Like there are no longer any Automatic Outbound NAT rules generated.  But that's OK because you'd have to modify all of them to use the CARP VIP anyway.

    This is very interesting. ETA: Screenshots.  pfSense C on my signature diagram.










  • I was playing around with a test box and was able to do the following:

    1. Put a private IP on the WAN interface, left gateway empty.
    2. Create a CARP VIP on the WAN with a public IP.
    3. Go back to WAN interface, add gateway, put in public gateway IP.
    4. Turned on AON, set CARP IP as outbound NAT.

    I've yet to put this on a live segment and test failover, but it looks promising.
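The layout tested in the four steps above (and the manual-gateway variant in the "LAYER 8 Netgate" reply earlier in the thread) can be sanity-checked before it goes onto a live pair. The script below is an added example, not pfSense code and not from anyone in this thread; it only models the addressing rules the thread relies on (private interface address, public address held by the CARP VIP, ISP gateway inside the VIP's subnet, both nodes on the same WAN segment) with Python's ipaddress module. All addresses in it are constructed: 203.0.113.0/29 (a documentation range) stands in for the ISP's public subnet, and the 192.168.0.x/30 pair mirrors the earlier post.

```python
"""
Sanity-check a pfSense 2.2-style CARP layout in which each node's WAN
interface carries a private address and the public address lives only on
the CARP VIP. Added example: it models the addressing rules discussed in the
thread and never talks to a firewall.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges, i.e. what "private IP" means in the thread. Checked by
# hand rather than with ip_address.is_private, which also treats the
# documentation ranges used for the sample values below as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


@dataclass
class Finding:
    level: str  # "ok", "warn" or "error"
    text: str


@dataclass
class CarpLayout:
    wan_ip: str       # this node's WAN address with prefix, e.g. "192.168.0.1/30"
    peer_wan_ip: str  # the other node's WAN address with prefix
    carp_vip: str     # CARP VIP with the ISP's prefix, e.g. "203.0.113.5/29"
    gateway: str      # upstream gateway address supplied by the ISP


def check_layout(layout: CarpLayout) -> list:
    """Return findings; any finding with level "error" makes the layout non-viable."""
    findings = []
    wan = ipaddress.ip_interface(layout.wan_ip)
    peer = ipaddress.ip_interface(layout.peer_wan_ip)
    vip = ipaddress.ip_interface(layout.carp_vip)
    gw = ipaddress.ip_address(layout.gateway)

    # Step 1 of the thread: the interface address is private. Not an error
    # if it is public, but then the layout is not saving any public address.
    if is_rfc1918(wan.ip):
        findings.append(Finding("ok", f"WAN {wan.ip} is RFC 1918."))
    else:
        findings.append(Finding("warn", f"WAN {wan.ip} is not RFC 1918; a public address is being spent on the interface."))

    # Both nodes must share the WAN segment so CARP advertisements reach each other.
    if wan.network != peer.network:
        findings.append(Finding("error", f"WAN {wan} and peer {peer} are in different subnets."))
    elif wan.ip == peer.ip:
        findings.append(Finding("error", "Both nodes use the same WAN interface address."))

    # The classic interface-vs-gateway check that produced the error message in
    # the thread: here the gateway is expected to be outside the WAN subnet,
    # which is why it is added after the VIP (or created as a manual gateway).
    if gw not in wan.network:
        findings.append(Finding("ok", f"Gateway {gw} is outside WAN subnet {wan.network}; add it after the VIP or as a manual gateway."))

    # Step 2: the VIP is the address the ISP routes to us, so it must be public
    # and the ISP gateway must sit in its subnet, or the master cannot reach it.
    if is_rfc1918(vip.ip):
        findings.append(Finding("error", f"CARP VIP {vip.ip} is RFC 1918; it must be the public address."))
    if gw not in vip.network:
        findings.append(Finding("error", f"Gateway {gw} is not in the VIP subnet {vip.network}."))
    if vip.ip == gw:
        findings.append(Finding("error", "CARP VIP equals the gateway address."))
    if vip.network.prefixlen < 31 and vip.ip in (vip.network.network_address, vip.network.broadcast_address):
        findings.append(Finding("error", f"CARP VIP {vip.ip} is the network or broadcast address of {vip.network}."))
    return findings


def is_viable(findings: list) -> bool:
    return not any(f.level == "error" for f in findings)


def free_public_addresses(layout: CarpLayout) -> list:
    """Public addresses left for IP Aliases once the gateway and the VIP are taken."""
    vip = ipaddress.ip_interface(layout.carp_vip)
    gw = ipaddress.ip_address(layout.gateway)
    return [h for h in vip.network.hosts() if h not in (vip.ip, gw)]


if __name__ == "__main__":
    # Constructed sample: private /30 between the two nodes, public /29 from the ISP.
    sample = CarpLayout("192.168.0.1/30", "192.168.0.2/30", "203.0.113.5/29", "203.0.113.1")
    for f in check_layout(sample):
        print(f"[{f.level}] {f.text}")
    print("viable:", is_viable(check_layout(sample)))
    print("free for aliases:", [str(a) for a in free_public_addresses(sample)])
```

The "ok" finding for a gateway outside the WAN subnet is deliberate: that condition is exactly the one the interface editor rejects when the gateway is entered before the VIP exists, so seeing it flagged as expected rather than as an error is the point of the layout.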


  • We have 3 public subnets here, 2 /29 + 1 /28, so we waste 6 IPs just for CARP, and that is truly bitter.
    However, we use just 1 WAN gateway.

    After upgrading to 2.2 I tried to assign all IP Aliases to the CARP VIP, which belongs to the subnet of the only WAN gateway, and delete the two WAN VIPs I had assigned for CARP before, but pfSense didn't let me do that. It tells me the VIPs are still in use.

    Any suggestion as to what I can do to release at least the 4 IPs of the additional subnets?


  • LAYER 8 Netgate

    You might have to be more specific.  I had no trouble creating this…




  • @dotdash:

    I was playing around with a test box and was able to do the following:

    1. Put a private IP on the WAN interface, left gateway empty.
    2. Create a CARP VIP on the WAN with a public IP.
    3. Go back to WAN interface, add gateway, put in public gateway IP.
    4. Turned on AON, set CARP IP as outbound NAT.

    I've yet to put this on a live segment and test failover, but it looks promising.

    I have tried the steps listed above and succeeded.
    But I cannot let outside clients browse my internal web server.
    Please tell me how to set up NAT (port forwarding), thanks!



  • Just like on any CARP setup, you need to select the CARP VIP as 'Destination' in the port-forward.



  • @dotdash:

    Just like on any CARP setup, you need to select the CARP VIP as 'Destination' in the port-forward.

    Thanks for your reply.

    I have tested it using the CARP VIP as 'Destination' in the port-forward and it works.
    But there is a strange thing with the Dest. port setting; a brief description is below:

    1. When I use port 80 (HTTP) as Dest. port and NAT port 80, the client still cannot browse my web server.
    2. If I use another port (like 9999) as Dest. port and NAT port 80, the client gets the current page content.

    Is there anything more I need to set up?



  • Make sure the webconfigurator is not listening on http. (system, advanced, admin access)



  • I found it's an IP problem.

    It works well when I use a real public IP rather than a private IP (which I used for testing).
    When I use a private IP as the WAN IP, it doesn't work, even though I unchecked the "Block private networks" option.

    Thanks again!

