Public IP in LAN with CARP virtual IP

  • Hi,

    I have currently a setup running with public IP's (for VPS servers) in the LAN network. This works fine based on proxy ARP. I would like to make this setup high available using CARP.

    This is what I did:

    • Created a CARP IP on the WAN interface with the public IP-address of one of the VPS servers. Similar like I did with proxy ARP (only a few more fields like subnet, Virtual IP Password, VHID Group and Advertising Frequency).
    • Created a CARP IP on the LAN interface in order to be used a the gateway for the VPS servers which available no matter which of the 2 firewalls is online.

    NAT is disabled in:

    • Firewall > NAT > Outbound - Set to "Disable Outbound NAT rule generation"
    • Advanced > Firewall and NAT > NAT Reflection mode for port forwards - Set to "Disable"

    I'm running PFSense 2.2.2 x64 .

    I already found this topic:, but it doesn't work for me.

    This is my result:

    • My VPS can NOT ping the CARP LAN IP.
    • My VPS can NOT ping the LAN IP of firewall 1 (CARP master)
    • My VPS can ping the LAN IP of firewall 2 (CARP backup)

    From outside the network I can ping the VPS, but it's PFSense that's responding to the ping, not the VPS itself. The same when connecting to SSH using the VPS IP; I'm logging into the PFSense SSH server. Somehow PFSense doesn't route the traffic to the VPS but keep it for itself.

    Any suggestions in how to solve this issue?


  • What hardware platform is pfSense running on or is it a VM?

    Also: what is WAN (PPPoE/Ethernet etc)?

  • All run as a VM on RHEV/oVirt (3.5).

  • Proxy ARP cannot be used with CARP.

    Use IP Aliases instead.

  • Yes, I know… It's not that I specifically need proxy ARP. It was just testing if all other parts are working ok so that I can be sure CARP is the issue.

    I have a public IP assigned to a server in the LAN (other IPv4 range / subnet as the WAN). Using a proxy ARP virtual IP in PFSense the server is accessible from the web in the LAN using the public IP-address, with CARP not... I'm not sure if it's even possible.

    A few notes:

    • I updated PFSense to the latest version 2.2.4 x64 (different version as when I started this thread).
    • I tested with virtio and e1000 interfaces. For virtio I disabled hardware checksum offloading to prevent other network/connectivity issues.

    The suggested solution of IP aliases won't work I guess (I can't try it right now)? As there is no layer 2 (ARP) so the traffic won't be send from my ISP to my PFSense box... Or am I wrong?

  • Any suggestions?

  • LAYER 8 Netgate

    IP aliases respond to ARP.


    I have a public IP assigned to a server in the LAN (other IPv4 range / subnet as the WAN).

    Is this a routed subnet?

    In that case the HA comes from your ISP routing the subnet to the CARP address on WAN.

    Then you need three of the public addresses on the inside (but publically addressed) interface.  One for each HA unit and one for CARP.  Then the other hosts on the publicly-addressed segment use the CARP IP as their default gateway.

    I don't see any need for VIPs other than the CARP VIPs.

    Maybe draw up a diagram if I'm misunderstanding what you're trying to do.