HA setup -> extra public IPs?



  • Hi,

    Currently I have a pfsense instance on an ESX host. The instance has 1 WAN interface (with a public static IP).
    I'm going to set up a second pfsense in CARP/HA mode on another ESX host.

    So I will have 2 instances with their own WAN & LAN interface (and a pfsync interface of course).

    What I am going to do:

    • Add a dedicated pfsync interface on both instances on both boxes, and put them in a dedicated VLAN
    • Change the virtual IPs to CARP IPs
    • Set up FW rules & sync

    What I'm not sure about: am I right that I need 2 extra public IPs now? So 3 in total for the WAN interface; 1 for WAN pfsense1 (which is already there), 1 for WAN pfsense2 and 1 WAN IP that fails over on the WAN interfaces (which would be the VPN IP). Or is there a way to do this without the need to buy extra public IPs?

    Thanks



  • @mitch2k:

    What I'm not sure about: am I right that I need 2 extra public IPs now? So 3 in total for the WAN interface; 1 for WAN pfsense1 (which is already there), 1 for WAN pfsense2 and 1 WAN IP that fails over on the WAN interfaces (which would be the VPN IP). Or is there a way to do this without the need to buy extra public IPs?

    As you say.

    After the CARP setup is done, you can add further IP Aliases to the master, which are also shared.
    Services like VPN have to listen on the CARP IP or an IP Alias.

    There are threads in this forum where guys wrote that CARP also works with IPs in another subnet (private IPs) assigned to the WAN interfaces, but it has some disadvantages.
    https://forum.pfsense.org/index.php?topic=87546.msg507885#msg507885



  • @viragomann:

    @mitch2k:

    What I'm not sure about: am I right that I need 2 extra public IPs now? So 3 in total for the WAN interface; 1 for WAN pfsense1 (which is already there), 1 for WAN pfsense2 and 1 WAN IP that fails over on the WAN interfaces (which would be the VPN IP). Or is there a way to do this without the need to buy extra public IPs?

    As you say.

    After the CARP setup is done, you can add further IP Aliases to the master, which are also shared.
    Services like VPN have to listen on the CARP IP or an IP Alias.

    There are threads in this forum where guys wrote that CARP also works with IPs in another subnet (private IPs) assigned to the WAN interfaces, but it has some disadvantages.
    https://forum.pfsense.org/index.php?topic=87546.msg507885#msg507885

    Great, thanks for the info!