Does a CARP setup require WAN IPs to be on the same subnet as the WAN VIP?



  • Hello,

    I'm thinking about installing a second pfSense box and using CARP to get hardware redundancy for my (multi-WAN) Internet access.

    One of my Internet connections directly provides the public IP I use on the Internet: 1.2.3.102/30 (that's the IP configured on the WAN interface), and they say I have to use the gateway at 1.2.3.101/30.

    Being a "/30" network (namely 1.2.3.100/30), there are only 2 usable IP addresses, which are both already used: one by their gateway (1.2.3.101) and the other by my current (no CARP configured) pfSense box (1.2.3.102).

    Looking at the CARP documentation, it seems CARP setups require each pfSense box to have its own IP on the WAN side (i.e. 127.29.29.1 and 127.29.29.2 in the documentation).
    I understand they are required for each box to be able to access the Internet on its own (whether, in the "CARP" context, it is active or not), but do they have to be on the same network as the virtual IP of the WAN side (i.e. 1.2.3.102)?

    Would the following setup work?

    WAN VirtualIP: 1.2.3.102/30 ("CARP" type)
    WAN gateway: 1.2.3.101/30 (the gateway configured for the WAN interface)

    pfSense1 WAN IP: 80.40.20.1/28 (using 80.40.20.14/28 as gateway)
    pfSense2 WAN IP: 80.40.20.2/28 (using 80.40.20.14/28 as gateway)
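    The question above boils down to two on-link checks per address (is each node's interface IP in the VIP's subnet, and is each configured gateway reachable on its interface's subnet). The script below is an added example that is not part of the original post or of pfSense; it uses Python's standard `ipaddress` module to run those checks over the plan exactly as proposed (the addresses are the post's own, reused here as constructed input), with a flag for whether the VIP is required to share the interface subnet, so the same plan can be evaluated under either requirement. The `usable_hosts` helper is an assumption of this example, added for the later discussion in the thread about how many addresses a /30 or /29 actually yields when it is on-link versus routed to you.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed input: the plan as written in the post above.
PLAN = {
    "wan_vip": "1.2.3.102/30",        # CARP-type virtual IP on WAN
    "wan_gateway": "1.2.3.101",       # gateway the ISP says to use
    "nodes": {
        "pfSense1": {"ip": "80.40.20.1/28", "gateway": "80.40.20.14"},
        "pfSense2": {"ip": "80.40.20.2/28", "gateway": "80.40.20.14"},
    },
}


def same_subnet(a: str, b: str) -> bool:
    """True if two interface addresses (addr/prefix) are on one on-link network."""
    return ip_interface(a).network == ip_interface(b).network


def gateway_on_link(addr: str, gateway: str) -> bool:
    """True if the gateway is a member of the interface's network."""
    return ip_address(gateway) in ip_interface(addr).network


def usable_hosts(prefix: str, routed: bool = False) -> int:
    """Addresses you can actually assign from a block.

    On-link IPv4 blocks lose the network and broadcast addresses (except /31
    and /32, where every address is usable). A block routed to you via some
    other next-hop can use every address.
    """
    net = ip_network(prefix, strict=False)
    if routed or net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def check_plan(plan: dict, vip_must_match_interface_subnet: bool) -> list:
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    vip = plan["wan_vip"]

    # The VIP's own gateway has to be reachable on-link from the VIP subnet.
    if not gateway_on_link(vip, plan["wan_gateway"]):
        problems.append(f"VIP gateway {plan['wan_gateway']} not on-link for {vip}")

    seen = {ip_interface(vip).ip}
    for name, node in plan["nodes"].items():
        addr, gw = node["ip"], node["gateway"]
        # Each node's real interface IP must be unique and distinct from the VIP.
        if ip_interface(addr).ip in seen:
            problems.append(f"{name}: interface IP {addr} collides with another address")
        seen.add(ip_interface(addr).ip)
        # Each node needs its own on-link gateway to reach the Internet on its own.
        if not gateway_on_link(addr, gw):
            problems.append(f"{name}: gateway {gw} not on-link for {addr}")
        # Optional requirement: VIP and interface IP in the same subnet.
        if vip_must_match_interface_subnet and not same_subnet(addr, vip):
            problems.append(f"{name}: {addr} is not in the VIP subnet {vip}")
    return problems


if __name__ == "__main__":
    for strict in (True, False):
        print(f"VIP must share interface subnet = {strict}:")
        for p in check_plan(PLAN, strict) or ["no problems found"]:
            print("  ", p)
    print("usable in 1.2.3.100/30 on-link:", usable_hosts("1.2.3.100/30"))
    print("usable in a /29 on-link vs routed:",
          usable_hosts("203.0.113.0/29"), usable_hosts("203.0.113.0/29", routed=True))
```

With the strict flag set, both nodes are reported because 80.40.20.0/28 is not 1.2.3.100/30; with it cleared, the plan passes, since every gateway is on-link for the interface it is configured on. The host counts make the /30 squeeze concrete: 2 usable on-link, and a /29 yields 6 on-link but 8 only when the whole block is routed to you.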



  • but do they have to be on the same network as the virtual IP of the WAN side

    For CARP virtual IP, yes.  All other virtual IP types, no.

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses



  • @KOM:

    For CARP virtual IP, yes.  All other virtual IP types, no.

    Not in 2.2.x
    You can now have CARP VIPs in a different subnet than the WAN.



  • Thanks, I didn't see that caveat.



  • Thanks, that is great news 8)


  • LAYER 8 Netgate

    Why would you not just use 3 addresses from your /28? Just give back the /30 or ask that it be routed to your CARP address instead?

    Or, better yet, ask them to make the /30 a /29, use that for WAN and ask them to route the /28 to that CARP address.

    I guess I don't get why you'd want to do what you're asking…



    I don't know yet what addresses they can "give" me; the /28 example is one offer I know they have ("Extra 8-IPs pack"), but there may be more. So I'm gathering information about what pfSense supports and doesn't.
    I don't know if they can route my public IP (1.2.3.102) to another IP, and I don't want to change my public IP (lots of external, out-of-my-hands services use it).

    The really simple and cheap method is to buy a very simple router, place it where my current pfSense box is (at 1.2.3.102/30), and create a 192.168.0.0/24 network for my 2 pfSense boxes and the CARP virtual IP (transforming the public IP problem into a private network problem).
    Only drawback: I would have a single point of failure, but it's more or less already the case considering their gateway.


  • LAYER 8 Netgate

    If they are calling a /28 only 8 IP addresses it sounds like they are anticipating VRRP/CARP on both sides anyway: 3+3+8 = 14.



    Oops… typo: their 8-IP pack is a /29 (not a /28).

    My original post used /28 as a general example.


  • LAYER 8 Netgate

    Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.



  • @Derelict:

    Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.

    It is indeed routed: I get 8 different public IPs and they all go to 1.2.3.102/30.


  • LAYER 8 Moderator

    Hmm. A /29 is not 8 usable IP addresses unless it's routed to you. They kind of need to get their act together.

    Nope, they don't. A pity, but quite a few ISPs or hosting providers will give you 8 IPs but not route them in a clean way. Either some hack'n'slash P2P host routing is done or you get 8 single IPs from different segments. No one said those 8 addresses are from the same block. I know quite a few German (big) hosting companies working that way and it is annoying as hell from a networking perspective. So I won't get my hopes up until I read someone clearly stating that it actually is a /29 IP block.

