CARP SETUP with Transparent pfsense running for IPS



  • Hello,

    Please suggest CARP feasibility for this setup (pfSense 2.2.6 64-bit) and possible scenarios.

    Fail-over Dual WAN is configured for LAN Traffic.

    Thanks for your support.



  • I'm thinking of doing it like this:



  • Hey any suggestions?


  • LAYER 8 Netgate

    Is everything in the first diagram already configured and working?

    Why no CARP for ISP 2?

    Otherwise looks pretty good to me.



  • @Derelict:

    Is everything in the first diagram already configured and working?

    Why no CARP for ISP 2?

    Otherwise looks pretty good to me.

    Hey,

    Yes, everything is working smoothly as shown in the first diagram.

    For ISP 2 I'm not sure if I should assign CARP or not (there is also a failover gateway group (wan2+wan1) for LAN traffic).
    Is it OK to proceed with CARP configuration on ISP 2? Please suggest :)


  • LAYER 8 Netgate

    If I had the 3 public IP addresses for WAN2 I'd use CARP there.



  • @Derelict:

    If I had the 3 public IP addresses for WAN2 I'd use CARP there.

    Hey, thanks for the help.

    I'm also confused about one point: if WAN2 goes down, will it trigger the gateway group rule or a CARP failover to the other box?

    2nd: Is it OK to connect Snort (IPS/IDS) between the firewall and the ISP router, or inline between the DMZ switch and the firewall?


  • LAYER 8 Netgate

    Gateway failover groups and CARP are two completely different things.

    In general, a CARP fail event means multicast packets did not make it from the master to the backup node on the local multicast domain. It generally means a local switching or router failure.

    A gateway group failover means ICMP to a remote host failed, indicating that routing out that path is broken, has high latency, or whatever is set on that gateway. That causes a change in routing behavior and has nothing to do with CARP.
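    The distinction above can be made concrete by modelling both detectors side by side. The following is an added example, not code from this thread or from pfSense: a CARP backup node that only looks at whether advertisements keep arriving on the local segment, and a dpinger-style gateway monitor that only looks at ICMP loss and latency to a remote host. The advertisement interval (advbase + advskew/256), the three-missed-advertisements takeover rule, and the loss/latency thresholds are assumptions for illustration; the ping samples are constructed.

```python
"""CARP takeover vs. gateway-group failover: two unrelated detectors.

Added example (not from the forum thread or pfSense). All timing values,
thresholds and ping samples are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CarpNode:
    """Backup node: decides MASTER/BACKUP purely from local multicast evidence."""
    advbase: int = 1          # seconds between advertisements (assumed)
    advskew: int = 0          # skew in 1/256 s units (assumed)
    state: str = "BACKUP"
    last_adv_seen: Optional[float] = None

    def interval(self) -> float:
        return self.advbase + self.advskew / 256.0

    def observe_advertisement(self, now: float) -> None:
        """An advertisement from the master arrived on the local segment."""
        self.last_adv_seen = now

    def tick(self, now: float) -> str:
        """Assumed rule: take over after three missed advertisement intervals."""
        silent = self.last_adv_seen is None or now - self.last_adv_seen > 3 * self.interval()
        self.state = "MASTER" if silent else "BACKUP"
        return self.state


@dataclass
class GatewayMonitor:
    """dpinger-style monitor: ICMP loss/latency to a remote monitor IP."""
    name: str
    loss_high_pct: float = 20.0      # assumed threshold
    latency_high_ms: float = 500.0   # assumed threshold
    samples: List[Optional[float]] = field(default_factory=list)  # RTT ms, None = lost

    def record(self, rtt_ms: Optional[float]) -> None:
        self.samples.append(rtt_ms)

    def status(self) -> str:
        if not self.samples:
            return "unknown"
        lost = sum(1 for r in self.samples if r is None)
        loss_pct = 100.0 * lost / len(self.samples)
        replies = [r for r in self.samples if r is not None]
        avg_ms = sum(replies) / len(replies) if replies else float("inf")
        if loss_pct > self.loss_high_pct or avg_ms > self.latency_high_ms:
            return "down"
        return "online"


class GatewayGroup:
    """Routes via the lowest-tier gateway whose monitor reports online."""

    def __init__(self, members: List[Tuple[GatewayMonitor, int]]) -> None:
        self.members = members  # (monitor, tier); lower tier is preferred

    def active_gateway(self) -> Optional[str]:
        online = [(tier, m) for m, tier in self.members if m.status() == "online"]
        return min(online, key=lambda x: x[0])[1].name if online else None


def scenario_wan2_down() -> Tuple[Optional[str], str]:
    """WAN2's remote ping fails while CARP advertisements keep flowing.

    Result: the gateway group moves LAN traffic to WAN1 on the same box,
    and the CARP backup stays BACKUP; no CARP failover happens.
    """
    wan1, wan2 = GatewayMonitor("WAN1"), GatewayMonitor("WAN2")
    for _ in range(10):
        wan1.record(20.0)                         # healthy path
    for i in range(10):
        wan2.record(None if i < 5 else 30.0)      # 50% loss: over threshold
    group = GatewayGroup([(wan2, 1), (wan1, 2)])  # WAN2 preferred, WAN1 fallback

    backup = CarpNode()
    for t in range(10):
        backup.observe_advertisement(float(t))    # master still advertising
    return group.active_gateway(), backup.tick(10.0)


def scenario_master_silent() -> str:
    """Master stops advertising (local switch or node failure): backup takes over.

    Gateway monitors are not consulted at all for this decision.
    """
    backup = CarpNode()
    backup.observe_advertisement(0.0)
    return backup.tick(10.0)


if __name__ == "__main__":
    print("WAN2 down:", scenario_wan2_down())      # ('WAN1', 'BACKUP')
    print("master silent:", scenario_master_silent())  # MASTER
```

    Running it shows the two outcomes from the post: a failed WAN2 monitor changes which gateway LAN traffic leaves through but leaves the CARP state untouched, while a silent master flips the backup to MASTER regardless of what the remote pings say.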



  • Thanks for the clarification.

