Netgate Discussion Forum
    CARP SETUP with Transparent pfsense running for IPS

    Category: HA/CARP/VIPs
    9 Posts, 2 Posters, 2.2k Views
    vallum:

      Hello ,

      Please suggest CARP feasibility for this setup (pfSense 2.2.6, 64-bit) and possible scenarios.

      Fail-over Dual WAN is configured for LAN Traffic.

      Thanks for your support.

      Manu

      vallum:

        I'm thinking of doing it like this:

        Manu

        vallum:

          Hey any suggestions?

          Manu

          Derelict (LAYER 8, Netgate):

            Is everything in the first diagram already configured and working?

            Why no CARP for ISP 2?

            Otherwise looks pretty good to me.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            vallum:

              @Derelict:

              Is everything in the first diagram already configured and working?

              Why no CARP for ISP 2?

              Otherwise looks pretty good to me.

              Hey,

              Yes, everything is working smoothly as shown in the first diagram.

              For ISP 2 I'm not sure if I should assign CARP or not (there is also a failover gateway group (wan2+wan1) for LAN traffic).
              Is it OK to proceed with configuring CARP on ISP 2? Please suggest :)

              Manu

              Derelict (LAYER 8, Netgate):

                If I had the 3 public IP addresses for WAN2 I'd use CARP there.


                vallum:

                  @Derelict:

                  If I had the 3 public IP addresses for WAN2 I'd use CARP there.

                  Hey, thanks for the help.

                  I'm also confused about one point: if WAN2 goes down, will it trigger the gateway group rule or a CARP failover to the other box?

                  2nd: Is it OK to connect Snort (IPS/IDS) between the firewall and the ISP router, or inline between the DMZ switch and the firewall?

                  Manu

                  Derelict (LAYER 8, Netgate):

                    Gateway failover groups and CARP are two completely different things.

                    In general, a CARP fail event means multicast packets did not make it from the master to the backup node on the local multicast domain. It generally means a local switching or router failure.

                    A gateway group failover means ICMP to a remote host failed, indicating that routing out that path is broken, has high latency, or whatever is set on that gateway. That causes a change in routing behavior and has nothing to do with CARP.


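The two mechanisms Derelict describes are easy to confuse because both are called "failover", so here is a toy model of them side by side. This is an added example, not pfSense code and not anything from the thread: a CARP backup node that only promotes itself when it stops hearing the master's multicast advertisements on the local segment, and a gateway failover group whose choice depends only on whether monitor pings out each WAN still succeed. The master-down timeout formula (3 * advbase + advskew/256 seconds) follows FreeBSD carp(4); the loss and latency thresholds, the node names fw1/fw2, and the tier numbers are assumptions chosen to match the poster's WAN2-preferred group, and the two scenario functions are constructed inputs.

```python
"""Toy model: CARP failover versus gateway-group failover (added example).

Not pfSense code. CARP timing follows FreeBSD carp(4); the monitor
thresholds, node names and tiers are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CarpNode:
    """One firewall's view of a single CARP VHID on the local segment."""
    name: str
    advbase: int = 1        # seconds between master advertisements
    advskew: int = 0        # 0 on the preferred master; e.g. 100 on the backup
    state: str = "BACKUP"
    last_adv_from_master: float = 0.0

    def master_down_timeout(self) -> float:
        # carp(4): backup declares the master dead after 3*advbase + advskew/256 s
        return 3 * self.advbase + self.advskew / 256

    def receive_advertisement(self, now: float) -> None:
        # Advertisements travel as multicast (224.0.0.18, IP protocol 112) on the
        # local link; hearing one from the master keeps this node in BACKUP.
        self.last_adv_from_master = now
        self.state = "BACKUP"

    def tick(self, now: float) -> str:
        if (self.state == "BACKUP"
                and now - self.last_adv_from_master > self.master_down_timeout()):
            self.state = "MASTER"
        return self.state


@dataclass
class Gateway:
    """A WAN gateway as seen by the gateway monitor daemon on one node."""
    name: str
    tier: int
    loss_pct: float = 0.0
    rtt_ms: float = 0.0
    loss_high: float = 20.0          # assumed "packet loss high" threshold
    latency_high_ms: float = 500.0   # assumed "latency high" threshold

    def is_down(self) -> bool:
        # Only the ICMP monitor result matters here; CARP state plays no part.
        return self.loss_pct >= self.loss_high or self.rtt_ms >= self.latency_high_ms


def active_gateway(group: List[Gateway]) -> Optional[str]:
    """Failover group: lowest tier whose monitor target still answers."""
    up = [g for g in group if not g.is_down()]
    if not up:
        return None
    return min(up, key=lambda g: g.tier).name


def scenario_isp2_path_fails() -> Tuple[str, Optional[str]]:
    """ISP 2 stops carrying traffic, but the local switches are fine (constructed)."""
    fw2 = CarpNode("fw2", advskew=100)
    group = [Gateway("WAN2", tier=1), Gateway("WAN1", tier=2)]
    now = 0.0
    for t in range(30):                     # fw1 keeps advertising every second
        now = float(t)
        fw2.receive_advertisement(now)
    group[0].loss_pct = 100.0               # monitor pings out WAN2 all fail
    # CARP sees nothing wrong; the gateway group moves to WAN1.
    return fw2.tick(now + 0.5), active_gateway(group)


def scenario_master_node_dies() -> Tuple[str, Optional[str]]:
    """fw1 loses power: no advertisements, but fw2's own WAN2 path is healthy (constructed)."""
    fw2 = CarpNode("fw2", advskew=100)
    group = [Gateway("WAN2", tier=1), Gateway("WAN1", tier=2)]
    fw2.receive_advertisement(0.0)
    # Silence for longer than 3*1 + 100/256 = 3.39 s promotes fw2.
    return fw2.tick(4.0), active_gateway(group)


if __name__ == "__main__":
    print("ISP2 path fails:", scenario_isp2_path_fails())
    print("master dies:   ", scenario_master_node_dies())
```

The first scenario is the poster's "WAN2 goes down" case: the monitor marks WAN2 down and the group routes out WAN1, while fw2 stays BACKUP because the master is still advertising on the LAN. The second shows the reverse. In a real pfSense pair each node runs its own gateway monitor, so after a CARP promotion the new master's routing decision comes from its own ping results, which this toy keeps independent on purpose.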
                    vallum:

                      Thanks for the clarification .

                      Manu

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.