
I have a dual pfSense configuration with CARP. Both WAN interfaces are assigned consecutive WAN IPs, .150 and .151. I think it is silly that pfSense would require them both to have these dedicated IPs, so I was wondering if it is possible that I could use 1:1 NAT and add their IPs as Virtual (CARP) IPs in the system. So:

pf0 - WAN IP .150
pf1 - WAN IP .151
CARP IP0 - .150
CARP IP1 - .151
1:1 NAT Entry .150 <-> 10.1.1.150
1:1 NAT Entry .151 <-> 10.1.1.151

If this is not possible, can I at least forward certain requests to certain ports (HTTP/S) @ .150, .151 to appropriate servers?

Port forward .150:80,443 <-> 10.1.1.150:80,443
Port forward .151:80,443 <-> 10.1.1.151:80,443
tacos_tacos_tacos

1 Answer


Generally speaking, No.

The IP "foot" for carp monitoring/communication is only present on ONE machine (the box it's assigned to). By definition it is not a redundant IP, and it shouldn't really be used for serving other traffic.

Take the following scenario as an example:

  • You configure port 80 on .150 (primary FW) and .151 (backup FW) to forward somewhere.
  • The primary FW fails.
    • Now all traffic going to .150 is hitting a dead IP (your service on .150 is down).
  • The primary FW comes back and the secondary FW fails.
    • Now the traffic going to .150 works again, but all the traffic to .151 is hitting a dead IP.
voretaq7
  • Ok - so basically, for every pfSense in your CARP subnet you are going to need to reserve a public IP (if you want failover to work). – tacos_tacos_tacos Mar 12 '12 at 18:55
  • I don't believe CARP can use the magic all-routers multicast, so if I'm right you need to burn one IP per unit in the pool. It's entirely possible I'm wrong though - If I am I'd love to hear it as I'd get to reclaim two IPs on *my* network :-) – voretaq7 Mar 12 '12 at 20:20
  • This answer is correct on why you can't use the interface IPs. To answer part of the OP's question, it's not "silly", it's how every router redundancy protocol functions - VRRP, HSRP, and CARP. – Chris Buechler Mar 20 '12 at 04:18
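The failover walk-through in the answer, and the point in the comments that each unit keeps its own interface address, replayed as a small simulation. This is an added example, not code from the original post or from pfSense: the two nodes, the addresses (203.0.113.0/24, a documentation range, plus an assumed extra VIP .152 that the OP does not have) and the port forwards are constructed, and the CARP election is reduced to "the live node with the lowest advskew is master". That is enough to show why a forward bound to a box's interface IP dies with that box, while one bound to a CARP VIP follows whichever node is master.

```python
"""Simulation of the CARP failover scenario described in the answer.

Added example, not code from the original post or from pfSense itself.
Hosts, addresses (203.0.113.0/24, a documentation range) and port
forwards are constructed; the CARP election is simplified to "lowest
advskew among live nodes is master".
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    wan_ip: str      # interface address: owned by this box only, never moves
    advskew: int     # CARP preference; the lower value wins the election
    alive: bool = True


def carp_master(nodes):
    """Return the live node with the lowest advskew, or None if all are down."""
    live = [n for n in nodes if n.alive]
    return min(live, key=lambda n: n.advskew) if live else None


def address_owner(addr, nodes, vips):
    """Node currently answering for addr, or None if nobody does."""
    for n in nodes:
        if n.wan_ip == addr:            # interface IP: up only while its box is up
            return n if n.alive else None
    if addr in vips:                    # CARP VIP: always on the current master
        return carp_master(nodes)
    raise ValueError(f"{addr} is configured on no interface and no VIP")


def forward_status(forwards, nodes, vips):
    """Map each public address in forwards to 'up' or 'down'."""
    return {pub: "up" if address_owner(pub, nodes, vips) else "down"
            for pub in forwards}


def run_scenario():
    """Replay the answer's three steps; returns a list of (label, status dict)."""
    pf0 = Node("pf0", "203.0.113.150", advskew=0)    # primary
    pf1 = Node("pf1", "203.0.113.151", advskew=100)  # backup
    nodes = [pf0, pf1]
    vips = {"203.0.113.152"}        # assumed extra address carried by CARP
    forwards = {
        "203.0.113.150": "10.1.1.150",   # bound to pf0's interface IP (the OP's plan)
        "203.0.113.151": "10.1.1.151",   # bound to pf1's interface IP
        "203.0.113.152": "10.1.1.152",   # bound to the CARP VIP
    }
    steps = [("both up", forward_status(forwards, nodes, vips))]

    pf0.alive = False                     # primary FW fails
    steps.append(("primary down", forward_status(forwards, nodes, vips)))

    pf0.alive, pf1.alive = True, False    # primary returns, backup fails
    steps.append(("primary back, backup down",
                  forward_status(forwards, nodes, vips)))
    return steps


if __name__ == "__main__":
    for label, status in run_scenario():
        print(f"{label:26s} {status}")
```

Running it prints the forward bound to .150 going down in step two and the one bound to .151 going down in step three, exactly as the answer describes, while the forward bound to the VIP stays up in every step because the VIP is re-elected onto whichever box is alive. The practical consequence for the OP's plan is the one in the comments: each unit keeps its own public interface address, and every service that should survive a failover needs a further address configured as a CARP VIP and used as the 1:1 NAT or port-forward target.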