Does two pfsense + CARP necessarily require two WAN IP?

Question

I am looking to setup CARP following this guide across two pfSense firewalls.

I have setup CARP before on a WAN link with a big IP space, so allocating a distinct WAN IP per each device (as shown in the guide) was palatable.

Now, I am trying to do the same, but only one WAN IP is available per link.

Is there a way to use only one WAN IP?

Edit: What if you have the following configuration? (would this work?)

WAN1: WAN IP 1.2.3.4, local IP 192.168.10.1
WAN2: WAN IP 1.2.3.5, local IP 192.168.20.1
pf1: On interface WAN1, local IP 192.168.10.10; on WAN 2, local IP 192.168.20.10;
pf2: On interface WAN1, local IP 192.168.10.11; on WAN 2, local IP 192.168.20.11;
On both pf1 and pf2, monitor IP set to the ISP-appropriate value
VIP on 192.168.10.100, 192.168.20.100

score 5 · Accepted Answer · answered Mar 09 '13 at 00:23

5

No, carp requires three WAN IPs.

answered Mar 09 '13 at 00:23

JamesRyan

2

Just to clear it up, this is not true since version 2.2. It is now possible to use CARP with as little as just one WAN IP, setting the interfaces IP as private ones and your WAN IP as CARP IP. – tstark81 Oct 04 '16 at 13:15

Alessandro Meyer · Answer 2 · 2015-04-30T20:52:51.203

4

It does not, it depends on your Setup. I have a working solution with 1 IP. The Slave just uses the Master as a gateway.

edited Apr 30 '15 at 20:52

answered Apr 29 '15 at 08:01

Alessandro Meyer

Would you care to share how this is done? – tacos_tacos_tacos Jul 15 '15 at 21:22
1

On the Internet-interface i have a separate network which is being used to negotiate the VIP, the IP itself is configured as CARP IP. Other than that i just gave each Firewall a seperate gateway with lower priority which points to the other firewall so that both firewall can route to the internet. – Alessandro Meyer Jul 20 '15 at 14:53
Alessandro, how do you manage to have the lowpri routes pointing to the other firewall? do you have the static route sync turned off? – Florian Heigl Oct 14 '15 at 20:04
Hi Florian - the other Firewall is just the secondary default gateway for the non-master firewall. And the first gateway is the providers gateway which is not reachable when there is no CARP IP assigned (=Slave) – Alessandro Meyer Oct 20 '15 at 07:35
Thank you that's simple and elegant. I did not come up with that idea, as much as I tried ;) – Florian Heigl Oct 23 '15 at 17:55
@AlessandroMeyer i'd love for you to write this up as a blog post. I'm struggling to get this going myself. and SF has no contact for you listed :( – Sirex Mar 26 '17 at 21:35

score 3 · Answer 3 · answered Mar 09 '13 at 06:20

3

CARP is like VRRP, HSRP and most other routing redundancy protocols, you must have 3 static IPs in the same subnet.

That may change at some point in the future, but it's true for the time being.

answered Mar 09 '13 at 06:20

Chris Buechler

Any VRRP / HSRP setup I've seen so far has *not* used IPs from the attached subnet for the cluster interfaces themselves. – Florian Heigl Dec 01 '15 at 03:42

score 0 · Answer 4 · answered Nov 07 '16 at 07:42

this topic has been requested as a feature in the pfsense bugtracker https://redmine.pfsense.org/issues/3859 and also issue 4597

it seems possible but you have to work around the webGUI

4 Answers4