OPNsense Forum

English Forums => High availability => Topic started by: talmid on August 05, 2021, 11:37:49 AM

Title: WAN with 2 public IPs
Post by: talmid on August 05, 2021, 11:37:49 AM
Hello,

I looked at the setup that is shown here:
https://docs.opnsense.org/_images/900px-Carp_setup_example.png

I wonder if it is possible to have this setup, except that the front part has only two public IPs instead of three. I would not replicate the machines, only use them so that the LAN part will always be reachable even if one machine fails. The high availability would be done by DNS.

My question is: if I set up the LAN part the way it's described there, and for the WAN part each machine has only one public IP, will the NAT work properly when the DNS changes in case of failure?

Thank you for your help.
Title: Re: WAN with 2 public IPs
Post by: liceo on August 08, 2021, 05:00:02 PM
Hi there.

In my config, I set up HA behind the NAT of the internet provider's router. This way, you only need one public IP and you can configure the master/slave/CARP addresses using private RFC1918 IPs.
Title: Re: WAN with 2 public IPs
Post by: superwinni2 on August 31, 2021, 03:08:37 PM
It's possible. It's the same as if there were only one public IP.
Put your firewall WAN ports in another IP range, like 1.2.3.4/30.
Now configure one or two CARP IPs on the WAN interface.

You need to change your default gateway on the backup firewall if you want to download files from the Internet (for example, if you need to update the firewall or want plugins to be able to download files). You need to reset the default gateway after this!