OPNsense Forum

English Forums => High availability => Topic started by: 469 on August 29, 2024, 12:48:25 AM

Title: Unable to access internet after CARP HA configuration, but NAT working.
Post by: 469 on August 29, 2024, 12:48:25 AM
Hi, I'm having issues being able to access the internet when CARP is set up. The way I see it, it is more of a Virtual IP issue, not caused by CARP. Here are my firewalls' configurations:

Firewall 1:
WAN interface gateway: x.x.x.105/29 - static ip from ISP
WAN interface: x.x.x.106/29 - static ip from ISP
LAN interface: 192.168.1.5/24
Virtual WAN ip: x.x.x.254/29
Virtual LAN ip: 192.168.1.1/24
Pfsync: 10.0.0.1

Firewall 2:
WAN interface gateway: x.x.x.105/29 - static ip from ISP
WAN interface: x.x.x.107/29 - static ip from ISP
LAN interface: 192.168.1.6/24
Virtual WAN ip: x.x.x.254/29
Virtual LAN ip: 192.168.1.1/24
Pfsync: 10.0.0.2

NAT rule: WAN interface, source LAN net + all other vlan net, NAT address x.x.x.254 which is WAN VIP

With this setup, with my laptop plugged into the LAN port of firewall 1 (I haven't set up a switch connecting the LAN ports from both firewalls, if this is the issue), I am able to ping 192.168.1.5, the gateway obviously; 192.168.1.1, the LAN VIP; x.x.x.106, the WAN address; and x.x.x.254, the WAN VIP. However, I cannot access the internet, whereas before (without all the virtual IPs and the redundant firewall) I was able to.
Please let me know if I have messed up my configuration somehow. This is my first time attempting to set up CARP, so any help would be greatly appreciated. Thank you!
Title: Re: Unable to access internet after CARP HA configuration, but NAT working.
Post by: byDoks on July 08, 2025, 10:46:11 AM
Hello,

Did you manage to solve your problem?
I have the same situation and I still don't understand what the problem could be.
Title: Re: Unable to access internet after CARP HA configuration, but NAT working.
Post by: Patrick M. Hausen on July 08, 2025, 10:50:42 AM
Your CARP WAN IP should be in the same /29 subnet as all other addresses, IMHO.
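
An added example (not part of the original post): a check of the rule stated above, run against the addresses from the first post. It assumes the redacted x.x.x prefix is the same for every WAN address and substitutes the documentation range 203.0.113; the function names and dictionary keys are hypothetical.

```python
import ipaddress

# Constructed sample: the first post's addresses, with the redacted "x.x.x"
# replaced by the documentation range 203.0.113 (assumed identical everywhere).
NODES = {
    "fw1": {"wan": "203.0.113.106/29", "gateway": "203.0.113.105",
            "wan_vip": "203.0.113.254/29",
            "lan": "192.168.1.5/24", "lan_vip": "192.168.1.1/24"},
    "fw2": {"wan": "203.0.113.107/29", "gateway": "203.0.113.105",
            "wan_vip": "203.0.113.254/29",
            "lan": "192.168.1.6/24", "lan_vip": "192.168.1.1/24"},
}

def check_vip(label, iface_cidr, vip_cidr, gateway=None):
    """Return the problems found for one interface address and its CARP VIP."""
    iface = ipaddress.ip_interface(iface_cidr)
    vip = ipaddress.ip_interface(vip_cidr)
    net = iface.network
    problems = []
    if vip.ip not in net:
        problems.append(f"{label}: VIP {vip.ip} is outside interface subnet {net}")
    elif vip.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: VIP {vip.ip} is the network/broadcast address of {net}")
    elif vip.ip == iface.ip:
        problems.append(f"{label}: VIP {vip.ip} duplicates the node's own address")
    if vip.network.prefixlen != net.prefixlen:
        problems.append(f"{label}: VIP mask /{vip.network.prefixlen} != interface mask /{net.prefixlen}")
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"{label}: gateway {gateway} is outside {net}")
    return problems

def check_cluster(nodes):
    """Check every node, then check that all nodes carry the same VIPs."""
    problems = []
    for name, cfg in nodes.items():
        problems += check_vip(f"{name} WAN", cfg["wan"], cfg["wan_vip"], cfg["gateway"])
        problems += check_vip(f"{name} LAN", cfg["lan"], cfg["lan_vip"])
    for key in ("wan_vip", "lan_vip"):
        if len({cfg[key] for cfg in nodes.values()}) != 1:
            problems.append(f"{key} is not identical on all nodes")
    return problems

if __name__ == "__main__":
    for problem in check_cluster(NODES):
        print(problem)
```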
Title: Re: Unable to access internet after CARP HA configuration, but NAT working.
Post by: byDoks on July 08, 2025, 10:53:45 AM
Quote from: Patrick M. Hausen on July 08, 2025, 10:50:42 AM
Your CARP WAN IP should be in the same /29 subnet as all other addresses, IMHO.

Of course, this is true; we receive a /29 subnet from the provider that is completely ours.
Title: Re: Unable to access internet after CARP HA configuration, but NAT working.
Post by: Peter_Lanser on October 14, 2025, 04:44:22 PM
Hi,

For this to work, you need to connect the routers to a switch and also connect the testing host to this switch. The internet uplinks also need to be connected to a switch connected to the WAN.

Create an outbound NAT rule like this:
Interface - Source - Source Port - Destination - Destination Port - NAT Address - NAT Port - Static Port - Description
WAN - This Firewall - * - * - * - WAN address - * - NO - This is for Internet for the firewalls themselves
WAN - ANY - * - * - * - WAN CARP VIP Address - * - NO - This forces the local internet traffic over the CARP internet address

You have already got a LAN virtual CARP address, so from this part you should have fail-over.
Title: Re: Unable to access internet after CARP HA configuration, but NAT working.
Post by: elie on October 24, 2025, 01:43:07 AM
Hello, I have a problem and I need help if possible.

I have 2 networks, one in prod and the other for testing.

In prod I have 2 VLANs, 1 and 2.

My hypervisor is in the prod network, on VLAN 1. Thanks to inter-VLAN routing, I reach my server from VLAN 2.

In my virtual network I have 2 LANs. My network has internet access through the OPNsense WAN, which is on VLAN 1. From my virtual LAN I reach VLAN 1. How can I reach my LAN networks from VLAN 2 of the prod network?