Hi all,
Is it possible to set up an OPNSense environment as a high-availability HA Cluster with the following constraints:
- Having private-addressed public interfaces, whilst the public IP address is in a /30 CIDR block?
Example: 1.2.3.4/30 as the public IP address, ISP Gateway = 1.2.3.5/20. It is therefore not possible to have a public IP address per interface in the HA Cluster group on WAN-type interfaces.
Here is the planned setup below; I would like opinions on whether it is a valid setup. Thanks in advance for feedback ;-)
To set up High Availability (HA) on OPNsense (via CARP), the official documentation typically states that you need 3 IP addresses in the same subnet: one for the Master, one for the Backup, and one shared Virtual IP (VIP). With a /30 subnet (which only provides 2 usable IP addresses), this standard method is mathematically impossible.
Fortunately, there is an excellent workaround: using the "IP Alias" mode combined with private addressing on the physical WAN interfaces.
Here is how to structure this configuration.
1. The Logical Architecture (The Concept)
The trick is to configure the physical WAN interfaces of your two OPNsense nodes with private IP addresses (for example, in a dedicated /24 or /29 subnet for the interconnection with your public router/gateway), and to set up a private CARP between them.
Then, you assign your single available public IP as an IP Alias attached to this private CARP VIP.
Addressing Schema
Imagine your provider's router (Gateway) has the public IP 1.2.3.5/30 and provides you with the IP 1.2.3.6/30. For the local interconnection, we will use the private network 192.168.100.0/29.
- ISP Router / Gateway: 1.2.3.5/30 (Routes traffic to your block)
- WAN Interconnection Network: 192.168.100.0/29
- OPNsense Master (Physical WAN): 192.168.100.1
- OPNsense Backup (Physical WAN): 192.168.100.2
- CARP VIP (Virtual): 192.168.100.3
- Virtual Public IP (IP Alias): 1.2.3.6 (carried by the CARP VIP 192.168.100.3)
2. Configuration Steps in OPNsense
Step 1: Configure Physical IPs and Private CARP
On the Master, assign the address 192.168.100.1/29 to the WAN interface.
On the Backup, assign the address 192.168.100.2/29 to the WAN interface.
Go to Interfaces -> Virtual IPs -> Settings.
Create a new Virtual IP of type CARP:
- Interface: WAN
- Address: 192.168.100.3 / 29
- Virtual IP Password: [Your password]
- VHID: [A unique identifier, e.g., 1]
Step 2: Add the Public IP as an IP Alias
This is where the magic happens to bypass the /30 limitation.
Still in Interfaces -> Virtual IPs -> Settings, create a new Virtual IP.
Choose the IP Alias type.
- Interface: WAN
- Address: 1.2.3.6 / 30 (Your single public IP)
- Virtual IP Association: Select the CARP VIP you just created (192.168.100.3).
💡 Why does this work? The public IP Alias will "graft" itself onto the private CARP IP. When the Master is active, it takes ownership of both the private CARP IP and the associated public IP. If the Master goes down, the Backup instantly recovers the CARP VIP and the public IP Alias.
Step 3: Configure the Gateway and NAT
In System -> Gateways -> Single, ensure that your WAN's default gateway correctly points to your ISP router's IP (1.2.3.5).
In Firewall -> NAT -> Outbound, switch the mode to Hybrid or Manual.
Modify your outbound NAT rules (or create one) so that Internet-bound traffic does not use the physical interface IP (192.168.100.x), but rather the public IP Alias (1.2.3.6).
3. Important Points of Vigilance
The Upstream Router (ISP / Switch): The router providing your /30 subnet must be capable of routing traffic destined for 1.2.3.6 toward the CARP VIP 192.168.100.3. If it is a simple Layer 2 switch or bridge, ensure that the ARP protocol resolves correctly.
Synchronization (pfsync): Do not forget to configure a dedicated interface (often called DMZ or SYNC) for state table synchronization (pfsync) and configuration synchronization (XMLRPC) between your two nodes.
"Promiscuous" Mode: If your OPNsense instances are virtual machines (VMware ESXi, Proxmox, Hyper-V), you must enable Promiscuous Mode / MAC Address Spoofing on the vSwitches of both the WAN and LAN interfaces. Otherwise, the CARP protocol will be blocked.
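A small consistency check for the addressing plan above, added here as example code (it is not from the post and not part of OPNsense). It only assumes Python's standard ipaddress module and uses the addresses from the post as its sample input; run it before committing the plan to both nodes.

```python
"""Sanity-check a CARP + IP Alias addressing plan on a /30 public block."""
from ipaddress import ip_interface


def needs_alias_workaround(public_cidr: str) -> bool:
    """True when the public block cannot hold master + backup + VIP (fewer than 3 usable hosts)."""
    net = ip_interface(public_cidr).network
    return net.num_addresses - 2 < 3


def check_ha_plan(master, backup, carp_vip, public_alias, isp_gateway):
    """Return a list of problems found; an empty list means the plan is consistent.

    All arguments are 'address/prefix' strings as they would be typed into OPNsense.
    """
    problems = []
    m, b, vip = (ip_interface(x) for x in (master, backup, carp_vip))
    pub, gw = ip_interface(public_alias), ip_interface(isp_gateway)

    # The private interconnect: one subnet, three distinct, usable host addresses.
    if not (m.network == b.network == vip.network):
        problems.append("master, backup and CARP VIP are not in one subnet")
    hosts = {m.ip, b.ip, vip.ip}
    if len(hosts) != 3:
        problems.append("master, backup and CARP VIP must be distinct addresses")
    for h in hosts:
        if h not in m.network.hosts():  # hosts() excludes network and broadcast
            problems.append(f"{h} is not a usable host address in {m.network}")
    if not m.network.is_private:
        problems.append("interconnect subnet should be private (RFC 1918) space")

    # The public alias must sit in the ISP's block, next to the gateway, and must
    # not overlap the private interconnect, otherwise the outbound NAT rule is wrong.
    if pub.network != gw.network:
        problems.append("public alias and ISP gateway are not in the same subnet")
    if pub.ip == gw.ip:
        problems.append("public alias collides with the ISP gateway address")
    if pub.ip not in pub.network.hosts():
        problems.append(f"{pub.ip} is the network or broadcast address of {pub.network}")
    if pub.ip in m.network:
        problems.append("public alias falls inside the private interconnect subnet")
    return problems


if __name__ == "__main__":
    # Sample values taken from the plan in the post.
    plan = ("192.168.100.1/29", "192.168.100.2/29", "192.168.100.3/29", "1.2.3.6/30", "1.2.3.5/30")
    print("needs IP Alias workaround:", needs_alias_workaround("1.2.3.6/30"))
    print("problems:", check_ha_plan(*plan) or "none")
```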