OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: engelant on July 05, 2019, 11:37:42 am

Title: CARP bound to Interface without standalone IP
Post by: engelant on July 05, 2019, 11:37:42 am
I would like to understand, if there is a technical limit due to CARP in place or if it's just an OPNsense limitation.

Using a Fritz!Box (or any router actually) I'm capable of creating an "emulated fixed WAN line" by creating a 10.0.200.1/30 subnet for transfer, assigning 10.0.200.1 to my router, 10.0.200.2 to my OPNsense and configuring the 10.0.200.2 address as an exposed host in my router.

Now with a second OPNsense I want to create a failover configuration, and naturally CARP sounds right. Removing the IP from the interface and leaving it empty on both OPNsense boxes, and then creating a CARP virtual IP, so the active instance is capable of talking to the Router.

Problem:

I still have a HA network configured for syncing purposes, so accessing the active CARP IP from the backup OPNsense would work with routing through that net, e.g. for accessing the Internet.
Am I missing something, do I have the wrong ideas of a proper HA architecture or is it wanted this way but just not implemented yet?
Title: Re: CARP bound to Interface without standalone IP
Post by: mimugmail on July 05, 2019, 01:33:40 pm
It should work when you set a fake network at physical WAN and only CARP IP as VIP, but as you said, a ping would be sourced from the fake network, also traceroute replies.

The NAT thing can be changed, when you edit the rule you can also select the CARP IP in dropdown.
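The two points raised in this thread, that a /30 transfer net leaves no usable address for the nodes' own interfaces once the router and the CARP VIP are placed, and that self-originated traffic from the fake network leaves with the fake source unless the outbound NAT rule translates to the CARP VIP, can be checked with a small address-plan script. This is an added example, not from the thread or from OPNsense; the fake WAN network 192.0.2.0/24 and the rule shape `(source_network, translation)` are constructed for illustration.

```python
"""Address-plan check for a CARP VIP on a small transfer network (constructed example)."""
from ipaddress import IPv4Address, IPv4Network


def transfer_plan(transfer: str, router: str, carp_vip: str, nodes: int) -> dict:
    """Report which usable addresses in the transfer net remain for the nodes' own interface IPs.

    For a /30 there are exactly two usable hosts: router and VIP consume both, so
    no standalone IP is left and the physical WAN needs a separate (fake) network.
    """
    net = IPv4Network(transfer)
    usable = set(net.hosts())
    router_ip, vip = IPv4Address(router), IPv4Address(carp_vip)
    if router_ip not in usable or vip not in usable:
        raise ValueError("router and CARP VIP must be usable addresses inside the transfer net")
    free = sorted(usable - {router_ip, vip})
    return {"free": [str(a) for a in free], "nodes_fit": len(free) >= nodes}


def outbound_nat_source(rules, iface_addr: str, carp_vip: str, pkt_src: str) -> str:
    """Apply the first matching outbound NAT rule and return the source the packet leaves with.

    rules: list of (source_network, translation) where translation is "interface"
    (interface address, the default behaviour) or "carp" (the CARP VIP selected
    as translation target). A packet from the node itself carries the fake
    interface address, so only the "carp" translation makes it leave as the VIP.
    """
    src = IPv4Address(pkt_src)
    for source_net, translation in rules:
        if src in IPv4Network(source_net):
            return iface_addr if translation == "interface" else carp_vip
    return pkt_src  # no rule matched: packet leaves with its original source


if __name__ == "__main__":
    print(transfer_plan("10.0.200.0/30", "10.0.200.1", "10.0.200.2", nodes=2))
    # Constructed fake WAN network on the physical interface of the backup node.
    fake_rules = [("192.0.2.0/24", "interface")]
    print(outbound_nat_source(fake_rules, "192.0.2.11", "10.0.200.2", "192.0.2.11"))
    vip_rules = [("192.0.2.0/24", "carp")]
    print(outbound_nat_source(vip_rules, "192.0.2.11", "10.0.200.2", "192.0.2.11"))
```

Widening the transfer net (e.g. a /29) is the one layout where the nodes keep standalone addresses next to the VIP; otherwise the outbound NAT translation must point at the CARP VIP for pings and traceroute replies to carry the router-facing address.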