OPNsense Forum

English Forums => High availability => Topic started by: jochen.korge on October 26, 2021, 03:15:36 pm

Title: HA/CARP, routed subnets and needed IPs
Post by: jochen.korge on October 26, 2021, 03:15:36 pm
Hi,
I'm trying to wrap my head around the possible configurations of CARP on our WAN side.

Our addresses are:
XX.XX.212.243/31 OPNsense WAN (gateway XX.XX.212.242)
Additionally, our provider routes two /29 subnets to XX.XX.212.243:
XX.XX.212.248/29
XX.XX.237.192/29

We're able to use all 16 addresses from the /29 nets as client or virtual IPs.

I do see two options:
1) we need to 1:1 NAT our main address onto another address like 10.0.0.1, used as CARP VIP, add 2 "normal" WAN interfaces 10.0.0.2 and 10.0.0.3 and use XX.XX.212.242 as far gateway
2) we ask our provider to move the allocation like so:
XX.XX.212.248/29 as our "main" subnet
XX.XX.212.249 gateway
XX.XX.212.250 CARP VIP <- XX.XX.237.192/29 and XX.XX.212.242/31 routed there
XX.XX.212.251 WAN FW1
XX.XX.212.252 WAN FW2
XX.XX.212.253 & 254 usable as client or "normal" virtual IP

Is there a third option? I dislike the additional NAT (mainly because we need a site-to-site IPsec tunnel, which dislikes NAT) and option 2 sounds like a lot of work.

Thanks in advance
Title: Re: HA/CARP, routed subnets and needed IPs
Post by: clarknova on October 28, 2021, 10:30:05 pm
I don't think option 1 is going to work unless your provider is using a PtP connection like PPP or is willing to set up static ARP, but I wouldn't count on it.

Option 2 would work, leaving you 2 VIPs for NAT and XX.XX.237.192/29 as a routed subnet.

A /31 network is mostly useless for any CARP setup unless you're going to also add one to your WAN as a VIP with a PtP from the provider.

I would start fresh and ask exactly how many public IPs you want on your LAN. This will determine the size of your routed subnet(s), accounting for 3 addresses for CARP. Then ask your provider for 3 public IP addresses in a single network for your WAN side in addition to your LAN subnet(s).
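As an added illustration of the address counting in the two posts above (the "option 2" layout and the 3-addresses-for-CARP point), not code from the thread or from OPNsense: a small Python planner that carves the provider gateway, CARP VIP and one address per node out of a WAN prefix, points the routed prefixes at the VIP, and rejects a /31. The 192.0.2.x and 198.51.100.x values are constructed documentation-range placeholders for the thread's XX.XX addresses.

```python
import ipaddress

# Constructed sample values standing in for the thread's XX.XX addresses
# (RFC 5737 documentation ranges); the layout mirrors "option 2".
WAN_SUBNET = "192.0.2.248/29"
ROUTED_SUBNETS = ["198.51.100.192/29", "192.0.2.242/31"]


def plan_carp_wan(wan_cidr, routed_cidrs):
    """Allocate WAN addresses for a two-node CARP pair from one subnet.

    Allocation order follows the thread: provider gateway, CARP VIP,
    FW1, FW2, then spares usable as client or ordinary virtual IPs.
    Raises ValueError when the prefix cannot hold those four addresses
    (the /31 case) or when a routed subnet overlaps the WAN subnet.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=True)
    hosts = list(wan.hosts())  # a /31 yields at most 2 here, a /29 yields 6
    if len(hosts) < 4:
        raise ValueError(
            f"{wan} offers {len(hosts)} usable address(es); CARP needs "
            "gateway + VIP + one address per node"
        )
    gateway, vip, fw1, fw2, *spare = hosts
    routed = []
    for cidr in routed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(wan):
            raise ValueError(f"routed subnet {net} overlaps WAN subnet {wan}")
        # The provider must route the prefix to the VIP, not to a node
        # address, otherwise the prefix goes dark when that node fails over.
        routed.append({"prefix": str(net), "next_hop": str(vip),
                       "addresses": net.num_addresses})
    return {
        "wan": str(wan),
        "gateway": str(gateway),
        "carp_vip": str(vip),
        "fw1": str(fw1),
        "fw2": str(fw2),
        "spare": [str(a) for a in spare],
        "routed": routed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan_carp_wan(WAN_SUBNET, ROUTED_SUBNETS), indent=2))
```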
Title: Re: HA/CARP, routed subnets and needed IPs
Post by: mimugmail on October 29, 2021, 06:49:49 am
The second mostly works only when ordering a new line. Head over to your ISP and tell them you want a PE from them offering a /29. This is possible e.g. for Colt in Germany.