OPNsense Forum » English Forums » High availability » CARP on WAN with 1-3 public IPs
Topic: CARP on WAN with 1-3 public IPs (Read 487 times)
j.koopmann (Newbie, Posts: 5, Karma: 0)
CARP on WAN with 1-3 public IPs
« on: September 24, 2024, 09:56:30 am »
Hi,
With the hosting service I am using, I can easily get two virtual servers running OPNsense and create as many virtual networks and virtual network cards as I want. BUT: when it comes to external public IP addresses, I am (currently) not able to get a /29 or similar network assigned to the WAN network. I can book one or three individual IP addresses, but these would not come from the same network/broadcast domain.
Question: Can this be made to work with CARP on OPNsense? I have read in other forums with pf/CARP that you could assign a private network to the WAN interfaces, give each firewall one unique private IP of this network, and configure CARP on that. Then create a virtual CARP IP (public IP not part of the pseudo WAN network) on the WAN interface. Is it common consensus that this should actually work?
The two firewalls will have to communicate with the CARP protocol on the WAN network via their private unique IP addresses, correct? This is not only done via the internal CARP networks (LAN interface, pfsync etc.).
Even if it works and is supported (which I hope), I assume it would be nice to still have fixed public IP addresses attached to the individual firewalls. Would I be able to do that?
- WAN Interface 192.168.100.0/24 / WAN FW 1 192.168.100.1, WAN FW 2 192.168.100.2
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
- public IP non floating on Firewall 1, virtual IP WAN interface IP Alias 4.5.6.7
- public IP non floating on Firewall 2, virtual IP WAN interface IP Alias 5.6.7.8
Would this work? Reading the documentation, I assume I will not be able to use IPsec, OpenVPN, HAProxy etc. with the IP Aliases on the WAN interfaces, but those should go to the virtual CARP address anyway.
Or can the fixed WAN IPs (that are also being used for CARP) also come from different networks like this?
- WAN FW 1 4.5.6.7, WAN FW 2 5.6.7.8
- public IP floating / virtual IP CARP on WAN interface 1.2.3.4/24
Regards
JP
viragomann (Full Member, Posts: 196, Karma: 7)
Re: CARP on WAN with 1-3 public IPs
« Reply #1 on: September 26, 2024, 08:02:25 pm »
The WAN IPs of both nodes and the CARP VIP have to be within the same subnet.
You can go with a private WAN subnet and hook up the public IP on the CARP VIP. You might have read that this has some drawbacks.
But first of all ensure that the CARP or VRRP protocol is supported by your hosting service.
If there is an underlying SDN, as most providers use, it's probably not. Also, MAC spoofing must be allowed.
« Last Edit: September 26, 2024, 08:11:12 pm by viragomann »
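Added example, not part of the original thread and not OPNsense code: a Python check for the two prerequisites named in the reply above, namely that the peer's CARP advertisements actually cross the provider network and that they still arrive from the virtual MAC. The frames are constructed samples using the private addresses from the first post, and the function names are hypothetical.

```python
import socket
import struct

CARP_PROTO = 112                             # IP protocol number CARP shares with VRRP
CARP_GROUP = socket.inet_aton("224.0.0.18")  # advertisements go to this multicast group
VMAC_PREFIX = bytes.fromhex("00005e0001")    # virtual MAC is 00:00:5e:00:01:<vhid>

def parse_carp(frame):
    """Return the fields of a CARP advertisement in an Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # untagged IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != CARP_PROTO or len(ip) < ihl + 8:
        return None
    hdr = ip[ihl:ihl + 8]
    if hdr[0] != 0x21:        # version 2, type 1 (advertisement); VRRPv2 looks the same
        return None
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "vhid": hdr[1], "advskew": hdr[2], "advbase": hdr[5],
        "to_group": ip[16:20] == CARP_GROUP and ip[8] == 255,   # group address, TTL 255
        "from_vmac": frame[6:12] == VMAC_PREFIX + bytes([hdr[1]]),
    }

def peer_ads(frames, own_ip):
    """Advertisements in a capture that were sent by a node other than own_ip."""
    ads = (parse_carp(f) for f in frames)
    return [a for a in ads if a and a["src_ip"] != own_ip]

def build_ad(src_mac, src_ip, vhid, advskew):
    """Constructed sample frame (checksums and HMAC zeroed; parse_carp ignores them)."""
    eth = bytes.fromhex("01005e000012") + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 56, 0, 0, 255, CARP_PROTO, 0,
                     socket.inet_aton(src_ip), CARP_GROUP)
    carp = bytes([0x21, vhid, advskew, 7, 0, 1]) + bytes(2 + 8 + 20)
    return eth + ip + carp

# Constructed capture as seen on FW 2 (192.168.100.2): its own advertisement, the
# peer's, a peer frame whose source MAC is not the virtual one, and an ARP frame.
SAMPLE = [
    build_ad(VMAC_PREFIX + b"\x01", "192.168.100.2", 1, 100),
    build_ad(VMAC_PREFIX + b"\x01", "192.168.100.1", 1, 0),
    build_ad(bytes.fromhex("020000aa0001"), "192.168.100.1", 1, 0),
    bytes.fromhex("ffffffffffff020000aa0001") + b"\x08\x06" + bytes(28),
]
```

An empty result from `peer_ads` on the backup node's WAN capture means the peer's advertisements are not getting through; entries with `from_vmac` false mean the source MAC did not survive the path.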