Setting Up CARP on LAN facing interfaces only

[s1rr10n]

Hello,


I have two opnsense nodes installed on separate physical hypervisors as VM.
Each of them have their own LAN IP statically assigned. My ISP assigned their WAN IP via DHCP on each.

The documentation https://wiki.opnsense.org/manual/how-tos/carp.html mentioned I need to have both WAN and LAN in CARP.
Is it possible to enable CARP only on the LAN Interface (as this is the default gateway of my LAN)?

I do not need to have state synchronization. The goal is that if I need to do maintenance on the first hypervisor, the second gateway will take over and provide internet access to my LAN users.

Thanks!

[mimugmail]

Sure, this will work, but how is WAN configured?

[s1rr10n]

Hi,


Each Virtual Firewall have its own public IP assigned by my ISP.

When there is a failover, of course the LAN users active NAT sessions and mapping will drop and will need to reestablish, but that's not a big problem in this setup.

The bigger problem is that I found out the throughput drops by 50% when I use virtual IP. The same setup, when setting my PC to use the Physical IP of the firewall gives me near line rate 1 Gbps throughput. So I am sure this is not a resource issue.

Any idea what might be causing the throughput drop when using Virtual IP?

I searched around google and this forum and could find sporadically ppl having problems with this but no really concrete solution...

[mimugmail]

You mean it decreased from 1000 to 500 but using the same uplink? Never heard of oO