Question about CARP

Started by DividedByPi, January 20, 2020, 03:40:37 PM

Hi there. New to the forum, and I have some questions I was hoping I could get some help with. Thanks!

So I am working on a little PoC project and so I have been given a block of 5 IP addresses from my WAN. I am currently using OPNsense as my Router/Firewall. However, I have been thinking about setting up CARP for automatic failover just to eliminate a single point of failure.

However, looking at the document to set it up - it appears that it is set up as a redundant firewall, and not router as well. The document assumes there is another router in front of the redundant firewalls before it passes on to the internet.

So my question is, since I have a block of 5 Public IP addresses from my ISP, I am wondering if I will come across any issues by configuring VHID Group 1 (from the document) to be addresses I have been given from my ISP? 

The IPs I have been given are all within the same subnet, of course.

You will need 3 IPs for CARP: unit1, unit2, and the virtual IP. Then you are good to go :)

Oh really, that is awesome! Thanks

Probably two ISPs should be considered too, otherwise it is a bit of a moot point...

Yeah that is very true if I wanted true HA WAN, but this is essentially just to have HA firewalls without the need to put an additional router in front of them. It will service my needs for now!

Another thing that is off-topic, and probably warrants another thread, but - I was just doing some learning and trying new things, and I set up a virtual IP (alias) on what is still currently my single OPNsense router and gave it one of the IPs from the block I was given... This, however, broke the VPN I have set up on the router immediately. I know there's probably a very obvious reason for this, but I think I am missing it.