Question about carp with 1 VIP

Started by epytir, March 17, 2023, 12:01:39 PM

Hello,

I'm new to OPNsense and moving our firewall from SonicWall to OPNsense.

I have a question.
I have configured HA with CARP like this:
1 WAN address for both firewalls + 1 VIP
1 MGM address for both firewalls + 1 VIP
pfsync interface: 1 IP for Firewall1 and 1 for Firewall2
around 20 VLAN interfaces with ONLY 1 VIP, no physical IP on the interfaces

I tested HA last week and this was working totally fine; everything got successfully transferred to the backup FW.
In the docs I now read that you normally have to have 3 IPs on every VLAN.

In my case this is not possible because we have a lot of small VLANs without enough IPs for that. Since my HA test was successful, what is the downside of only having WAN and MGM with 3 IPs while all other VLANs only have 1?

Thanks for your help
Epytir

You would want to have an IP in said VLAN range so that you could contact the FWs in said VLAN segment directly and individually.
Of course one could open up the LAN IP/VIP from any other VLAN, if your ruleset allows that.
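As an added example (not from either poster), a small check that lists which interfaces carry only a CARP VIP and no per-node address, i.e. the VLANs on which the reply says the individual firewalls cannot be reached; it parses FreeBSD-style `ifconfig -a` output, and the sample text, interface names and addresses below are constructed.

```python
import re

# Constructed FreeBSD-style `ifconfig -a` excerpt (not real output from the
# poster's firewalls): igb0 has a node address plus a CARP VIP, vlan10 has
# only the CARP VIP, igb3 (pfsync) carries a per-node address only.
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255 vhid 10
\tcarp: MASTER vhid 10 advbase 1 advskew 0
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.255.1 netmask 0xfffffffc broadcast 192.168.255.3
"""

# Interface header lines start at column 0: "igb0: flags=8843<...>"
IFACE_RE = re.compile(r"^(\S+): flags=")


def parse_ifconfig(text):
    """Return {ifname: {"node": [addrs], "vip": [addrs]}}.

    On FreeBSD a CARP address is shown as an ordinary "inet" alias line that
    carries a trailing "vhid N" token; addresses without it belong to the node.
    """
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"node": [], "vip": []}
            continue
        tokens = line.split()
        if current and len(tokens) >= 2 and tokens[0] == "inet":
            kind = "vip" if "vhid" in tokens else "node"
            ifaces[current][kind].append(tokens[1])
    return ifaces


def vip_only_interfaces(ifaces):
    """Interfaces reachable only via the shared VIP, never per node."""
    return sorted(name for name, a in ifaces.items() if a["vip"] and not a["node"])


if __name__ == "__main__":
    for name in vip_only_interfaces(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{name}: CARP VIP only, no per-node address")
```

On a live box you would feed it the real `ifconfig -a` output instead of the constructed sample.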