HA CARP with x.x.x.x/28 WAN Subnet

[mestafin]

Gents,

I need some help please with 2 x OPNsense fw units in a HA CARP setup.

I have configured the HA CARP correctly and it works 100% with vlans and an IPsec Site-tot-Site link to our other site. Each fw has it's own public ip and then one public CARP VIP. The IPsec link also works with the CARP VIP defined on the WAN subnet.

We plan to use some of the other public WAN ip's with 1:1 NAT and vm's as mail and web servers, each with his own dedicated public IP from the WAN subnet. (This is how we had it previously on our HA Cisco ASA firewalls)

What is not clear to me, is how do I "CARP" the other public wan ip's?

Do I need 3 public ip's for each vm now - one per fw and one CARP VIP assigned to the vm?

Surely that can't be right?

[mimugmail]

You should be able to add IP alias to your existing VIP

[mestafin]

You should be able to add IP alias to your existing VIP

Can you explain or expand this answer please?

[mimugmail]

Firewall - Virtual IPs - Settings
Mode IP Alias

There you put in your IP address und below is the dropdown field for your VHID (the number you choosed when adding the VIP).

Thats it

[mestafin]

Thanks, now I am starting to get it.

One more question, when I define the CARP VIP or the VIP Alias, do I specify the netmask as /32 (single IP) or do I use the WAN subnet netmask /28 (the whole WAN subnet) ?

[mimugmail]

I'd say /28