I’m looking at replacing our Watchguard HA firewall pair with a Netgate pfSense HA firewall pair. The question I haven’t been able to find an answer for is whether pfSense HA (CARP) will work with one of our WAN connections, Google Fiber. They do things a little differently with static IP blocks. A static IP is persistently allocated to the WAN interface via DHCP, then a /29 block of IPs from a different range is routed. The Netgate documentation and YouTube video on HA say a WAN interface must be set as static and CARP VIPs should be in the same subnet. Below is an example screenshot from the Google Fiber help site.
Anyone found a way to make this work?
I have never tested if it will work with DHCP.
That I believe is similar to AT&T Fiber, as the modem has a 104.189.205.xx but also allows me to “Allocate” one of the five “Static IPs” I got assigned when I paid extra for them. To be honest, I’m learning Network+ now, so I can’t say how you would configure the pfSense to hand off or pass through the public IP addresses internally.
You can route public IPs via pfSense, but it’s not something we use because generally most people want to use pfSense as the firewall and NAT device.
I reached out to Netgate and they say HA isn’t possible without a static IP. However, Tom’s post sparked a possible workaround. In theory, I could add a pfSense or EdgeRouter between Google Fiber and the pfSense HA pair that simply routes the public IPs. This way the pfSense HA pair can have WAN addresses in the same subnet statically assigned. Not very clean, and adds another point of failure for that WAN connection, but we do have a second WAN for redundancy.
You don’t need static IPs to do HA with Google Fiber. Obviously your connections are going to drop (mostly due to the public IP switch), but for home use this works. Google Fiber hands out two dynamic IPs, so the only thing you need to do is follow a guide to do CARP and just don’t do anything for the WAN side of things, especially setting up WAN virtual IPs.
This is what I did at home with Google Fiber. Since my primary router runs on a VM, but I always need to shut down or do something with the host, I got a really low-powered pfSense box that is separately powered and running as a backup. This way no one at home complains.
I’m more than happy to give you details if you cannot figure it out.
@hansaya, thanks for the info. In this case we are using Google Fiber Business, where our firewall’s WAN connection comes directly from the fiber jack via a DHCP reservation and our block of static IPs is in a different subnet. Here is an excerpt from an email from Netgate that described the issue clearly for me: “The WAN interfaces of both nodes and the shared CARP IP address must all be in the same subnet to function in a CARP setup. It must be possible for the nodes to communicate via broadcast traffic. This is how the CARP advertisements are exchanged to determine the status of each node and failover/failback when necessary.”
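A small added example (not from anyone in this thread, and not Netgate’s or Google’s code) that turns the Netgate rule quoted above into a check you can run against your own addressing, and then walks through the “intermediate router” workaround from the earlier post: the edge router keeps the DHCP WAN address, the routed /29 becomes a transit subnet behind it, and the two pfSense nodes plus the CARP VIP are carved out of that /29 so they share one broadcast domain. All addresses are constructed documentation ranges, not real Google Fiber assignments.

```python
import ipaddress

# Constructed sample addressing for a Google-Fiber-style business hand-off:
# each node's WAN gets a DHCP host address in the provider's subnet, while the
# static /29 is a separate block routed toward that address. Illustrative only.
WAN_DHCP_NODE_A = "203.0.113.10/24"   # constructed
WAN_DHCP_NODE_B = "203.0.113.11/24"   # constructed
ROUTED_BLOCK = "198.51.100.8/29"      # constructed


def carp_wan_ok(node_a: str, node_b: str, vip: str) -> bool:
    """Apply the rule from Netgate's email: both node WAN addresses and the
    shared CARP VIP must sit in one subnet so CARP advertisements (sent as
    link-local multicast/broadcast) reach the peer."""
    ifaces = [ipaddress.ip_interface(x) for x in (node_a, node_b, vip)]
    return len({i.network for i in ifaces}) == 1


def plan_transit(routed_block: str) -> dict:
    """Carve the routed block into a transit subnet for the workaround:
    one address for the edge router (gateway of the HA pair), one per
    pfSense node, one CARP VIP, the rest left spare. Raises if the block
    is too small to hold all four required addresses."""
    net = ipaddress.ip_network(routed_block, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 4:
        raise ValueError(
            f"{routed_block} has {len(hosts)} usable addresses; "
            "need at least 4 (gateway, node A, node B, CARP VIP)"
        )
    gw, a, b, vip = hosts[:4]
    p = net.prefixlen
    return {
        "edge_gateway": f"{gw}/{p}",
        "node_a": f"{a}/{p}",
        "node_b": f"{b}/{p}",
        "carp_vip": f"{vip}/{p}",
        "spare": [str(h) for h in hosts[4:]],
    }


if __name__ == "__main__":
    # As delivered: DHCP WAN addresses and a VIP from the routed block do not
    # share a subnet, which is exactly the case Netgate says CARP cannot handle.
    naive_vip = f"{list(ipaddress.ip_network(ROUTED_BLOCK).hosts())[3]}/29"
    print("CARP on raw Google Fiber WAN:",
          carp_wan_ok(WAN_DHCP_NODE_A, WAN_DHCP_NODE_B, naive_vip))

    # With an edge router in front, the /29 becomes the HA pair's WAN subnet.
    plan = plan_transit(ROUTED_BLOCK)
    for role, addr in plan.items():
        print(f"{role:13s} {addr}")
    print("CARP on transit subnet:",
          carp_wan_ok(plan["node_a"], plan["node_b"], plan["carp_vip"]))
```

The trade-off the earlier post already notes still applies: the edge router becomes a single point of failure for that WAN, and it also consumes one of the six usable addresses in the /29, leaving two spare after the pair and VIP are assigned.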
Having static WAN IPs in two different subnets doesn’t matter on your setup. You need three static IPs (regardless of subnets): one for each router and one that would be shared and set as a virtual IP. The virtual one will be used for your clients, so this way most of your clients won’t see a disruption when your backup router takes over.
The CARP interface is a different network. pfSense uses that to communicate between each router (privately). The CARP network should be a direct connection between the two routers without a switch (recommended).