Determine IP Address Assignments

For this example, four IP addresses will be used on each WAN. Each firewall needs an IP address, plus one CARP VIP for Outbound NAT, plus an additional CARP VIP for a 1:1 NAT entry that will be used for an internal mail server in the DMZ segment.

WAN and WAN2 IP Addressing

Tables 4 and 5 show the IP addressing for WAN and WAN2 respectively. In most environments these will be public IP addresses.

Table 4: WAN IP Addressing

IP Address        Usage
198.51.100.200    Shared CARP VIP for Outbound NAT
198.51.100.201    Primary firewall WAN
198.51.100.202    Secondary firewall WAN
198.51.100.203    Shared CARP VIP for 1:1 NAT

Table 5: WAN2 IP Addressing

IP Address        Usage
203.0.113.10      Shared CARP VIP for Outbound NAT
203.0.113.11      Primary firewall WAN2
203.0.113.12      Secondary firewall WAN2
203.0.113.13      Shared CARP VIP for 1:1 NAT

LAN Addressing

The LAN subnet is 192.168.1.0/24. For this example, the LAN IP addresses will be assigned as follows.

Table 6: LAN IP Address Assignments

IP Address        Usage
192.168.1.1       CARP shared LAN VIP
192.168.1.2       Primary firewall LAN
192.168.1.3       Secondary firewall LAN

DMZ Addressing

The DMZ subnet is 192.168.2.0/24. For this example, the DMZ IP addresses will be assigned as follows in Table 7.

Table 7: DMZ IP Address Assignments

IP Address        Usage
192.168.2.1       CARP shared DMZ VIP
192.168.2.2       Primary firewall DMZ
192.168.2.3       Secondary firewall DMZ

pfsync Addressing

There will be no shared CARP VIP on this interface because there is no need for one. These IP addresses are used only for communication between the firewalls (pfsync state replication and configuration synchronization). Because pfsync traffic is neither authenticated nor encrypted, this subnet should be a dedicated link between the two firewalls, not a segment shared with other hosts. For this example, 172.16.1.0/24 will be used as the Sync subnet. Only two IP addresses will be used, but a /24 is used to be consistent with the other internal interfaces. For the last octet of each IP address, the same last octet as that firewall's LAN IP is chosen for consistency.

Table 8: Sync IP Address Assignments

IP Address        Usage
172.16.1.2        Primary firewall Sync
172.16.1.3        Secondary firewall Sync
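The addressing plan in Tables 4 through 8 only works if a handful of invariants hold: every address sits in its interface's subnet, the primary, secondary and VIP addresses on an interface never collide, every interface that carries client or NAT traffic has a shared CARP VIP while the Sync interface has none, the interface subnets do not overlap, and the Sync addresses keep the same last octet as the LAN addresses. The following script is an added example, not part of the pfSense documentation, that encodes the plan from the tables and checks those invariants before anything is typed into either firewall. The /24 masks on WAN and WAN2 are assumptions, since the text lists only host addresses.

```python
"""Validate a CARP/pfsync high-availability addressing plan.

Added example (not from the pfSense documentation). Encodes the Tables 4-8
plan and checks the invariants the plan depends on. WAN and WAN2 masks
(/24) are assumptions; the text gives only the host addresses.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Interface:
    name: str
    subnet: ipaddress.IPv4Network
    primary: ipaddress.IPv4Address      # address owned by the primary firewall
    secondary: ipaddress.IPv4Address    # address owned by the secondary firewall
    vips: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)  # shared CARP VIPs


def iface(name: str, subnet: str, primary: str, secondary: str, **vips: str) -> Interface:
    """Build an Interface from string addresses; keyword args are named CARP VIPs."""
    return Interface(
        name,
        ipaddress.ip_network(subnet),
        ipaddress.ip_address(primary),
        ipaddress.ip_address(secondary),
        {role: ipaddress.ip_address(a) for role, a in vips.items()},
    )


# Constructed from Tables 4-8 of the text. Subnet masks on the WANs are assumptions.
PLAN: List[Interface] = [
    iface("WAN", "198.51.100.0/24", "198.51.100.201", "198.51.100.202",
          outbound_nat="198.51.100.200", one_to_one_nat="198.51.100.203"),
    iface("WAN2", "203.0.113.0/24", "203.0.113.11", "203.0.113.12",
          outbound_nat="203.0.113.10", one_to_one_nat="203.0.113.13"),
    iface("LAN", "192.168.1.0/24", "192.168.1.2", "192.168.1.3", shared="192.168.1.1"),
    iface("DMZ", "192.168.2.0/24", "192.168.2.2", "192.168.2.3", shared="192.168.2.1"),
    iface("SYNC", "172.16.1.0/24", "172.16.1.2", "172.16.1.3"),   # no VIP by design
]


def validate_plan(plan: List[Interface], sync_name: str = "SYNC",
                  lan_name: str = "LAN") -> List[str]:
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    for i in plan:
        addrs = {"primary": i.primary, "secondary": i.secondary, **i.vips}
        seen: Dict[ipaddress.IPv4Address, str] = {}
        for role, a in addrs.items():
            # Every address must be a usable host address inside the interface subnet.
            if a not in i.subnet:
                problems.append(f"{i.name}: {role} {a} is not in {i.subnet}")
            elif a in (i.subnet.network_address, i.subnet.broadcast_address):
                problems.append(f"{i.name}: {role} {a} is the network or broadcast address")
            # Primary, secondary and each VIP must be distinct addresses.
            if a in seen:
                problems.append(f"{i.name}: {role} reuses {a} already assigned to {seen[a]}")
            seen[a] = role
        # The Sync interface carries no VIP; every other interface needs at least one.
        if i.name == sync_name:
            if i.vips:
                problems.append(f"{i.name}: sync interface must not carry a CARP VIP")
        elif not i.vips:
            problems.append(f"{i.name}: no shared CARP VIP defined")
    # Interface subnets must not overlap, or routing between them is ambiguous.
    for idx, a in enumerate(plan):
        for b in plan[idx + 1:]:
            if a.subnet.overlaps(b.subnet):
                problems.append(f"{a.name} {a.subnet} overlaps {b.name} {b.subnet}")
    # Convention from the text: Sync last octet matches that firewall's LAN last octet.
    by_name = {i.name: i for i in plan}
    if sync_name in by_name and lan_name in by_name:
        s, l = by_name[sync_name], by_name[lan_name]
        for role in ("primary", "secondary"):
            if int(getattr(s, role)) & 0xFF != int(getattr(l, role)) & 0xFF:
                problems.append(f"{role}: Sync last octet differs from LAN last octet")
    return problems


def addresses_per_interface(plan: List[Interface]) -> Dict[str, int]:
    """Count how many addresses each interface consumes (firewall IPs plus VIPs)."""
    return {i.name: 2 + len(i.vips) for i in plan}


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["addressing plan is consistent"]:
        print(line)
    print(addresses_per_interface(PLAN))
```

Running it against the plan from the tables reports no problems and shows four addresses consumed on each WAN, three on LAN and DMZ, and two on Sync. Swapping one address into the wrong subnet, reusing a VIP for both NAT entries, or adding a VIP to the Sync interface each produces a specific message, which is cheaper to catch here than after a failover that lands traffic on the wrong firewall.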