If multiple subnets are required on a single interface with HA, this may be accomplished using IP Aliases. As with the main interface IP addresses, we recommend that each firewall have its own IP address inside the additional subnet, for a total of at least three IP addresses per subnet: one on each node plus the shared CARP VIP. A separate IP Alias entry must be added on each node inside the new subnet, and its subnet mask must match the actual subnet mask of the new subnet. IP Alias VIPs that are directly on an interface do not sync, so adding a different entry on each node is safe.

Once the IP Alias VIP has been added to both nodes to gain a foothold in the new subnet, CARP VIPs may then be added using IP addresses from the new subnet.

It is possible to omit the IP Aliases and use a CARP VIP directly in the other subnet so long as communication between the additional subnet and both individual HA nodes is not required.
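
The address plan described above can be checked before anything is entered on the firewalls. The following is an added example, not part of the pfSense documentation: the function name, its parameters, and the addresses (taken from a documentation range) are constructed for illustration, and applying the mask check to CARP VIPs as well as IP Aliases is an assumption of this example.

```python
import ipaddress

def check_extra_subnet(subnet, node_aliases, carp_vips, nodes_need_access=True):
    """Return a list of problems in a plan for an additional subnet on an HA pair.

    subnet            -- the new subnet in CIDR form
    node_aliases      -- {node name: "address/prefix"}, the IP Alias planned on each node
    carp_vips         -- ["address/prefix", ...], CARP VIPs planned in the new subnet
    nodes_need_access -- False models the case where the IP Aliases are omitted
    """
    net = ipaddress.ip_network(subnet)
    problems = []
    if nodes_need_access and len(node_aliases) < 2:
        problems.append("each HA node needs its own IP Alias in the new subnet")
    if not carp_vips:
        problems.append("no CARP VIP planned in the new subnet")

    entries = [(f"IP Alias on {name}", cidr) for name, cidr in node_aliases.items()]
    entries += [(f"CARP VIP {cidr}", cidr) for cidr in carp_vips]
    used = {}  # address -> label of the first entry that claimed it
    for label, cidr in entries:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip not in net:
            problems.append(f"{label}: {iface.ip} is outside {net}")
        elif iface.network.prefixlen != net.prefixlen:
            # Assumption of this example: the same mask rule is applied to CARP VIPs.
            problems.append(
                f"{label}: mask /{iface.network.prefixlen} does not match /{net.prefixlen}")
        if iface.ip in used:
            problems.append(f"{label}: {iface.ip} is already used by {used[iface.ip]}")
        used.setdefault(iface.ip, label)
    return problems

# Constructed plan: one IP Alias per node plus one CARP VIP, three addresses in total.
GOOD_PLAN = {
    "subnet": "198.51.100.0/24",
    "node_aliases": {"primary": "198.51.100.2/24", "secondary": "198.51.100.3/24"},
    "carp_vips": ["198.51.100.1/24"],
}

if __name__ == "__main__":
    print(check_extra_subnet(**GOOD_PLAN) or "plan is consistent")
```

Passing `nodes_need_access=False` with an empty `node_aliases` models the CARP-only layout from the last paragraph, where the nodes themselves do not need to communicate with the additional subnet.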