@stephenw10 said in How to make HA on 2 pfSense on bare metal WITH 4 x UPLINKS WANs ?:
Well it would remove load from the firewall. So if you were under a DDoS attack and needed to still route between internal subnets that could be useful. But it wouldn't help with the attack itself much.
Agree! Anyway, for medium/big DDoS it is better to deal with it at the local ISP + CloudFlare level. There is no room for an edge FW here… :)
Let me note that, thinking in the "Zero trust" direction, an FW on the end local node/service as "fine-tuning firewalling" would also be great, because each end node knows better what in particular (and how) needs to be secured.
So in the end we build a 3-layered (at minimum) defense:
ACLs on edge ASIC-based switches;
pfSense as edge FW;
PF/IPF/IPFW FW (certificates, tokens, etc…) on end node/service;
What do you think about this 3-layered scheme, @stephenw10?
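As an added illustration of the third layer in the scheme above (host-level PF on the end node), not code from this thread or from stephenw10: a minimal FreeBSD /etc/pf.conf that defaults to deny, lets the node expose only the one service it runs, and restricts management access to a management subnet. The interface name em0, the subnet 10.0.10.0/24 and the choice of HTTPS as the only exposed service are assumptions for the example.

```pf
# Added example: host-level pf ruleset for an end node (FreeBSD /etc/pf.conf).
# Assumptions: uplink interface em0, management subnet 10.0.10.0/24,
# and the node exposes HTTPS only. Adjust to the real node.
ext_if   = "em0"
mgmt_net = "10.0.10.0/24"

# Addresses that exceed the SSH connection rate land here and stay blocked
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Default deny in both directions; log what hits this rule so misses are visible
block log all

# Anything already flagged as brute-forcing is dropped before any pass rule
block in quick on $ext_if from <bruteforce>

# Outbound: allow what the node itself initiates, keep state for the replies
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) to any keep state

# Inbound: only the service this node is meant to serve
pass in on $ext_if proto tcp from any to ($ext_if) port 443 flags S/SA keep state

# Management: SSH only from the management subnet, rate-limited per source;
# more than 5 new connections in 30 s moves the source into <bruteforce>
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists sources that tripped the rate limit. The point of this layer is that the edge pfSense and switch ACLs only know subnets and ports, while the node's own ruleset can be as narrow as "port 443 from anywhere, port 22 from management only".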