Failing a subnet over to DR site
-
Ok, let's say there are 2 sites. HQ and DR. Each site has 2 WAN connections.
Current scenario: I'm doing VLAN to VLAN routing (within a single site) not in pfSense, but in our Aruba switches and using ACLs to restrict traffic.
If the traffic is bound for a subnet not in the LAN, the default route 0.0.0.0 of the Aruba switch is the pfSense edge router. The pfSense edge routers maintain 2 OpenVPN S2S connections between them. There is a gateway group VPN1_failover_VPN2 for each rule coming into the LAN interface of pfSense that sends the traffic over VPN1 if it's up, then VPN2 if VPN1 is down.
If I need to spin up my servers at the DR site, it's a simple matter of removing the IPs for that subnet from the switch, and letting the traffic go to the edge router, which has rules in place to send that traffic over the VPN. Normally the traffic does not go to pfSense because the routing is done in the switches.
I keep having to shorten my ACLs because the Aruba switches have shit for ACL rule storage, so I'm considering moving all the LAN routing to pfSense as well.
But then I will have LAN rules allowing traffic from VLAN to VLAN using a gateway of * above the rules allowing the traffic over the VPN with the gateway group specified. So now to do the failover, I have to edit a bunch of rules on a bunch of different VLAN interfaces.
Of course one solution is to use 2 pfSense routers at each location. One for LAN routing, and keep the edge router in its current role just like it is with the Arubas in the mix.
Is there anything I'm missing? Is there a simpler way to do it all with one pfSense router at each location?