Netgate Discussion Forum

offline backup box in case main box fails

  • J
    john24634
    last edited by Feb 25, 2023, 7:15 PM

    Hi Guys,

    I was looking for a SIMPLE way to have an updated 2nd pfSense box available if the Main one fails.

    And keep it off most of the time and turn it on automatically if the main box fails eventually. Has any one of you guys done it?

    I think the challenge is also to keep the 2nd box config updated.

    And it will be nice to keep it off and turn it on automatically if the first box fails....

    pfSense HA is amazing; however, it requires you to have 2 WAN, etc.... I just wanted something simpler

    Any suggestions?

    John

    • D
      Dobby_
      last edited by Dobby_ Feb 26, 2023, 2:43 AM Feb 26, 2023, 12:37 AM

      You could periodically do a system backup and a config backup to a place in the network or elsewhere. If the first box fails, you turn on the second one, fetch the system backup and later the config backup, reboot once more, and all is fine; let us say 30 minutes, depending on your hardware power, and all is done and working again.
      So one box can be unpowered the entire time.

      EDIT:

      ISP -- Modem -- Switch -- 2 x pfSense connected
      Would also run nice but both units must be running
      all the time.

      #~. @Dobby

      Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
      PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
      PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

      • S
        SteveITS Galactic Empire @john24634
        last edited by Feb 26, 2023, 2:35 AM

        @john24634 It’s technically possible to use HA with one public IP if your ISP router provides NAT. Comcast and AT&T DSL do this in bridge mode. I’ve used Comcast.

        Wan1 - 10.1.10.2
        WAN2 - 10.1.10.3
        Shared IP - public IP

        Now both routers have Internet.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • C
          cswroe
          last edited by Feb 26, 2023, 1:35 PM

          I do the same thing with my 5100. I have a Protectli that I use in the event the 5100 goes down. I just have to remember to change the interface names in the XML, but it works well. I had to use it about 10 months ago when the drive on the 5100 failed. I will do the same this week when I upgrade the 5100, but I'm still debating that one.

          • S
            stephenw10 Netgate Administrator
            last edited by Feb 28, 2023, 2:10 PM

            You can use only the config sync part of HA to keep the two boxes synced without CARP at all.

            If you don't have the second box powered on all the time then you will see config sync errors on the primary box at any config change. You would need to periodically power on the secondary box and force a config sync to keep them updated.

            But simply keeping a config file you can restore onto the backup box is probably easier. You can have it pull in that backup config when it boots:
            https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-using-the-external-configuration-locator-ecl

            Steve
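
The step mentioned in the posts above, changing the interface names in a saved config before restoring it onto a spare box with different NICs, as an added example that is not part of the thread or of pfSense itself. The config is a constructed, trimmed stand-in for a real backup, and the NIC names (`igb0`/`igb1` on the main box, `em0`/`em1` on the spare) and helper names are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed stand-in for a pfSense config.xml backup.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb1.20</if><descr>GUEST</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>20</tag><vlanif>igb1.20</vlanif></vlan>
  </vlans>
</pfsense>"""

# Assumed NIC names: main box has igb*, spare box has em*.
NIC_MAP = {"igb0": "em0", "igb1": "em1"}

# Only interface assignments and VLAN definitions are rewritten.
PATHS = ("./interfaces/*/if", "./vlans/vlan/if", "./vlans/vlan/vlanif")


def remap_name(name, nic_map):
    """Map 'igb1' or the VLAN form 'igb1.20'; None if the parent NIC is unknown."""
    parent, dot, tag = name.partition(".")
    return nic_map[parent] + dot + tag if parent in nic_map else None


def remap_config(xml_text, nic_map):
    """Return (new_xml, names left unchanged because they had no mapping)."""
    root = ET.fromstring(xml_text)
    unmapped = set()
    for path in PATHS:
        for elem in root.findall(path):
            old = (elem.text or "").strip()
            new = remap_name(old, nic_map) if old else old
            if new is None:
                unmapped.add(old)  # e.g. a virtual interface; review by hand
            else:
                elem.text = new
    return ET.tostring(root, encoding="unicode"), sorted(unmapped)


if __name__ == "__main__":
    new_xml, unmapped = remap_config(SAMPLE_CONFIG, NIC_MAP)
    if unmapped:
        print("left unchanged, check manually:", unmapped, file=sys.stderr)
    print(new_xml)
```

A config backup holds password hashes, VPN keys and certificates, so the remapped copy needs the same access restrictions as the firewall itself.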

            • J
              john24634 @SteveITS
              last edited by Mar 2, 2023, 2:56 AM

              @steveits said in offline backup box in case main box fails:

              Does Spectrum ISP Router provide NAT?

              @john24634 It’s technically possible to use HA with one public IP if your ISP router provides NAT. Comcast and AT&T DSL do this in bridge mode. I’ve used Comcast.

              Wan1 - 10.1.10.2
              WAN2 - 10.1.10.3
              Shared IP - public IP

              Now both routers have Internet.

              • S
                SteveITS Galactic Empire @john24634
                last edited by Mar 2, 2023, 3:09 AM

                @john24634 said in offline backup box in case main box fails:

                Does Spectrum ISP Router provide NAT?

                No idea. If you plug a laptop directly into their router does it get a private IP address?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.