Failover for 2 ISP
-
Both of your pfSense boxes should have a connection to each WAN. If you don't run CARP on WAN now, you don't need to add that in.
You'd need the master box to have WAN and WAN2, and the backup box to have WAN and WAN2. Depending on your ISP, this may or may not be feasible.
And both boxes will need to have multi-WAN set up properly (failover or load balancing pools, policy routing, etc.), which is covered on the doc wiki.
Thank you jimp. Looks like having two WANs on each pfSense box is not feasible yet. But I am planning to build one more pfSense box that will act as a load balancer. For example: the current 2 pfSense boxes will just be normal routers, and the 3rd one will act as the load balancer or failover for the two. Do you think it is feasible?
No, because you're back to having a single point of failure. You may as well just have one router connected to both WANs now.
-
Yeah, I understand that the single point of failure is the load balancer, right? If you were me, with limited resources, would you think having CARP on those 2 pfSense boxes makes it much more reliable than using a single pfSense box with 2 WANs in it?
-
That depends on what you are worried about most, and the needs of your business. Only you will know that for sure :)
If you have more WAN failures than hardware failures, having a single dual-WAN box might be better. You can keep the spare box installed and ready, boot it every now and then and update its config by hand, but not active 24/7. This is usually referred to as a "cold" spare.
That requires manual intervention in the case of a hardware failure, but depending on your business requirements you'd be better off since you could use both WANs all the time. If you don't have to worry about crazy high uptime and someone is usually on-site to handle the switch if a failure happens (or it only matters during business hours) then having a cold spare box is probably fine.
If you really need to use a two-box failover scenario with multi-wan, you'll need to talk to your ISP and work out the necessary details about getting more IPs or allowed connections. If your business needs call for high availability and automated failover, the cost is probably worth avoiding the downtime.
-
I agree that using a load balancer in front of two CARPed pfSense boxes on separate WAN links doesn't make much sense. As JimP said, if you have a box (the load balancer) that can handle both WAN links itself, and you're using it as a single point of failure, I'd strongly suggest moving to just one box.
If you have fairly "high end" switching equipment, you can use VLANs - this is more complex for most people than they'd like - and it requires having a managed switch with VLAN support, but you'll be able to use one NIC.
-
Thanks Guys!
I have tried connecting the 2 ISPs on a single pfSense box and put them in LB pools:
Description: ISP Balance
Type: Gateway
Behavior: Load Balance
Monitor IP: 202.164.x.x
Monitor IP: 124.68.x.x

Description: ISP1 Failover
Type: Gateway
Behavior: Fail Over
Monitor IP: 202.164.x.x
Monitor IP: 124.68.x.x

Description: ISP2 Failover
Type: Gateway
Behavior: Fail Over
Monitor IP: 124.68.x.x
Monitor IP: 202.164.x.x

I ran ping on the two public IPs. I can ping both of them. I tried shutting off the modem of the first ISP and pinging again; obviously one of them cannot be pinged. Then I ran the same thing on the second ISP, and it's the same. My problem now is that if the first ISP is up I can browse any site that I want, but when it is down I cannot browse any site, even though I get a ping response from the second ISP. Correct me if I am wrong, is this a DNS problem? If so, how can I resolve this?
Another question: if I can get my hands on the resources, is my current setup with CARP fine as long as I have 3 IPs on each ISP for the CARP + pfsync + load balance/failover? Can you somehow help me with the diagram? Thanks a lot.
-
Under firewall rules for LAN, did you change the gateway from "default gateway" to the Load Balancer you created?
-
That I forgot. :) By the way, is it okay to load balance if one of the ISPs is under PPPoE?
-
Yes, you can load balance between any number of multiple WANs.
-
I don't really see how PPPoE would be a problem - I'm pretty sure I've used PPPoE WAN links with the load balancer before.
Only read the rest if you need to - it's not needed, and can make things more complex:
Just remember - load balancing is 'fair' or 'even' by default - so even if you have one ISP with 6 megabits and one with 1, by default the load-balancing will (roughly) distribute the connections (and by extension the traffic) equally.
If you want to make one WAN link more likely to be used, you can put its entry into the load balancer config more than once - or have a 'ratio' of one to the other (example: two entries for WAN, three for OPT1 to give a 60/40 balance).
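To make the pool behaviour discussed in this thread concrete, here is an added toy model (not pfSense code, and not from any poster) of the two pool types: a Fail Over pool always hands new connections to the first listed gateway that is still up, while a Load Balance pool round-robins across its listed entries, so listing a gateway more than once weights it as described above. The 202.164.x.x / 124.68.x.x labels are the thread's own placeholders, and the "down" set stands in for what the monitor IP pings would report.

```python
"""Toy model of pfSense-style gateway pools (constructed example, not pfSense code)."""
from itertools import cycle


class Pool:
    def __init__(self, description, behavior, members):
        # members: monitor IPs / gateway names in the order they are listed.
        # In a Load Balance pool, a gateway listed twice gets twice the share.
        self.description = description
        self.behavior = behavior          # "Load Balance" or "Fail Over"
        self.members = list(members)
        self._rr = cycle(range(len(self.members)))

    def pick(self, down=frozenset()):
        """Gateway the next new connection would use, or None if all are down."""
        alive = [m for m in self.members if m not in down]
        if not alive:
            return None
        if self.behavior == "Fail Over":
            # Fail Over: the first listed member that the monitor still sees as up.
            return alive[0]
        # Load Balance: round-robin over the listed entries, skipping down ones.
        for _ in range(len(self.members)):
            m = self.members[next(self._rr)]
            if m not in down:
                return m
        return None


def distribute(pool, n_connections, down=frozenset()):
    """Count how many of n new connections each gateway receives."""
    counts = {}
    for _ in range(n_connections):
        gw = pool.pick(down)
        counts[gw] = counts.get(gw, 0) + 1
    return counts


if __name__ == "__main__":
    balance = Pool("ISP Balance", "Load Balance", ["202.164.x.x", "124.68.x.x"])
    print(distribute(balance, 100))                          # even split by default
    weighted = Pool("60/40", "Load Balance", ["WAN", "WAN", "OPT1", "OPT1", "OPT1"])
    print(distribute(weighted, 100))                         # OPT1 gets 60, WAN 40
    isp1_failover = Pool("ISP1 Failover", "Fail Over", ["202.164.x.x", "124.68.x.x"])
    print(isp1_failover.pick(down={"202.164.x.x"}))          # falls back to ISP2
```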
-
Thank you for all the replies, I really appreciate the help. My last question would be: in case I get my hands on resources like additional IP addresses for my WAN(s), like 3 each, do I need more LAN cards? I currently have 3 on each. Would my current setup suffice in order to make highly available internet and firewall failover? If so, can you guys help me with the diagram, if it's not too much to ask? Thanks, thanks!