Netgate Discussion Forum
    pfSense redundancy with 4 public IPs

    Category: HA/CARP/VIPs
    2 Posts 2 Posters 2.1k Views
    • pingulino

      We are currently searching for a high-availability solution; one question I need answered before starting to test pfSense:

      Today, we use 4 public IPs, all on different subnets, for 4 different domains.
      In the documentation it says I need 3 public IPs on WAN to configure failover with pfSense.
      The way I read it, it means we will need 12 public IPs? That we cannot have.

      Basically, what we want is 2 firewalls, one active and the other one just standing by. Also, we want to have 2 switches on the LAN for complete redundancy.
      So the question is: can we use pfSense in some way to create a network like this? After reading the documentation I'd say "no", but I'm posting here first in case I missed out on something.

      Edit: updating network diagram
      [attached image: redundancy.png]

      • marcelloc

        If you have only one IP on each subnet, you can do it by combining forces with your router(s). ;D

        See http://forum.pfsense.org/index.php/topic,35281.msg200865.html#msg200865 for a detailed explanation of how to do this.

        After NAT on the router, at pfSense:

        You can't have two subnets on the same interface; you need to create an interface for each subnet.

        The minimum number of IPs for it will be 4 on the same subnet:
        1 for the router
        1 for pfSense1
        1 for pfSense2
        1 to be published as a CARP IP between the two pfSenses (this can be as many as you need: 1, 2, … 10 IPs).

        If you plan to have each pfSense plugged into a different switch, you must have a dedicated interface between both for sync.
        My suggestion is to plug all interfaces of each firewall into only one switch (using VLANs); this prevents some CARP mistakes between master and slave when not all interfaces are offline.

        FIREWALL1 <-> SWITCH 1
        FIREWALL2 <-> SWITCH 2

        FIREWALL1 <-CROSSOVER-> FIREWALL2

        If you have two gigabit interfaces on each firewall you can do everything: one for sync and the other with a lot of VLANs.

        Regards,
        Marcello Coutinho

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

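The addressing rule from the reply above (router, two node addresses and one or more shared CARP VIPs taken from a single subnet, with a separate interface per subnet), worked through as an added planning example that is not part of this thread. The sample subnets are constructed, and the per-subnet vhid numbering and the advskew values (0 on the primary, 100 on the secondary) are assumptions.

```python
"""Plan addressing for an active/standby pfSense pair using CARP.

Assumptions (not from the thread): each public subnet gets its own
interface, router/node/VIP addresses are taken in order from the block,
vhids are numbered per subnet, and advskew is 0 on the primary and 100
on the secondary.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: two of the four public subnets, one per interface.
SAMPLE_SUBNETS: Dict[str, str] = {"wan_a": "203.0.113.0/29", "wan_b": "198.51.100.8/29"}


def plan_carp_subnet(cidr: str, vip_count: int = 1) -> dict:
    """Allocate router, pfSense1, pfSense2 and CARP VIP addresses.

    The minimum is 4 usable addresses on ONE subnet; each extra VIP needs
    one more. Raises ValueError when the block is too small (e.g. a /30).
    """
    if vip_count < 1:
        raise ValueError("at least one CARP VIP is required")
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    needed = 3 + vip_count
    if len(hosts) < needed:
        raise ValueError(f"{cidr}: {len(hosts)} usable addresses, need {needed}")
    router, node1, node2 = hosts[:3]
    return {
        "router": str(router),
        "pfsense1": str(node1),
        "pfsense2": str(node2),
        "vips": [str(v) for v in hosts[3:needed]],
        "prefixlen": net.prefixlen,
    }


def carp_vip_entries(plan: dict, first_vhid: int = 1) -> List[dict]:
    """Expand each VIP into the CARP entry configured on each node."""
    entries = []
    for i, vip in enumerate(plan["vips"]):
        for node, skew in (("pfsense1", 0), ("pfsense2", 100)):
            entries.append({"node": node, "vip": f"{vip}/{plan['prefixlen']}",
                            "vhid": first_vhid + i, "advskew": skew})
    return entries


if __name__ == "__main__":
    for iface, cidr in SAMPLE_SUBNETS.items():
        plan = plan_carp_subnet(cidr, vip_count=2)
        print(iface, plan)
        for entry in carp_vip_entries(plan):
            print("  ", entry)
    # pfsync state traffic goes over a dedicated interface, not these subnets.
```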
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.