Going from single to redundant WAN lines
-
Hi There,
I am a little stuck. I have run a single pfSense server for almost 2 years now. As I have a /25 public subnet I have configured pfSense in bridged mode.
Now I have moved to a new ISP and receive a redundant WAN connection from them (2 cables) with routing using VRRP.
Now I want to put a firewall on both cables to make the firewall hardware redundant. So my question is: how do I make them hardware redundant?
I've read several posts, but they are a bit old or with a different scenario.
The pfSense machine I have is based on a Jetway NF99 motherboard so I can add 1 or 3 extra NICs. The new machine is planned to be the exact same machine.
The first question is, do I need 3 or 4 NICs? (so I can order the hardware ;-) )
Thanks,
Roger
-
You need, per firewall:
1 NIC per WAN
1 SYNC interface
1 LAN
So in your case, unless you want to include a VLAN switch, you need 3 NICs per firewall.
(you only have one WAN, split between 2 cables, right?)
-
Sorry SeventhSon,
I was away last week.
Yes, I only have one WAN split into 2 cables (redundant).
Thanks,
Roger
-
3 should do so. I'd go for the Intel NICs btw :)
-
Well, the 2 standard NICs are Intel but the 3rd one is Realtek, but this one is used for CARP. Do you have CARP working with bridged pfSense machines?
-
I'm using it on routed pfSense machines, but on current 2.0.3 running CARP on a bridged interface doesn't work, if that's what you're asking.
-
Well I got the other machine working now (took a while to get the hardware).
What I need is 2 bridged machines working together. I have several machines with public IP addresses on the inside and the gateway on the outside. The LAN port has a public IP address also but the WAN doesn't have an IP address. As I now have 2 internet uplinks I need both machines to do firewalling. But I just want to maintain only one.
Thanks,
Roger
-
OK,
I didn't enable CARP but only pfsync. This worked well, so pfsense1 updates pfsense2. So this morning I put them both in but it resulted in very strange problems. From home everything worked, but from my office we couldn't reach the network. From my phone I couldn't open any website but could ping the server. I had to take the pfSense machines out of the network :(.
Any ideas?
-
Nobody a clue? I think this must be possible.
I hope, I am not stuck with two €400 bricks :(
-
The problem is CARP is meant to do fail-over for layer 3, not for layer 2 (which is what you are wanting because you are using pfSense as a bridge, not a router).
Do you have a managed switch? Can it do spanning-tree protocol? If so, configure the switch(es) to do spanning tree. Then plug both pfSense boxes into the switch and then to the lines from your ISP. STP will see the redundant lines between the pfSense boxes as a loop and block all traffic on one of the ports.
Something else to consider. Fail-over on STP is about 50 seconds.
-
OK,
Thanks, I am going to try this.
Roger
-
Hmm..
I suddenly realized the ISP told me to be sure that the VRRP routers could see each other using my network. So if STP blocks one port, VRRP will not see the other router. It is btw a Dell 3348.
Greetings,
Roger