High availability…1 WAN IP
-
is it possible to setup 2 identical pfsense boxes to mirror e/o?
CARP wont work for this particular setup, only 1 WAN dynamic IP.
the goal is to have a second box kick in if the hardware in box 1 fails (power supply, mobo, bad hard drive, etc…)
i backup my current config and i have re-installed pfsense and attempted a restore from my backup to make sure everything worked (it did), but i would like to take it a step further.
this is just being used in a home environment.
thanks.
-
Not possible at this time.
-
-
pfSense 2.2 will likely bring in newcarp/carpdev so it can work with one IP, but I don't think that would still work with a dynamic IP.
The ugly solution is to enable your modem/router's NAT mode and let it handle the dynamic IP, and have it do 1:1 to a CARP VIP in a private IP "WAN" segment that uses a new private subnet you make up.
Double NAT is definitely ugly, but it may be better to by ugly and redundant than not.
The best solution would be to upgrade your connection to one that gives you a block of static IPs (/29 or bigger) to use with CARP properly.
-
how about configuring something to allow two active firewalls to syn with e/o regardless of the number of IPs and static or dymanic connection?
just a thought, i have no idea what it takes to program the firewall.
sonicwall has a nice setup, you connect two firewalls together and enable high availability. all with 1 WAN IP. and both sonicwalls share the same LAN IP, when you login to lets say….192.168.1.1 at the top of the sonicwall page it tells you if you are logged into the primary unit or the backup unit.
obviously if you make a change it pushes it to the other firewall. if you lose a firewall, the other one kicks in. firmware upgrades are nice, while one unit is upgrading the firmware, the other unit keeps the network online.
anyway, just a thought.
thanks.
-
That isn't possible the way we currently do failover, and wouldn't be something we could do without significant funding.
-
That isn't possible the way we currently do failover, and wouldn't be something we could do without significant funding.
very understandable. thanks for the reply.
-
I currently have an Alix box and Watchguard with both running pfSense. Is there a way to automatically copy the active config from one box to another? I understand that it's not possible to do failover with 1 WAN IP, and that's fine, I wouldn't mind swapping a couple of cable from one FW to another, but is there a way to push config from main (watchguard) to backup (alix) automatically after a change has been made?
Thanks guys.
-
Isn't pfsync completely independent from CARP/failover?
Check out System->High Avail Sync.
There's no requirement to set up CARP to use it AFAIK.
-
Isn't pfsync completely independent from CARP/failover?
Check out System->High Avail Sync.
There's no requirement to set up CARP to use it AFAIK.
That's what i'm thinking… i was just wondering if anyone has done it before...
Thanks.
-
The ugly solution is to enable your modem/router's NAT mode and let it handle the dynamic IP, and have it do 1:1 to a CARP VIP in a private IP "WAN" segment that uses a new private subnet you make up.
Double NAT is definitely ugly, but it may be better to by ugly and redundant than not.
Not sure I would call this an ugly solution - it's actually one of the few examples of when double natting would make sense.
But couldn't you just remove the double nat and just use pfsense as router/firewall, and let the isp gateway in front of pfsense handle the nat.. As long as your isp gateway can do normal routing.
So you end up with something like this
internet - publicIP (isp gateway) 10.0.0.1/24 – 10.0.0.2/24 Carp VIP (pfsense) 192.168.1.1 CARP VIP -- PCs
Where pfsense1 would have wan of 10.0.0.3 and pfsense2 10.0.0.4, and lan pf1 192.168.1.2 and pf2 192.168.1.3
Now as long you can put route entry in isp gateway to the pfsense wan VIP for your 192.168 network(s) You should be good without having to deal with actual double nat.
But for the life of me I don't see how running CARP would make sense in a home setup - other than the fact that you could and its techie and fun..
-
One additional question about this thread.. And yes, I'm also talking about a home environment, and yes, it's only because I'm a techie and it's fun! :-)
In the docs, it says that you need a REAL WAN address for each CARP participant, and in the diagram it does show "real" addresses.
On my cable modem setup, I have the ability to do DHCP to get a 10.x address from the cable modem, and I have five REAL addresses that I have setup as secondary addresses on my pfsense. The real addresses of course have a different default gateway than the 10.x gateway on the DHCP interface…
My first question is whether I lose the ability to do inbound NAT/PAT on two real addresses if I use one for each of two CARP nodes, or if use of the address for CARP wont stop me from using those addresses for inbound traffic at the same time.
I am assuming that CARP will take those addresses and stop me from using them otherwise, so my second question is whether PFSense will let the CARP addresses both be DHCP 10.x addresses, so long as they can communicate together on that address and they have the same gateway? I am allowed by Comcast to have multiple 10.x addresses via DHCP, and I'd prefer to use that for CARP if I will lose the ability to use the IPs for other than the CARP process.
Thanks, and sorry for my newbie, non carp-understanding question!!
-Steve
