    CARP and failover guide

    4 Posts 2 Posters 1.7k Views
chc-pr

      Two simple questions - both yes or no.

      Q1
Can I build a system with two failover firewalls connected to two different internet connections, so that if any component fails in that chain the network keeps running, and load is shared when all is working fine?

      Q2
Does the online book cover how to do this fully, if it is possible?

I am building this network for my own personal use in a start-up, so limiting outgoing costs is a consideration and the $100 gold membership is a steep bill for me right now (not that I doubt its value, it's just that I am looking to save unnecessary costs atm).  If it is covered, I will take out the membership.  If not, I will still take out membership later, just not yet (I feel you guys need to be supported in this great project).

      Thanks

chc-pr

        66 reads and not one person able to answer these Qs?  Wow, it can't be THAT unusual a thing to do…

Derelict (LAYER 8, Netgate)

Proper high-availability requires a /29 of static IP addresses on each WAN interface (or larger; HA takes 3 addresses: one for each interface and at least one for the CARP VIP).

          Yes, you can configure an HA pair with multi-wan if this requirement is met. pfSense is Active/Standby, not Active/Active so all traffic flows through one firewall unless it fails and everything swings over to the secondary.

          If you are saying one firewall connected to one provider and the other firewall connected to another provider then, no. That would be an unsupported configuration. It would be impossible to have state sync since the states on one unit could never be used on the other because the WAN addresses would be different. So failover would never be as seamless as with a proper HA configuration. You would have to be very careful with your interface assignments because XMLRPC sync on the primary might clobber the interface rules on the secondary.

          The book is the best single source of information for HA on pfSense, for sure.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

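The addressing rule in the answer above (each WAN needs a block large enough for the ISP gateway plus three firewall-side addresses: the primary's interface, the secondary's interface and the shared CARP VIP, so a /30 is not enough and a /29 is the usual minimum) is easy to get wrong when planning multi-WAN. The script below is an added example, not code from this thread or from the pfSense project: it plans the three addresses per WAN, reports any WAN whose block is too small, and checks the "both nodes on the same WAN subnet" condition that the answer says is what makes state sync possible. The prefixes and gateways are constructed from RFC 5737 documentation ranges and are not real provider assignments; the function names are the example's own.

```python
"""
Address-plan check for a pfSense HA pair with multi-WAN.

Added example, not code from the forum thread or from the pfSense project.
Encodes the rule stated in the thread: each WAN needs a block of static
addresses large enough for the ISP gateway plus three firewall-side
addresses (primary interface, secondary interface, shared CARP VIP).
The prefixes and gateways in the demo are constructed from RFC 5737
documentation ranges and are not real provider assignments.
"""
import ipaddress

# Addresses the HA pair itself consumes on every WAN (primary, secondary, VIP).
HA_ADDRESSES_PER_WAN = 3


def plan_ha_wan(prefix, isp_gateway):
    """Allocate primary, secondary and CARP VIP addresses from one WAN block.

    Raises ValueError when the block cannot hold the gateway plus three
    firewall-side addresses, which is what rules out the usual /30.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    # hosts() already drops network and broadcast for prefixes shorter than /31
    usable = [a for a in net.hosts() if a != gw]
    if len(usable) < HA_ADDRESSES_PER_WAN:
        raise ValueError(
            f"{net} leaves {len(usable)} usable address(es) after the gateway; "
            f"HA needs {HA_ADDRESSES_PER_WAN} (primary, secondary, CARP VIP)"
        )
    primary, secondary, vip = usable[:HA_ADDRESSES_PER_WAN]
    return {
        "network": net,
        "gateway": gw,
        "primary": primary,      # node A's own interface address
        "secondary": secondary,  # node B's own interface address
        "carp_vip": vip,         # shared address that moves on failover
        "spare": usable[HA_ADDRESSES_PER_WAN:],  # left over for extra VIPs, 1:1 NAT, etc.
    }


def plan_multi_wan(wans):
    """Plan every WAN of the pair; return (plans, problems).

    `wans` maps an interface name to (prefix, isp_gateway). A WAN that cannot
    be planned is reported in `problems` instead of aborting the whole plan.
    """
    plans, problems = {}, {}
    for name, (prefix, gw) in wans.items():
        try:
            plans[name] = plan_ha_wan(prefix, gw)
        except ValueError as exc:
            problems[name] = str(exc)
    return plans, problems


def shares_subnet(node_a_iface, node_b_iface):
    """True when both nodes' addresses for one WAN sit in the same block.

    The thread calls the alternative (each node on a different provider)
    unsupported, because state sync cannot work when the WAN addresses differ.
    """
    a = ipaddress.ip_interface(node_a_iface)
    b = ipaddress.ip_interface(node_b_iface)
    return a.network == b.network


if __name__ == "__main__":
    # Constructed inputs: one provider handed out a /29, the other only a /30.
    wans = {
        "WAN": ("203.0.113.0/29", "203.0.113.1"),
        "WAN2": ("198.51.100.0/30", "198.51.100.1"),
    }
    plans, problems = plan_multi_wan(wans)
    for name, plan in plans.items():
        print(f"{name}: primary={plan['primary']} secondary={plan['secondary']} "
              f"vip={plan['carp_vip']} spare={[str(a) for a in plan['spare']]}")
    for name, why in problems.items():
        print(f"{name}: cannot build HA -> {why}")
```

Run as-is, the script plans WAN from the /29 (primary .2, secondary .3, CARP VIP .4, two spare addresses) and rejects WAN2 because a /30 leaves a single usable address after the gateway. The `shares_subnet` check is the one to run against both nodes' interface settings before enabling XMLRPC sync, since a pair whose WAN interfaces live in different blocks is the configuration the answer warns cannot sync state.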
chc-pr

Thanks, that is really helpful.  I was looking at two providers on a single firewall, replicated on both firewalls.  That is to say, I have two distinct failure modes:
1 - WAN failure (i.e. the ISP is hacked and brought down, for example): auto-switch to the backup provider from within the same (active) firewall [this is my present config]
2 - firewall failure: auto-switch to the backup firewall for normal service [this is what I hope to add to my failure redundancy]

            I will go get the book.

            Thank you again.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.