Two Firewall, Two Separate WAN, One virtual LAN Gateway IP
-
Per the title, I have two pfsense firewalls, each has a WAN address from different providers.
LAN 192.168.1.x -> pf1 -> WAN 1.2.3.4
LAN 192.168.1.x -> pf2 -> WAN 5.6.7.8Gateway Groups work flawlessly if I set the LAN gateway address as ONE of the firewalls. If I use gateway groups in both firewalls and a CARP VIP as the LAN gateway, the state of WAN interfaces isn't synced and this impacts service in unexpected ways.
LAN pf1 –->WAN
|
vip gw----|
|
LAN pf2 ---->WANThe goal is: when a WAN interface goes down, just move all traffic to the other firewall. I'm sure I'm not thinking about this the right way using the tools available in pfsense. Help me get unstuck.
-
Each pfsense has a separate WAN connection with a separate provider, yet you have them configured as a cluster?
Is so, what you are trying to do doesn't make sense, there is no state information that can be shared because each one has a different WAN connection. -
I guess I was wrong to use a CARP VIP then? There's no rule that says it has to be a cluster.
If there's another way to share a VIP that a pfsense app can manage, then I'm wide open to that.
-
Yes, there is. Configure your machines as real HA with CARP as it should be:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)And then set up a Multi-WAN configuration with the two ISPs:
https://doc.pfsense.org/index.php/Multi-WAN
