Netgate Discussion Forum

HA setup with two WANs and only one pfSense per WAN

Category: HA/CARP/VIPs
Tags: carp, failover, wan, checking, availability
Avatat, Oct 6, 2020, 1:12 PM

    Hello pfSense Community!
    I have a single network in two locations, where each location has one WAN connection (two different ISPs).
    One WAN is faster and should be a "master", while the second one is slower and should be used as backup only.
    My plan is to put one pfSense to the first location, one pfSense to the second location, connect them in L2 (with redundant switches), and use CARP to provide WAN fallback:
    [network diagram image, not captured]

    My question is: what is the best/simplest way to automatically disable the VIP/CARP on "the faster" pfSense when it loses its connection to the Internet?
    I thought about writing a simple daemon which will periodically check Internet availability and trigger enablecarpmaint and disablecarpmaint when needed.

Derelict (Netgate), Oct 7, 2020, 12:30 PM
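The poll-and-toggle daemon sketched in the post, written out as an added example (not code from the thread or from pfSense): it probes WAN reachability from the "faster" node and switches CARP maintenance mode through the pfSense PHP shell playback scripts enablecarpmaint / disablecarpmaint, with hysteresis so a single lost ping does not flap the VIP between the two nodes. The pfSsh.php path, the probe targets and the thresholds are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: poll WAN reachability on the "faster"
# pfSense and toggle CARP maintenance mode via the pfSense PHP shell playback
# scripts enablecarpmaint / disablecarpmaint. The pfSsh.php path, probe targets
# and thresholds are assumed placeholders, not values from the thread.
PFSSH=${PFSSH:-/usr/local/sbin/pfSsh.php}
PROBE_TARGETS=${PROBE_TARGETS:-"1.1.1.1 9.9.9.9"}
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}   # consecutive failed probes before demoting
OK_THRESHOLD=${OK_THRESHOLD:-6}       # consecutive good probes before promoting back
INTERVAL=${INTERVAL:-10}              # seconds between probes
STATE=up; FAILS=0; OKS=0; TRANSITION=""
# Probe succeeds if any target answers one ping; -t is FreeBSD ping's overall
# timeout in seconds (pfSense runs on FreeBSD).
probe_wan() {
    for t in $PROBE_TARGETS; do
        ping -c 1 -t 3 "$t" >/dev/null 2>&1 && return 0
    done
    return 1
}
# Hysteresis state machine; $1 is the probe result (0 = reachable). It leaves
# "up" only after FAIL_THRESHOLD consecutive failures and "down" only after
# OK_THRESHOLD consecutive successes, so a short blip cannot flap CARP.
# Sets TRANSITION to enter_maint, leave_maint or "" for the caller.
observe() {
    TRANSITION=""
    if [ "$1" -eq 0 ]; then
        FAILS=0; OKS=$((OKS + 1))
        if [ "$STATE" = down ] && [ "$OKS" -ge "$OK_THRESHOLD" ]; then
            STATE=up; OKS=0; TRANSITION=leave_maint
        fi
    else
        OKS=0; FAILS=$((FAILS + 1))
        if [ "$STATE" = up ] && [ "$FAILS" -ge "$FAIL_THRESHOLD" ]; then
            STATE=down; FAILS=0; TRANSITION=enter_maint
        fi
    fi
}
# Demote this node (maintenance mode) when the WAN is lost, promote it back when restored.
apply_transition() {
    case "$TRANSITION" in
        enter_maint) logger -t wancheck "WAN unreachable, entering CARP maintenance"
                     "$PFSSH" playback enablecarpmaint ;;
        leave_maint) logger -t wancheck "WAN restored, leaving CARP maintenance"
                     "$PFSSH" playback disablecarpmaint ;;
    esac
}
# The polling loop runs only when started as "wancheck.sh --daemon".
if [ "${1:-}" = "--daemon" ]; then
    while :; do probe_wan; observe $?; apply_transition; sleep "$INTERVAL"; done
fi
```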

      That is an unsupported configuration. A supported configuration would be two WANs, each with a /29 interface subnet or better, with both configured on each node.

      And you don't want bridges to your switches. You want LACP to a switch stack.

      > what is the best/simplest way to automatically disable the VIP/CARP on "the faster" pfSense when it loses its connection to the Internet?

      HA is not designed to swing traffic in response to a multi-WAN event, only to a router failure or a link-down event.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

Avatat, Oct 7, 2020, 12:41 PM (last edited Oct 7, 2020, 12:48 PM)

        Thank you for your answer!
        I have to use a bridge because I don't have a switch stack, and sw-01-a and sw-01-b are simple L2 managed switches in two different locations. I have to rely on STP.

        I know the "official way" to do a similar setup: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html#figure-diagram-of-multi-wan-ha-with-dmz, but I don't have a /29 WAN subnet and the red connections:
        [network diagram image, not captured]

        Can I ask you for a suggestion on how to solve it in a better way?

Derelict (Netgate), Oct 7, 2020, 12:53 PM (last edited Oct 7, 2020, 12:55 PM)

          The best way to do an HA deployment is to invest in the gear necessary to build it correctly. Bridging like that is generally incompatible with pfSense HA.

          https://docs.netgate.com/pfsense/en/latest/highavailability/layer-2-redundancy.html
