Netgate Discussion Forum
    DR Design - Local interface and phase 2 remote on same "network"

    General pfSense Questions

      unsichtbarre

      I use pfSense 2.3 to create an IPsec VPN to our DR site. Here are the facts:

      • The Production LAN is: 172.16.0.0/16 (behind a Sonicwall GW: 172.16.0.1)

      • The DR LAN (VLAN 17) is 172.17.0.0/16 (behind pfSense #1 - em0: WAN, em1: DR LAN)

      • I have created an IPsec VPN from pfSense #1 to the Sonicwall and it works great!

      • DR LAN and Production LAN have a Layer 3 relationship, thanks to the IPsec Phase 2 from pfSense #1 to Sonicwall.

      • The Veeam Backup and Replication Server lives at the DR site (in the Cloud) and runs on the DR LAN, along with a read-only DC.

      At the DR site, I have created another network "DR Production" (VLAN 16) where I run another pfSense (pfSense #2 - em0: WAN, em1: DR Production), where the LAN config matches the "Production LAN" (172.16.0.0/16 GW: 172.16.0.1).

      The design is such that during the 358 days of the year, we replicate with Veeam from Production to DR. All of the VMs replicate into DR Production (VLAN 16) and hibernate as Veeam replicas for about 358 days/year. The pfSense #2 idles, as there are no powered-on VMs in DR Production. When I initiate failover, there is no need to re-IP the VMs, as they can all use their original IP and mappings, with pfSense #2 as gateway at the DR site. This works great; we test for 1 week/year, and it actually sustained us through Hurricane Sandy!

      My question is this: Can I do the same thing with one pfSense and 3 interfaces?

      • em0: WAN

      • em1: DR LAN (172.17.0.1)

      • em2: DR Production (172.16.0.1)

      I am aware that em2 would need to be disconnected when the IPsec VPN was up, because it has the same IP address as the Sonicwall and would cause routing conflicts. Once the IPsec VPN was disabled, would I have routing issues after enabling em2? After running on em2 and then disabling it, would I have routing issues after I brought back the tunnel?

      THX in advance!
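As an added example (not from the post, and not a pfSense feature), here is a small Python pre-flight check that models the interface subnets and the phase 2 remote selector from the post and reports which networks overlap in each state (tunnel up with em2 down, tunnel down with em2 up, and the mistaken case where both are up). The `Claim` model and helper names are assumptions made for the illustration.

```python
"""Pre-flight overlap check for the single-pfSense, three-interface design.
Each enabled interface claims its connected subnet; when the IPsec tunnel is
up, each phase 2 remote selector claims its network. Any pair of claims that
overlaps is a candidate routing conflict. Addresses come from the post; the
check itself is a constructed, hypothetical helper."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    source: str                      # e.g. "em2" or "P2 remote 1"
    network: ipaddress.IPv4Network


def interface_claims(interfaces, enabled):
    """Only interfaces in `enabled` claim their connected subnet."""
    return [Claim(name, ipaddress.ip_network(cidr, strict=False))
            for name, cidr in interfaces.items() if name in enabled]


def phase2_claims(phase2, tunnel_up):
    """Phase 2 remote networks are only claimed while the tunnel is up."""
    if not tunnel_up:
        return []
    return [Claim(f"P2 remote {i}", ipaddress.ip_network(net))
            for i, net in enumerate(phase2, start=1)]


def find_conflicts(interfaces, phase2, enabled, tunnel_up):
    """Return sorted (source_a, source_b) pairs whose networks overlap."""
    claims = interface_claims(interfaces, enabled) + phase2_claims(phase2, tunnel_up)
    return sorted((a.source, b.source)
                  for i, a in enumerate(claims)
                  for b in claims[i + 1:]
                  if a.network.overlaps(b.network))


# Layout from the post: em1 = DR LAN, em2 = DR Production (constructed input).
INTERFACES = {"em1": "172.17.0.1/16", "em2": "172.16.0.1/16"}
PHASE2_REMOTE = ["172.16.0.0/16"]      # production LAN behind the Sonicwall

if __name__ == "__main__":
    for label, enabled, up in [("normal: tunnel up, em2 down", {"em1"}, True),
                               ("failover: tunnel down, em2 up", {"em1", "em2"}, False),
                               ("mistake: tunnel up, em2 up", {"em1", "em2"}, True)]:
        print(label, "->", find_conflicts(INTERFACES, PHASE2_REMOTE, enabled, up) or "no overlap")
```

Run it before toggling the tunnel or em2 to confirm that exactly one of the two claimants of 172.16.0.0/16 is active at a time.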
