DR Design - Local interface and phase 2 remote on same "network"

  • I use pfSense 2.3 to create an IPsec VPN to our DR site. Here are the facts:

    • The Production LAN is: (behind a Sonicwall GW:

    • The DR LAN (VLAN 17) is (behind pfSense #1 - em0: WAN, em1: DR LAN)

    • I have created an IPsec VPN from pfSense #1 to the Sonicwall and it works great!

    • DR LAN and Production LAN have a Layer 3 relationship, thanks to the IPsec Phase 2 from pfSense #1 to Sonicwall.

    • The Veeam Backup and Replication Server lives at the DR site (in the Cloud) and runs on the DR LAN, along with a read-only DC.

    At the DR site, I have created another network "DR Production" (VLAN 16) where I run another pfSense (pfSense #2 - em0: WAN, em1: R Production), where the LAN config matches the "Production LAN" ( GW:

    The design is such that during the 358 days of the year, we replicate with Veeam from Production to DR.  All of the VMs replicate into DR Production (VLAN 16), and hibernate as Veeam replicas for about 358 days/year. The pfSense #2 idles as there are no powered-on VMs in DR Production. When I initiate failover, there is no need to re-IP the VMs, as they can all use their original IP and mappings, with pfSense #2 as gateway at the DR site. This works great, we test for 1 week/year and actually sustained us through Hurricane Sandy!

    My question is this: Can I do the same thing with one pfSense and 3 interfaces?

    • em0: WAN

    • em1: DR LAN (

    • em2: DR Production (

    I am aware that em2 would need to be disconnected when the IPsec VPN was up, because it has the same IP address as the Sonicwall and would cause routing conflicts. Once the IPsec VPN was disabled, would I have routing issues after enabling em2? After running on em2 and then disabling it, would I have routing issues after I brought back the tunnel?

    THX in advance!

Log in to reply