Netgate Discussion Forum

    Possible scenario? multi WAN, high availability without VIP

    HA/CARP/VIPs
    7 Posts 2 Posters 2.5k Views
    • AxSD

      I currently have 2 WAN connections to one pfSense box and it works great. I'm trying to add another one for failover, and I'd like to be a little more educated about this before I implement this. Currently, I have 2 internet lines from the same ISP, with 3 dynamic public IPs each (assigned by the ISP's DHCP).

      I read the documentation, and it looks like I'll need 3 public IPs for each box (two for the WAN and one for sync). Is it possible to configure both pfSense boxes to have 2 WANs without using a CARP virtual IP? What's the purpose of converting a public IP into a VIP?

      I currently only use up 1 (of 3 available) public IPs for WAN, and one public IP for my test environment. Since there are only 3 available, is it possible for me to still reserve one for my test environment? Or do I need to use up all 3 for the high availability setup?

      • Derelict LAYER 8 Netgate

        You cannot do HA with DHCP, period.

        You would have to have something that would do the DHCP in front of pfSense, with a private network behind it and do HA routers there.

        You would do this for each WAN.

        Talk to your ISP about getting a couple /29s instead of that DHCP stuff.  Or at least static IP addresses on each.

        You do not necessarily have to have three public IP addresses any more (with some caveats about the current backup unit being unable to make connections from the firewall itself like for DNS and checking for updates) but the public IP address cannot be assigned DHCP or PPPoE. A public IP address for each WAN interface plus at least one for the CARP VIP (3 total) is certainly preferred.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • AxSD

          Thank you for this info! When I read through the documentation, I didn't see anywhere that says it's not possible to do HA with dynamic IP addresses assigned by the ISP's DHCP. Is there a reason why this is not possible?

          Although it's a dynamic public IP and can change any time, it never actually changes unless the machine has been off for a few days and I refresh (release/renew IP inside the pfSense interface menu). There also seems to be a different gateway for each new public IP.

          The reason why we have dynamic IP instead of static is because purchasing static IPs costs 5x as much as dynamic. So all hope is lost for HA if I don't convert these dynamic IPs to static IPs?

          • AxSD

            Derelict, as a workaround, is it possible for me to put a pfSense box in solely to provide DHCP to the real pfSense box that the rest of the network uses?

            I added a diagram. The "pfsense-alpha" (purple) takes the WAN from the ISP, and provides 3 LAN IPs, which the real "pfsense-1" (orange) uses as its WAN. Please let me know if the proposed setup in the diagram is possible, or if anything else is fundamentally wrong with this setup:

            • Derelict LAYER 8 Netgate

              If you were to treat the WANs like Multi-WAN and only fail over the LAN side, that might work. No cool failover like OpenVPN servers or anything else outside-facing. And state sync would be a waste of time. You'd have to be careful about XMLRPC sync too. It'd only take a little bit longer to build it on the bench than it did to draw that diagram. :)


              • AxSD

                Just a quick curiosity question: is there a technical reason why DHCP from the ISP won't work for pfSense High Availability? Is it because all the public IPs must have the same gateway for each ISP line? I purchased the pfSense book through the gold subscription, and this was not mentioned anywhere.

                • Derelict LAYER 8 Netgate

                  Because CARP VIPs are static and those are the addresses that "swing" over to the secondary in the event of a failure. This means that Layer 3 stays intact for states, routes, client gateways, DNS servers, etc.


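The constraints stated in the replies above (CARP needs static interface addresses, not DHCP or PPPoE; the VIP that swings between the nodes must live in the same subnet as both nodes' WAN addresses; hence three addresses per WAN in the preferred layout) can be turned into a pre-flight check. The script below is an added example written for this thread, not pfSense code or anything from the posters. The `WanConfig` fields, the function names and the TEST-NET sample addresses are assumptions made for the example.

```python
"""Pre-flight check for a two-node CARP pair (added example, not pfSense code).

Encodes the rules from the thread: every WAN on both nodes must carry a static
address, a per-WAN CARP VIP must exist, and that VIP must sit in the same subnet
as both nodes' interface addresses (three addresses per WAN from one block).
"""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List, Optional

# WAN address types the replies rule out for HA (assumed spelling of the labels).
DYNAMIC = ("dhcp", "pppoe")


@dataclass(frozen=True)
class WanConfig:
    name: str
    node_a: str           # primary's WAN address, e.g. "203.0.113.2/29", or "dhcp"
    node_b: str           # secondary's WAN address
    vip: Optional[str]    # CARP VIP that swings between nodes, e.g. "203.0.113.1/29"


def check_wan(w: WanConfig) -> List[str]:
    """Return a list of problems; an empty list means this WAN can carry a CARP VIP."""
    problems = []
    for node, addr in (("node A", w.node_a), ("node B", w.node_b)):
        if addr.lower() in DYNAMIC:
            problems.append(f"{w.name}: {node} is {addr.upper()}; "
                            "a CARP VIP needs static interface addresses")
    if problems:
        return problems  # no point parsing subnets when the address is not static
    a, b = ip_interface(w.node_a), ip_interface(w.node_b)
    if a.network != b.network:
        problems.append(f"{w.name}: node addresses {a} and {b} are in different subnets")
    if a.ip == b.ip:
        problems.append(f"{w.name}: both nodes use {a.ip}")
    if w.vip is None:
        problems.append(f"{w.name}: no CARP VIP; nothing would swing over on failover")
        return problems
    v = ip_interface(w.vip)
    if v.network != a.network:
        problems.append(f"{w.name}: VIP {v} is not in the node subnet {a.network}")
    if v.ip in (a.ip, b.ip):
        problems.append(f"{w.name}: VIP {v.ip} collides with a node interface address")
    return problems


def check_pair(wans: List[WanConfig]) -> dict:
    """Map each WAN name to its problem list; all-empty means the pair is HA-ready."""
    return {w.name: check_wan(w) for w in wans}


# Constructed sample: the poster's situation, two WANs on ISP DHCP leases.
DHCP_PAIR = [
    WanConfig("WAN1", "dhcp", "dhcp", None),
    WanConfig("WAN2", "dhcp", "dhcp", None),
]

# Constructed sample: one static /29 per WAN, as the reply suggests (TEST-NET blocks).
STATIC_PAIR = [
    WanConfig("WAN1", "203.0.113.2/29", "203.0.113.3/29", "203.0.113.1/29"),
    WanConfig("WAN2", "198.51.100.2/29", "198.51.100.3/29", "198.51.100.1/29"),
]

# Constructed sample: static nodes but a VIP taken from an unrelated block.
BAD_VIP = WanConfig("WAN3", "203.0.113.2/29", "203.0.113.3/29", "192.0.2.1/24")


if __name__ == "__main__":
    for label, pair in (("dynamic leases", DHCP_PAIR), ("static /29s", STATIC_PAIR)):
        print(label, check_pair(pair))
    print("wrong-block VIP", check_wan(BAD_VIP))
```

Run it as-is and the DHCP pair is rejected on both nodes of both WANs, the static /29 layout passes cleanly, and the mismatched VIP is flagged; point the `WanConfig` entries at your own planned addressing to see which of the thread's constraints a design violates before touching the firewalls.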
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.