Possible scenario? multi WAN, high availability without VIP

  • I currently have 2 WAN connections to one pfsense box and it works great. I'm trying to add another one for failover, and I'd like to be a little more educated about this before I implement this. Currently, I have 2 internet lines from the same ISP, with 3 dynamic public IP each (assigned by DHCP of IPS).

    I read the documentation, and it looks like I'll need 3 public IP for each box (two for the WAN and one for sync). Is it possible to configure both pfsense box to have 2 WAN without using CARP virtual IP? What's the purpose of converting a public IP into a VIP?

    I currently only use up 1 (of 3 available) public IP for WAN, and one public IP for my test environment. Since there are only 3 available, is it possible I still reserve one for my test environment? Or do I need to use up all 3 for the high availability setup?

  • LAYER 8 Netgate

    You cannot do HA with DHCP period.

    You would have to have something that would do the DHCP in front of pfSense, with a private network behind it and do HA routers there.

    You would do this for each WAN.

    Talk to your ISP about getting a couple /29s instead of that DHCP stuff.  Or at least static IP addresses on each.

    You do not necessarily have to have three public IP addresses any more (with some caveats about the current backup unit being unable to make connections from the firewall itself like for DNS and checking for updates) but the public IP address cannot be assigned DHCP or PPPoE. A public IP address for each WAN interface plus at least one for the CARP VIP (3 total) is certainly preferred.

  • Thank you for this info! When I read through the documentation, I didn't see anywhere that says it's not possible to do HA with dynamic IP addresses assigned by the ISP's DHCP. Is there a reason as to why this is not possible?

    Although it's a dynamic public IP and can change any time, it never actually changes unless the machine has been off for a few days and I refresh (release/renew IP inside the pfesense interface menu). There also seems to be a different gateway for each new public IP.

    The reason why we have dynamic IP instead of static is because purchasing static IPs costs 5x as much as dynamic. So all hope is lost for HA if I don't convert these dynamic IPs to static IPs?

  • Derelict, as a workaround, is it possible for me to put a pfsense box solely to provide DHCP to the real pfsense box that the rest of the network uses?

    I added a diagram. The "pfsense-alpha" (purple) takes the WAN from ISP, and provides 3 LAN IP, which the real "pfsense-1" (orange) uses as it's WAN. Please let me know if the proposed setup in the diagram is possible, or if anything else fundamentally wrong with this setup:

  • LAYER 8 Netgate

    If you were to treat the WANs like Milti-WAN and only failover the LAN side that might work. No cool failover like OpenVPN servers or anything else outside-facing. And state sync would be a waste of time. You'd have to be careful about XMLRPC sync too. It'd only take a little bit longer to build it on the bench than it did to draw that diagram. :)

  • Just a quick curiosity question: is there a technical reason why DHCP from the IPS won't work for pfsense High Availability? Is it because all the public IP must have the same gateway for each IPS line? I purchased the pfsense book through the gold subscription, and this was not mentioned anywhere.

  • LAYER 8 Netgate

    Because CARP VIPs are static and those are the addresses that "swing" over to the secondary in the event of a failure. This means that Layer 3 stays intact for states, routes, client gateways, DNS servers, etc.

Log in to reply