2 WAN on same subnet: one for production one for backup

  • Hello,

    I run a pfSense box where WAN interface is set to x.x.x.160/29 network with x.x.x.161 being the gateway (from ISP) and x.x.x.166 being the pfSense WAN address. I also run Snort package on that pfSense box on WAN interface with auto-blocking feature enabled.

    At least once, when I was working from home with a LAN managed by that pfSense box, something triggered Snort rule and my Home IP address was blacklisted by Snort so I lost connectivity to the LAN and WAN sides of pfSense. I managed to connect to pfSense from a 4G smartphone (something from outside my Home NAT network) and remove a record in snort2c table under Diagnostics/Tables so connectivity from my Home network was recovered. I then suppressed a few Snort rules to avoid that same behavior in the future.

    I then started wondering about possibility to have a separate WAN interface on pfSense, say with x.x.x.162 (which I have permission to use) so that "Backup WAN" wouldn't be used neither for accessing LAN nor will be restricted by Snort. The whole purpose of such interface would be to allow connection from a Snort-blocked network to remove a record in snort2c table (see above).

    I allocated one of the NICs on pfSense box for that purpose and created interface with x.x.x.162/29 address. I specified the same gateway as in main WAN, i.e. x.x.x.161, but when I attempted to save configuration, an error message stating that overlapping network cannot be used appeared.

    My question: does my solution make sense or there exist some other, "correct" approach to implement a backup WAN interface.

    Thank you.