Failover pfSense with failover WAN

  • Hi,

We are building our new racks and would like to have the following solution:

    2 WAN lines from ISP (for failover)
2 pfSense firewalls (for failover) with about 10-15 public IPs (WAN interface) and 5 VLANs with default gateway IPs (LAN interface).
    2 switches (stacked, virtualised)
10 servers for virtualisation running in several VLANs, using the pfSense LAN VLAN as default gateway.

    The idea is:

• If one of the pfSense boxes goes down, the other one will take over, via CARP.
    • If one of the WAN lines from ISP goes down, the other one is used.

    I'm not sure what the best setup for this is:

• WAN from ISP directly to each firewall. When a firewall or WAN cable goes down, will the other firewall take over?
    • Each WAN cable to each switch, each Firewall to each switch.

    ISP mentioned BGP, but I'm not sure how it falls in this setup.

Any advice/help?


  • Wow, 50 reads and no response. Is this because no-one knows or because it is not possible? I am looking to do something similar, not quite so big, but two WANs with failover and two firewalls with failover. Anyone??

  • LAYER 8 Moderator

    If you can get your ISP to deliver you two separate uplinks with different IPs (transfer networks), go for it and do each-to-each. So setup would look like:

    pfSense 1/2:

    • WAN1
    • WAN2
    • SYNC
    • LAN (trunk for VLANs)

    Depending on what you get from your ISP, get the uplinks to separate switches and connect each firewall to them. We got a pair for each uplink (active/standby) from our ISP for each of the two uplinks and configured them like a big double-H:

    ISP-active-line connected to switch 1
    ISP-backup-line connected to switch 2
    switch 1 connected to switch 2
    firewall 1 connected to switch 1
    firewall 2 connected to switch 2

    Rinse & repeat for the second WAN uplink pair. This configuration lets you stay connected on WAN-Uplink-1 even if it switches from active to standby on the ISP side (through the sw1-sw2 interconnect). In case one of the small switches burns down, fw2 can still do WAN-Uplink-1 via the standby connection. If WAN1 is gone completely (detected via gateway checks), the whole thing can switch over to WAN2 (failover gateway group).

    So yes, it is possible. But depends on what you want/get from your ISP and how far you want to rely on which components.

  • Rebel Alliance Developer Netgate

    Each node must be connected to the same WAN. If the ISP delivers two lines on the same subnet/circuit/L2/etc, then maybe they might be willing to do something like LACP depending on what the transport supports. If they can do LACP, and you have enough NICs on the firewalls, you can do that too. If it's two separate subnets, then use the Multi-WAN style JeGr mentioned.


    Wow, 50 reads and no response. Is this because no-one knows or because it is not possible?

    Please stop making posts like this. The view count of a thread is practically meaningless, it does not indicate anything more than how many times the server showed the thread to some device. You don't know how many of those were bots, search engine crawlers, or people who couldn't tell what the post was from the title and clicked off it after reading.

  • Sorry, did not mean to cause offense. I had not considered the bot issue because responses always seem to come back so quickly. Your point is well made. I was merely expressing surprise, not complaining or anything else, but I can see how my meaning was easily misconstrued.
