Netgate Discussion Forum
    Failover pfSense with failover WAN

    HA/CARP/VIPs
emot:

      Hi,

We are building our new racks and would like to have the following solution:

      2 WAN lines from ISP (for failover)
2 pfSense firewalls (for failover) with about 10-15 public IPs (WAN interface) and 5 VLANs with their default gateway IPs (LAN interface).
2 switches (stacked, virtualised)
10 servers for virtualisation running in several VLANs, using the pfSense LAN VLAN as default gateway.

      The idea is:

• If one of the pfSense boxes goes down, the other one will take over, via CARP.
      • If one of the WAN lines from ISP goes down, the other one is used.

      I'm not sure what the best setup for this is:

• WAN from ISP directly to each firewall. When the firewall or WAN cable goes down, the other firewall will take over?
      • Each WAN cable to each switch, each Firewall to each switch.

The ISP mentioned BGP, but I'm not sure how it fits into this setup.

Any advice/help?

      thanks!

chc-pr:

Wow, 50 reads and no response. Is this because no-one knows or because it is not possible? I am looking to do something similar, not quite so big, but two WANs with failover and two firewalls with failover. Anyone??

JeGr (Layer 8 Moderator):

If you can get your ISP to deliver you two separate uplinks with different IPs (transfer networks), go for it and do each-to-each. So the setup would look like:

          pfSense 1/2:

          • WAN1
          • WAN2
          • SYNC
          • LAN (trunk for VLANs)

Depending on what you get from your ISP, get the uplinks to separate switches and connect each firewall to them. We got a pair of lines (active/standby) from our ISP for each of the two uplinks and configured them like a big double-H:

          ISP-active-line connected to switch 1
          ISP-backup-line connected to switch 2
          switch 1 connected to switch 2
          firewall 1 connected to switch 1
          firewall 2 connected to switch 2

Rinse and repeat for the second WAN uplink pair. This configuration lets you stay connected on WAN uplink 1 even if it switches from active to standby on the ISP side (through the sw1-sw2 interconnect). In case one of the small switches burns down, fw2 can still do WAN uplink 1 via the standby connection. If WAN1 is gone completely (via gateway checks), the whole thing can switch over to WAN2 (failover gateway group).

          So yes, it is possible. But depends on what you want/get from your ISP and how far you want to rely on which components.

jimp (Rebel Alliance Developer, Netgate):

            Each node must be connected to the same WAN. If the ISP delivers two lines on the same subnet/circuit/L2/etc, then maybe they might be willing to do something like LACP depending on what the transport supports. If they can do LACP, and you have enough NICs on the firewalls, you can do that too. If it's two separate subnets, then use the Multi-WAN style JeGr mentioned.

            @chc-pr:

Wow, 50 reads and no response. Is this because no-one knows or because it is not possible?

            Please stop making posts like this. The view count of a thread is practically meaningless, it does not indicate anything more than how many times the server showed the thread to some device. You don't know how many of those were bots, search engine crawlers, or people who couldn't tell what the post was from the title and clicked off it after reading.

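As an added example (not part of any post in this thread, and not pfSense code), the cabling arguments in JeGr's and jimp's replies can be checked mechanically. The script below models the OP's "WAN straight into each firewall" option and JeGr's double-H as graphs and, for every single component failure, reports which WAN transfer networks each surviving firewall can still reach. Node names (FW1, SW1A, WAN1-active, ...) are made up for the example. It assumes that a firewall can use a WAN only if it has a layer-2 path to that WAN's transfer network, that firewalls never bridge WAN segments for each other, and that the ISP's active and standby lines for one uplink land in the same transfer network.

```python
"""Single-failure check for the HA pfSense / dual-WAN topologies in this thread.

Added example, not from the thread or from pfSense. Cabling is an undirected
graph; for each single node failure we ask which WAN transfer networks each
surviving firewall can still reach. Node names are made up for the example.
"""
from collections import deque

FIREWALLS = ("FW1", "FW2")
WANS = ("WAN1", "WAN2")


def add_link(g, a, b):
    """Undirected cable/link between two nodes."""
    g.setdefault(a, set()).add(b)
    g.setdefault(b, set()).add(a)


def direct_to_firewalls():
    """OP's first option: one ISP line straight into each firewall."""
    g = {}
    add_link(g, "WAN1", "FW1")
    add_link(g, "WAN2", "FW2")
    return g


def double_h(interconnect=True):
    """JeGr's double-H: per uplink, ISP active line -> switch 1, ISP standby
    line -> switch 2, the two switches interconnected, FW1 on switch 1 and
    FW2 on switch 2. Repeated for the second uplink with its own switch pair."""
    g = {}
    for wan, sw1, sw2 in (("WAN1", "SW1A", "SW2A"), ("WAN2", "SW1B", "SW2B")):
        add_link(g, wan, f"{wan}-active")     # ISP active hand-off (assumed same
        add_link(g, wan, f"{wan}-standby")    # transfer network as the standby)
        add_link(g, f"{wan}-active", sw1)
        add_link(g, f"{wan}-standby", sw2)
        if interconnect:
            add_link(g, sw1, sw2)             # the bar of the H
        add_link(g, "FW1", sw1)
        add_link(g, "FW2", sw2)
    return g


def reachable(g, src, failed=frozenset()):
    """Nodes reachable from src with `failed` nodes removed. Other firewalls
    are reached but never expanded: they do not bridge WAN segments."""
    if src in failed or src not in g:
        return set()
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n != src and n in FIREWALLS:
            continue
        for m in g[n]:
            if m not in failed and m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def wans_per_firewall(g, failed=frozenset()):
    """Which WAN transfer networks each live firewall can still reach."""
    return {fw: {w for w in WANS if w in reachable(g, fw, failed)}
            for fw in FIREWALLS if fw not in failed}


def still_serviceable(g, failed=frozenset()):
    """Some live firewall reaches some live WAN: traffic can still flow, at
    the cost of CARP failing over and/or the gateway group switching tier."""
    live_wans = {w for w in WANS if w not in failed}
    return bool(live_wans) and any(wans_per_firewall(g, failed).values())


def full_ha(g, failed=frozenset()):
    """Every live firewall reaches every live WAN: whichever node is CARP
    master keeps all WAN VIPs and both tiers of the failover gateway group."""
    live_wans = {w for w in WANS if w not in failed}
    per_fw = wans_per_firewall(g, failed)
    return bool(per_fw) and all(wans == live_wans for wans in per_fw.values())


def single_points_of_failure(g, check=still_serviceable):
    """Nodes whose loss alone makes `check` false."""
    return sorted(n for n in g if not check(g, frozenset({n})))


if __name__ == "__main__":
    for name, g in (("direct-to-firewalls", direct_to_firewalls()),
                    ("double-H", double_h()),
                    ("double-H, no switch interconnect", double_h(False))):
        print(f"{name}: full HA with nothing failed: {full_ha(g)}")
        print(f"  service lost on single failure of: {single_points_of_failure(g)}")
        print(f"  full HA lost on single failure of: {single_points_of_failure(g, full_ha)}")
    # JeGr's two claims: switch 1 of uplink 1 burns down; ISP flips WAN1 to standby.
    print(wans_per_firewall(double_h(), frozenset({"SW1A"})))
    print(wans_per_firewall(double_h(), frozenset({"WAN1-active"})))
    print(wans_per_firewall(double_h(False), frozenset({"WAN1-active"})))
```

Running it shows what the thread argues. With the direct option, full_ha is already false with nothing broken: FW2 has no path to WAN1, so CARP cannot take over WAN1's VIPs, which is jimp's "each node must be connected to the same WAN". With the double-H, no single failure loses service; the only components whose loss costs one node one uplink are the four small switches (the other node still has that uplink via the standby line); and without the switch interconnect, an ISP active-to-standby flip on WAN1 takes WAN1 away from FW1 entirely.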
chc-pr:

Sorry, I did not mean to cause offense. I had not considered the bot issue because responses always seem to come back so quickly. Your point is well made. I was merely expressing surprise, not complaining or anything else, but I can see how my meaning was easily misconstrued.

© 2021 Rubicon Communications, LLC