HA configuration and making use of /24 IP range



  • Hi,

    I am planning to buy one of the following HA systems and I have the following question.

    HIGH AVAILABILITY SG-4860 1U pfSense® Systems
or HIGH AVAILABILITY XG-2758 1U pfSense® Systems

    I will be getting a dual uplink (WAN) connections from my provider and each connection comes with its own /29 external IPv4. Dual connections for both load-balancing and redundancy purposes.

    I will also be allocated with /24 external IPv4 pool which will be used primarily as described below.

Here is how I plan to use it (because I plan to purchase a High Availability system, you see two connections described below).

    pfSense 1 -> layer 2 switch A -> Multiple Servers with their NIC configured for external IPv4 assigned (IPs from the above /24 pool).

    pfSense 2 -> layer 2 switch B -> Multiple Servers with their NIC configured for external IPv4 assigned (IPs from the above /24 pool).

    As you can see in the above example, all servers MUST have external (public) IPs assigned to them. There is no requirement to use any private class IPs anywhere.

    Also, all IPs we plan to use on the servers will be from /24 pool that will be allocated to us separately.

Am I able to accomplish the above with the aforementioned devices? How would I go about configuring them to work for the model I described above? Please feel free to let me know if I should take another approach to get the above done.

Thanks.


  • Netgate

    My initial question is how you and the provider are going to route the /24 over one WAN or the other. Other than that it all sounds pretty straightforward.

    pfSense HA is active/standby, not active/active. You would be using both WANs on one node and if a problem develops there everything swings to the other.



  • @Derelict:

    My initial question is how you and the provider are going to route the /24 over one WAN or the other. Other than that it all sounds pretty straightforward.

    pfSense HA is active/standby, not active/active. You would be using both WANs on one node and if a problem develops there everything swings to the other.

This setup will be placed in a data center and the upstream provider will be the same for both WAN connections (so I suppose you could say multiple WAN is used for load-balancing rather than redundancy).

    1. Please advise what the best practice should be in order to route /24 for the above setup.

2. If pfSense HA is active/standby and both WANs connect to one node, does it mean a person has to physically disconnect the WAN cables from the main node and connect them to the standby node when failing over?


  • Netgate

    I wouldn't have two WANs on each HA node to the same provider in a datacenter for redundancy. I would LACP two ports into one WAN on each node to the provider's redundant switches for redundancy in that situation. Behind that they should have redundant routers like you are considering installing.

    You could also do your own redundant switching in the cabinet, put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports). That would likely be more economical over time than 4 cross-connects to four provider switch ports. Especially since you could then do redundant layer 2 to other assets in the cabinet that support it.

    If all that is in place I would want at least a /29 from the provider for the WAN interfaces/CARP with the /24 routed to the CARP address there.

    What you can do is really up to the provider and what they offer, not you. Find out what they recommend/can do and post what they say.
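As an added example (not from the thread or from Netgate), here is a small Python planner for the addressing described above: a /29 on the WAN holding the provider gateway, both nodes and a CARP VIP, with the /24 routed to that VIP and a second CARP VIP inside the /24 acting as the servers' default gateway. The address blocks are documentation ranges and the slot order within each block is an assumption.

```python
from ipaddress import ip_network


def plan_ha_addressing(wan_block: str, routed_block: str) -> dict:
    """Carve a CARP addressing plan out of the WAN block and the routed block.

    Slot order assumed here (constructed for this example):
      WAN block:    provider gateway, node A, node B, CARP VIP
      routed block: node A, node B, CARP gateway VIP, then servers
    The provider routes the server block to the WAN CARP VIP, which follows
    whichever node is currently master, so failover needs no recabling.
    """
    wan = ip_network(wan_block, strict=True)
    routed = ip_network(routed_block, strict=True)
    if wan.overlaps(routed):
        raise ValueError(f"{wan} and {routed} overlap")

    wan_hosts = list(wan.hosts())
    if len(wan_hosts) < 4:  # gateway + 2 nodes + CARP VIP; a /30 cannot do it
        raise ValueError(f"{wan} has {len(wan_hosts)} usable addresses, need 4")
    gw, node_a, node_b, wan_vip = wan_hosts[:4]

    lan_hosts = list(routed.hosts())
    if len(lan_hosts) < 4:  # 2 nodes + CARP VIP + at least one server
        raise ValueError(f"{routed} leaves no addresses for servers")
    lan_a, lan_b, lan_vip = lan_hosts[:3]
    servers = lan_hosts[3:]

    return {
        "wan_gateway": str(gw),
        "wan_node_a": f"{node_a}/{wan.prefixlen}",
        "wan_node_b": f"{node_b}/{wan.prefixlen}",
        "wan_carp_vip": f"{wan_vip}/{wan.prefixlen}",
        "provider_route": f"{routed} via {wan_vip}",
        "lan_node_a": f"{lan_a}/{routed.prefixlen}",
        "lan_node_b": f"{lan_b}/{routed.prefixlen}",
        "lan_carp_vip": f"{lan_vip}/{routed.prefixlen}",
        "server_gateway": str(lan_vip),
        "first_server": str(servers[0]),
        "last_server": str(servers[-1]),
        "server_count": len(servers),
    }


if __name__ == "__main__":
    # Constructed documentation-range blocks, not the poster's real allocations.
    for key, value in plan_ha_addressing("203.0.113.8/29", "198.51.100.0/24").items():
        print(f"{key:>16}: {value}")
```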



  • @Derelict:

    You could also do your own redundant switching in the cabinet, put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports). That would likely be more economical over time than 4 cross-connects to four provider switch ports. Especially since you could then do redundant layer 2 to other assets in the cabinet that support it.

    Thank you! I will check with the provider to see what they offer and recommend.

    Meanwhile, can you please elaborate more on the above setup?

I'd rather stick with getting 2 cross-connects compared to 4 cross-connects. You said "put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports)" - Shouldn't it be "LACP to each HA node (2 ports)"? Provided I only have 2 cross-connects?

    How many Layer 2 switches do I need for the above-described setup to work?


  • Netgate

LACP to each HA node (4 ports)

4 ports total: two from each HA node, one to each switch.

    You will chew up switch ports quickly.

    Then you need to decide how to configure the LAN side.

    You need at least two switches, stacked, or using some other technology that allows them to make LACP groups with ports on each switch (Multi-Chassis trunking, or whatever your vendor calls it. At this scale, stacking is likely your best bet).

    You can also use Spanning Tree and something like this without going to LACP:

    https://portal.pfsense.org/docs/book/highavailability/layer-2-redundancy.html