    HA configuration and making use of /24 IP range

    General pfSense Questions
    purathal:

      Hi,

      I am planning to buy one of the following HA systems and I have the following question.

      HIGH AVAILABILITY SG-4860 1U pfSense® Systems
      or HIGH AVAILABILITY XG-2758 1U pfSense® Systems

      I will be getting dual uplink (WAN) connections from my provider, and each connection comes with its own /29 external IPv4 block. The dual connections are for both load-balancing and redundancy purposes.

      I will also be allocated a /24 external IPv4 pool, which will be used primarily as described below.

      Here is how I plan to use it (because I plan to purchase a High Availability system, you see two connections described below):

      pfSense 1 -> layer 2 switch A -> Multiple Servers with their NICs configured with external IPv4 addresses (IPs from the above /24 pool).

      pfSense 2 -> layer 2 switch B -> Multiple Servers with their NICs configured with external IPv4 addresses (IPs from the above /24 pool).

      As you can see in the above example, all servers MUST have external (public) IPs assigned to them. There is no requirement to use any private-class IPs anywhere.

      Also, all IPs we plan to use on the servers will be from the /24 pool that will be allocated to us separately.

      Am I able to accomplish the above with the aforementioned devices? How would I go about configuring them to work for the model I described above? Please feel free to let me know if I should take another approach to get the above done.

      Thanks.

      Derelict (Netgate):

        My initial question is how you and the provider are going to route the /24 over one WAN or the other. Other than that it all sounds pretty straightforward.

        pfSense HA is active/standby, not active/active. You would be using both WANs on one node and if a problem develops there everything swings to the other.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          purathal:
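        The active/standby behaviour described above, as an added example that is not part of the original post or of pfSense: a small model of CARP master election for a two-node pair. Skews, the demotion penalty and the preempt behaviour are assumptions modelled after FreeBSD carp(4) defaults and pfSense's default HA settings (primary advskew 0, secondary 100, preempt enabled); the node and VIP names are made up.

        ```python
        """Model of CARP master election for a two-node pfSense HA pair.

        Added example; not pfSense or FreeBSD code. Every CARP VIP (WAN and LAN)
        is mastered by the node advertising the lowest skew. A node that loses a
        link raises its skew on all of its VIPs at once, so the whole firewall,
        WAN addresses included, moves to the standby with no cables touched.
        """
        from dataclasses import dataclass, field

        # Assumptions modelled after FreeBSD carp(4): a downed interface adds
        # net.inet.carp.ifdown_demotion_factor (default 240) to the advertised
        # skew, the on-wire skew is clamped at 240, and preemption is enabled
        # (pfSense default), so a recovered node with a lower skew reclaims MASTER.
        IFDOWN_DEMOTION = 240
        MAX_SKEW = 240


        @dataclass
        class Node:
            name: str
            advskew: int                               # pfSense: 0 primary, 100 secondary
            links: dict = field(default_factory=dict)  # interface name -> link up?

            def demotion(self) -> int:
                """Penalty for every interface that is currently down."""
                return IFDOWN_DEMOTION * sum(1 for up in self.links.values() if not up)

            def wire_skew(self) -> int:
                """Skew actually sent in advertisements for every VIP on this node."""
                return min(self.advskew + self.demotion(), MAX_SKEW)


        def elect(nodes, vips, current=None):
            """Return {vip: master} after a round of advertisements.

            Lowest wire skew wins; on a tie the incumbent keeps the VIP. Because
            one node advertises one skew for all its VIPs, they move together.
            """
            current = current or {}
            best = min(n.wire_skew() for n in nodes)
            winners = [n.name for n in nodes if n.wire_skew() == best]
            return {vip: (current[vip] if current.get(vip) in winners else winners[0])
                    for vip in vips}


        def failover_scenario():
            """Primary loses its WAN link, then gets it back. Returns the timeline."""
            fw1 = Node("fw1", advskew=0,   links={"WAN": True, "LAN": True})
            fw2 = Node("fw2", advskew=100, links={"WAN": True, "LAN": True})
            nodes, vips = [fw1, fw2], ["WAN_VIP", "LAN_VIP"]
            timeline = []
            state = elect(nodes, vips)
            timeline.append(("steady state", state))
            fw1.links["WAN"] = False          # upstream port or cable on fw1 dies
            state = elect(nodes, vips, state)
            timeline.append(("fw1 WAN link down", state))
            fw1.links["WAN"] = True           # link restored; preempt hands it back
            state = elect(nodes, vips, state)
            timeline.append(("fw1 WAN link restored", state))
            return timeline


        if __name__ == "__main__":
            for event, masters in failover_scenario():
                print(f"{event:24s} {masters}")
        ```

        The point of the model is the second step: losing one WAN link demotes fw1 on the LAN VIP as well, so servers keep using the same gateway address while both the WAN and LAN sides are now served by fw2. That is why both WAN uplinks belong on each node, cabled permanently, rather than being moved by hand.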

          @Derelict:

          My initial question is how you and the provider are going to route the /24 over one WAN or the other. Other than that it all sounds pretty straightforward.

          pfSense HA is active/standby, not active/active. You would be using both WANs on one node and if a problem develops there everything swings to the other.

          This setup will be placed in a data center, and the upstream provider will be the same for both WAN connections (so I suppose you could say multiple WAN is used more for load-balancing than for redundancy).

          1. Please advise what the best practice should be in order to route the /24 for the above setup.

          2. If pfSense HA is active/standby and both WANs connect to one node, does it mean a person has to physically disconnect the WAN cables from the main node and connect them to the standby node when failing over?

            Derelict (Netgate):

            I wouldn't have two WANs on each HA node to the same provider in a datacenter for redundancy. I would LACP two ports into one WAN on each node to the provider's redundant switches for redundancy in that situation. Behind that they should have redundant routers like you are considering installing.

            You could also do your own redundant switching in the cabinet, put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports). That would likely be more economical over time than 4 cross-connects to four provider switch ports. Especially since you could then do redundant layer 2 to other assets in the cabinet that support it.

            If all that is in place I would want at least a /29 from the provider for the WAN interfaces/CARP with the /24 routed to the CARP address there.

            What you can do is really up to the provider and what they offer, not you. Find out what they recommend/can do and post what they say.

              purathal:
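              The addressing plan Derelict sketches (a /29 on the WAN segment for the provider gateway, one real address per node and the CARP VIP, with the /24 routed to that VIP), as an added example that is not from the thread or from pfSense. It lays the plan out from the two prefixes and checks a server's static configuration against it. The prefixes are constructed RFC 5737 documentation ranges, and the convention of taking the first usable addresses for the gateway, fw1, fw2 and VIP is an assumption; the provider dictates the real gateway address.

              ```python
              """Addressing plan for a pfSense HA pair with a provider /29 and a routed /24.

              Added example, not pfSense code. The WAN /29 carries the provider
              gateway, the two nodes' real addresses and the WAN CARP VIP; the
              provider routes the /24 to that VIP, and the LAN CARP VIP inside the
              /24 is the servers' default gateway. Assumption: first usable WAN
              address is the provider gateway, as is common but not guaranteed.
              """
              import ipaddress


              def ha_plan(wan_prefix: str, routed_prefix: str) -> dict:
                  """Return the address assignments and the route the provider must install."""
                  wan = ipaddress.ip_network(wan_prefix, strict=True)
                  routed = ipaddress.ip_network(routed_prefix, strict=True)
                  hosts = list(wan.hosts())
                  # gateway + two real node addresses + CARP VIP: a /30 (2 usable)
                  # cannot carry an HA pair, a /29 (6 usable) can.
                  if len(hosts) < 4:
                      raise ValueError(f"{wan} has {len(hosts)} usable addresses; HA needs 4")
                  if wan.overlaps(routed):
                      raise ValueError(f"routed {routed} overlaps the WAN transit {wan}")
                  gw, fw1, fw2, vip = hosts[:4]
                  lan_fw1, lan_fw2, lan_vip = list(routed.hosts())[:3]
                  return {
                      "wan": {"provider_gw": str(gw), "fw1": str(fw1), "fw2": str(fw2),
                              "carp_vip": str(vip), "prefixlen": wan.prefixlen},
                      # What the provider configures on their side: the /24 via the VIP,
                      # never via one node's real address, or the route dies with that node.
                      "provider_static_route": f"{routed} via {vip}",
                      "lan": {"fw1": str(lan_fw1), "fw2": str(lan_fw2),
                              "carp_vip": str(lan_vip), "prefixlen": routed.prefixlen},
                      "server_default_gw": str(lan_vip),
                      "server_addresses": routed.num_addresses - 2 - 3,
                  }


              def check_server(plan: dict, address: str, gateway: str) -> list:
                  """Problems with a server's static IP config; an empty list means OK."""
                  problems = []
                  lan = plan["lan"]
                  routed = ipaddress.ip_network(f"{lan['carp_vip']}/{lan['prefixlen']}", strict=False)
                  reserved = {lan["fw1"], lan["fw2"], lan["carp_vip"]}
                  if ipaddress.ip_address(address) not in routed:
                      problems.append(f"{address} is outside the routed {routed}")
                  elif address in reserved:
                      problems.append(f"{address} is reserved for the firewalls' LAN side")
                  if gateway != plan["server_default_gw"]:
                      # A node's real address answers today but does not fail over.
                      problems.append(f"gateway {gateway} is not the CARP VIP "
                                      f"{plan['server_default_gw']}; it will not fail over")
                  return problems


              if __name__ == "__main__":
                  plan = ha_plan("192.0.2.0/29", "203.0.113.0/24")   # constructed ranges
                  for k, v in plan.items():
                      print(f"{k}: {v}")
                  print(check_server(plan, "203.0.113.10", "203.0.113.2"))
              ```

              Two things the plan alone does not enforce: the provider's static route has to target the WAN CARP VIP, and pfSense's automatic outbound NAT will translate the /24 to the WAN address unless outbound NAT is switched to hybrid or manual mode with a no-NAT rule for that subnet, which would defeat the "public IPs all the way to the server" requirement stated in the question.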

              @Derelict:

              You could also do your own redundant switching in the cabinet, put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports). That would likely be more economical over time than 4 cross-connects to four provider switch ports. Especially since you could then do redundant layer 2 to other assets in the cabinet that support it.

              Thank you! I will check with the provider to see what they offer and recommend.

              Meanwhile, can you please elaborate more on the above setup?

              I'd rather stick with getting 2 cross-connects compared to 4 cross-connects. You said "put an LACP to each HA node (four ports) and one LACP to the provider's switch stack (2 ports)" - shouldn't it be "LACP to each HA node (2 ports)", provided I only have 2 cross-connects?

              How many Layer 2 switches do I need for the above-described setup to work?

                Derelict (Netgate):

                LACP to each HA node (4 ports)

                4 ports total two from each HA node, one each to each switch.

                You will chew up switch ports quickly.

                Then you need to decide how to configure the LAN side.

                You need at least two switches, stacked, or using some other technology that allows them to make LACP groups with ports on each switch (Multi-Chassis trunking, or whatever your vendor calls it. At this scale, stacking is likely your best bet).

                You can also use Spanning Tree and something like this without going to LACP:

                https://portal.pfsense.org/docs/book/highavailability/layer-2-redundancy.html
