2 firewalls and 2 internet connections (VDSL/LTE)

  • I have a working pfSense (VM in Hyper-V) setup connected to a VDSL line.

    I now bought an LTE router as a fallback in case the VDSL line fails.

    At first I wanted to connect the LTE router to the same pfSense box as an internet line fallback, but now I wonder:

    1. Does it make sense to create a second pfSense VM on another machine, and also create a LAN and WAN (LTE) there? (VMs with 1GB of RAM and ~20GB of HD are rather easy to come by and cheap to have permanently turned on.)

    2. Could I then always route absolutely all traffic over the first VM (VDSL) and only use the 2nd VM (LTE) in case of the first failing?

    3. Is this a CARP scenario?

    4. Also, can I still use both VMs as gateways, so that (LTE is faster than VDSL, but metered) in case of need for speed I can also voluntarily switch a PC in the LAN to use the 2nd VM (LTE)?

    5. Also, can you tell me where to start searching? CARP, failover, load balancing, multi WAN are all buzzwords I have seen, but I do not know which apply to my case so I can continue reading there.


  • Hi andipandi,

    I'll try to answer some of your questions, based on my experience (forum people, please correct me if I'm wrong):

    1. I would set up another server, but just in case I would like to set up some redundancy (High Availability - HA).

    2. Yes, it's possible - it's a gateway group configuration with layers

    3. CARP is a mechanism to provide failover functionality / redundancy - you would need to have two pfSense boxes in HA to get its advantages ( https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) )

    4. You can do it, but I think you would need to change this manually (just changing gateway group layers) - not sure if there's any way to do this in a different way

    5. It depends on what you would like to set up first:
      a) MultiWAN setup on just one box --> https://doc.pfsense.org/index.php/Multi-WAN
      b) CARP setup with MultiWAN --> mix together the link from point 3) and the previous one from 5a)



  • Hello David,

    many thanks for answering!

    It's still a little bit abstract for me, so I think I will first configure the existing firewall to also have LTE access fallback and then look into the failover.

    I will probably follow up with some more specific questions.


