PfSense CARP and Switch Redundancy

  • Hi,

    we have a CARP setup on our own self-built "cheap" hardware with 4 network interfaces on each box for WAN, LAN, DMZ and GUESTWLAN.
    For our uplink we have one switch, which connects the WAN links of the two pfSense nodes and the provider's two lines.
    The fiber uplink is the primary line and the SDSL line is the backup (one gateway VRRP IP from the provider).
    The only single point of failure is the uplink switch, which brings it all together.

    So my question is:
    What are the solutions with pfSense to get rid of this single point of failure?
    Two network cards for the uplink, bonded with LAGG, and two switches?
    Are there any other solutions to the problem that don't need two network cards?


  • Rebel Alliance Developer Netgate

    LAGG/LACP and multiple switches is the standard way to address that level of redundancy.

    You could lagg ALL your ports together (or make two groups of two: one pair internal, one pair external) and use VLANs to segment internal traffic, or any similar combination.

    You could also have one switch on the primary, one switch on the secondary, and then something linking those switches together upstream, but it's not as robust as LAGG/LACP.

  • Thanks for your reply. The "VLAN" approach would be one alternative without an additional network card, but at the moment we do not have any VLANs and no switches that support VLANs.
    Meanwhile I have contacted our provider: the only possibility with our line setup is two network interfaces and two switches for WAN access.
    Every provider line (router) is connected to a MASTER and a BACKUP switch. The switches are connected to each other.
    Because we also use cheap switches, the solution for us is to use LAGGs in pfSense (we already have them configured for CARP and pfsync). So we will use a second network interface in a LAGG in failover mode for WAN access, and both pfSense nodes will be connected to both switches.
    The only problem is getting some old supported dual-port PCI network cards, because the hardware is ancient ;D
    I found this old compatibility list ...
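A check that goes with the failover LAGG plan described above, added here as an example and not part of the thread: in failover mode a dead MASTER port (or switch) is invisible to users because traffic silently moves to the backup port, which quietly recreates the single point of failure until someone notices. This script parses `ifconfig laggN` output from a pfSense/FreeBSD box and reports which laggport is carrying traffic; the sample output, interface names and addresses below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a pfSense/FreeBSD failover
# LAGG is still carrying traffic on its MASTER port, or has silently moved to the
# backup port. Reads `ifconfig laggN` output on stdin and prints one status line.
# Exit status: 0 = healthy, 1 = running on backup port, 2 = no active port.
lagg_failover_status() {
    master="" active="" ports=""
    while IFS= read -r line; do
        case "$line" in
            *laggport:*)
                # "laggport: em0 flags=5<MASTER,ACTIVE>" -> port name "em0"
                port=$(printf '%s\n' "$line" | sed -n 's/.*laggport: *\([^ ]*\) .*/\1/p')
                ports="$ports $port"
                case "$line" in *MASTER*) master="$port" ;; esac
                case "$line" in *ACTIVE*) active="$port" ;; esac
                ;;
        esac
    done
    if [ -z "$active" ]; then
        echo "DOWN: no active laggport (ports:$ports)"
        return 2
    elif [ "$active" != "$master" ]; then
        echo "DEGRADED: traffic on backup $active, master $master has no link"
        return 1
    fi
    echo "OK: master $active carrying traffic"
    return 0
}

# Constructed samples (interface names and addresses are made up).
SAMPLE_OK='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        laggproto failover lagghash l2,l3,l4
        laggport: em0 flags=5<MASTER,ACTIVE>
        laggport: em1 flags=0<>'
SAMPLE_DEGRADED='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        laggproto failover lagghash l2,l3,l4
        laggport: em0 flags=1<MASTER>
        laggport: em1 flags=4<ACTIVE>'
SAMPLE_DOWN='lagg0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        laggproto failover lagghash l2,l3,l4
        laggport: em0 flags=1<MASTER>
        laggport: em1 flags=0<>'

# Demo on the samples; on a real box: ifconfig lagg0 | lagg_failover_status
for s in "$SAMPLE_OK" "$SAMPLE_DEGRADED" "$SAMPLE_DOWN"; do
    printf '%s\n' "$s" | lagg_failover_status || true
done
```

Run it from cron or a monitoring agent and alert on any non-zero exit, so a failed MASTER switch is repaired while the backup is still up.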
