Critique my Multi-WAN HA plan

  • My goal is layer 1, 2, and 3 redundancy into the rack for a persistent connection to AWS VPC and from a remote office.  I need to be able to do a transparent failover when losing any one piece of gear

    • 2 power sources, both w/ online UPS

    • 2 ISPs on different medium with 3 Static IPs each

    • 3 5018A-FNT4 systems (2 in rack and one remote), with 2 port GBE cards in the rack units

    • 2 Ubiquity US-48 Switches

    • 2 application servers in rack with dual PSU and dual NIC, each running 4 windows VMs with essential services (redundant, only need one to operate)

    • 1 storage server in rack with dual PSU and dual NIC (running windows server 2016)

    • management interfaces on a separate nic+vlan with a dedicated thin client locally (eventually would like my own vpn into this)

    Everything is racked up, waiting on the statics from the ISPs.  I would appreciate a sanity check on the config!

    specific questions:

    • openVPN, IPSec, or Tinc, or ?? for the tunnels

    • Do I need to trunk the two switches to each other?  Or bridge them through Pfsense?  Or Both?    Wired both for now but not configured.  If one switch goes down, I am ok with losing anything that only has 1 nic (office workstations, ip cameras, etc)

    • Anything I may have completely screwed up on?


  • I was hoping for some input, nobody wants to rip me a new one here?

  • Nice diagram, you obviously put a lot of time into the design. My advice to you is be a bit patient. You're new on the forum and this is your first post. It's been less than 2 days. This is quite a complex setup you're asking about.  People have day jobs.  If you need faster/immediate support, there are lots of options available to you:

  • Thanks for replying!  All good points ;)

    I did get a gold subscription and plan to purchase support as soon as I encounter an issue I can't overcome. The documentation in the book is fantastic, I knew nothing about pfsense a couple weeks ago.  Dropping right into a multi-wan HA setup is probably not the smoothest way in, but so far, things are working as documented.


Log in to reply