Is some level of HA possible with two different public IP addresses

  • Hi all,

    Here is a summary of the setup I am trying to leverage:

As illustrated, my ISP can provide two public IPv4 addresses in different subnets if it is configured in bridge mode and I attach two different devices downstream configured as DHCP clients.

Based on the two public IP addresses I get on each pfSense, I was wondering what level of HA I could pretend to achieve.
    My main point is to have a CARP gateway for the clients on the green LAN so that, whenever I have to do maintenance, I can take pfsense1 down and clients can connect to the internet through pfsense2. When I refer to 'level of HA', I mean that having a glitch in the connectivity is not as critical given the fact it is a home environment. 'Short glitch then connectivity' is >>>>> 'no connectivity'.
    In technical terms:

    • DHCP Server function needs redundancy on the LAN side
• NAT translations do not need to be synced and technically could not be, given the configuration

Then I started thinking about how to leverage the public IP B assigned to pfsense2 for servers in a DMZ-like setup. Mainly setting up a reverse proxy with LetsEncrypt on that public IP B.

    With all the magic (as I do not fully understand how it works) of synchronization, I am not sure whether I can even have the DMZ interface only existing on pfsense2 as shown below:
[image: pfsense-home-setup-one dmz interface.png]

Since the synchronization has multiple options, I am not entirely sure whether it is just a matter of selecting a subset of them. My experience has always been with fully redundant setups with CARP up- and downstream of the firewalls and full synchronization.


    My questions:

    • is it correct to say that if I do not have a symmetrical configuration, I can just uncheck the box in the sync options to get the rest working?
    • could the secondary firewall act as a secondary for the LAN and just a standard gateway for the DMZ? (I know it should from a routing perspective however with the layer of sync, I am not fully clear on the restrictions)


  • LAYER 8 Netgate

    HA is completely incompatible with dynamic addressing such as DHCP.

    If it is worth setting up HA, it is worth doing right.

    You want a /29 from the provider.
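The reason behind the reply above is that a CARP virtual IP is only reachable when it sits in the same on-link subnet as both nodes' own WAN addresses; two DHCP leases handed out from different subnets give the nodes nothing in common to share, whereas a static /29 leaves room for a gateway, two node addresses and a shared VIP. The script below is an added illustration, not code from the thread or from pfSense; the addresses in it are constructed documentation-range values, and the assumption that the first usable host of the /29 is the ISP gateway is a convention, not something the thread states.

```python
import ipaddress


def carp_vip_feasible(wan1: str, wan2: str, vip: str) -> bool:
    """Return True when both node WAN addresses and the CARP VIP share one on-link subnet.

    CARP advertises the VIP from whichever node is MASTER, so the provider
    must be able to reach the VIP through the same subnet as either node.
    wan1/wan2 are given with their prefix (e.g. '192.0.2.10/29').
    """
    net1 = ipaddress.ip_interface(wan1).network
    net2 = ipaddress.ip_interface(wan2).network
    vip_addr = ipaddress.ip_address(vip)
    return net1 == net2 and vip_addr in net1


def plan_static_slash29(block: str) -> dict:
    """Carve a static /29 into the roles an HA pair needs (constructed layout).

    A /29 has six usable hosts. Assumption: the first usable host is the ISP
    gateway; the next three become node 1 WAN, node 2 WAN and the CARP VIP;
    the rest are spare for additional VIPs (e.g. a DMZ reverse proxy).
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 29:
        raise ValueError("expected a /29, got /%d" % net.prefixlen)
    hosts = list(net.hosts())
    return {
        "isp_gateway": str(hosts[0]),
        "pfsense1_wan": str(hosts[1]),
        "pfsense2_wan": str(hosts[2]),
        "carp_vip": str(hosts[3]),
        "spare": [str(h) for h in hosts[4:]],
    }


if __name__ == "__main__":
    # Constructed bridge-mode scenario: two DHCP leases from unrelated subnets.
    print(carp_vip_feasible("203.0.113.10/24", "198.51.100.20/24", "203.0.113.50"))
    # Constructed static /29 scenario: everything lives in one subnet.
    plan = plan_static_slash29("192.0.2.8/29")
    print(plan)
    print(carp_vip_feasible(plan["pfsense1_wan"] + "/29", plan["pfsense2_wan"] + "/29", plan["carp_vip"]))
```

Run as-is: the DHCP case reports that no VIP can be shared, while the /29 case yields an address plan in which the two nodes and the VIP are all on-link together.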

  • I understand you may have a lot of support questions but would you mind answering my actual questions at the bottom if possible?
