4. Is some level of HA possible with two different public IP addresses

Is some level of HA possible with two different public IP addresses

  • B

    Hi all,

    Here is a summary of the setup I am trying to leverage:
    0_1533837244229_pfsense-home-setup.png

    As illustrated, my ISP can provide two public IPv4 addressed in different subnets if it is configured in bridge mode and I attached two different devices downstream configured as DHCP clients.

    Based on the two public IP addresses I get on each pfsense, I was wondering the level of HA I could pretend achieving.
    My main point is to have a CARP gateway for the clients on the green LAN so that, whenever I have to do maintenance, I can take pfsense1 down and clients can connect to the internet through pfsense2. When I refer to 'level of HA', I mean that having a glitch in the connectivity is not as critical given the fact it is a home environment. 'Short glitch then connectivity' is >>>>> 'no connectivity'.
    In technical terms:

    • DHCP Server function needs redundancy on the LAN side
    • NAT translations do not need to be sync'ed and technically could not given the configuration

    Then I started thinking about how to leverage the public IP B assigned to pfsense2 for servers in a DMZ like. Mainly setting up a reverse proxy with LetsEncrypt on that Public IP B.

    With all the magic (as I do not fully understand how it works) of synchronization, I am not sure whether I can even have the DMZ interface only existing on pfsense2 as shown below:
    0_1533837790976_pfsense-home-setup-one dmz interface.png

    Since the synchronization has multiple options, I am not entirely whether it is just a matter of selecting a subset of them. My experience has always been with fully redundant setup with CARP up and downstream of the firewalls and full synchronization.

    0_1533840636196_pfsense-xml-options.png

    My questions:

    • is it correct to say that if I do not have a symmetrical configuration, I can just uncheck the box in the sync options to get the rest working?
    • could the secondary firewall act as a secondary for the LAN and just a standard gateway for the DMZ? (I know it should from a routing perspective however with the layer of sync, I am not fully clear on the restrictions)

    Thanks.

    0
  • Netgate

    HA is completely incompatible with dynamic addressing such as DHCP.

    If it is worth setting up HA, it is worth doing right.

    You want a /29 from the provider.

    0
  • B

    I understand you may have a lot of support questions but would you mind answering my actual questions at the bottom if possible?

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy