2 x Wan, 2 x PFSense, 2 x Switches…Is this possible?

  • Hi Guys,

    I am looking for a fully redundant pfsense solution. Hopefully the diagram will do all the talking!

    Basically we want redundancy all the way down to the NICs, the system will have multiple VLANs, (15+), two WAN feeds, 2 x 2950 switches and 2 x PFSense systems.

    The NICs will use bonding and teaming (for a bunch of Linux and Windows servers) across the two switches, and I am hoping to use lagg( ???) to trunk the 6 firewall ports to each switch.

    Now ideally I would want active-active clustering of the firewalls to provide some sort of load balancing across the network, but as far as I know this is not possible?

    I hope to start testing tomorrow, but I would really appreciate any input from the community on how to achieve this  :D.

  • The diagram is sound. That's nearly identical to how I have configured similar deployments for some of our support customers. At a glance, looks good.

    lagg support is only in 2.0. It could be back ported if you're so inclined, or we'd be glad to do so for a price. Email me if you're interested (cmb at pfsense dot org).

    What I've done to make up for lack of port bonding on 1.2.x is just have one firewall plugged into each switch, which leaves you with nearly the same redundancy. If you want to go all the way with lagg though, that can be accomplished.

  • Hi CMB,

    Thanks for the reply, but surely lagg can be achieved from a kernel level? PFSense will just see 1 LAN interface, and the kernel can deal with the bonding and 802.3ad?

    I really don't have a lot of money to spend on this project, but I will email you for sure if I end up chasing my tail. I have two DL360s arriving tomorrow for the pfsense boxes, should be able to start testing then.

    Just thinking out loud…if I do manage to get lagg working on a kernel level, would it be possible to connect 3 NICs to switch 1 and the remaining 3 to switch 2 and vice-versa for the second firewall? Obviously the VLANs and Etherchannels would need to be the same across the two switches but wouldn't that setup provide load balancing even with the firewalls being active-passive?

  • You'll have to make some minor code changes to be able to assign lagg interfaces. The creation and setup of lagg can be hacked in manually.
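    As an added illustration of the kernel-level lagg setup discussed above (example script, not code from the thread or from the pfSense project): FreeBSD's lagg(4) can aggregate member NICs with 802.3ad/LACP and vlan(4) interfaces can then be stacked on the trunk, which is the "one LAN interface, kernel handles the bonding" picture the poster describes. The member NIC names (em0, em1, em2), the lagg name and the VLAN ids are constructed for the example. The script prints the plan by default and only executes it when APPLY=1, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Dry-run generator for a FreeBSD lagg (802.3ad/LACP) trunk carrying
# 802.1Q VLANs. Assumptions (constructed for this example): member NICs
# em0 em1 em2, VLAN ids 10 20 30, trunk name lagg0. Prints the ifconfig
# commands; set APPLY=1 to run them as root on a FreeBSD host.

LAGG_IF="${LAGG_IF:-lagg0}"

# lagg_commands <lagg_if> <member ifs...>
# Emits the commands that create one LACP aggregate from the given members.
lagg_commands() {
    lagg="$1"; shift
    ports=""
    for nic in "$@"; do
        # Members are brought up bare; addresses live on the lagg/vlans only.
        echo "ifconfig $nic up"
        ports="$ports laggport $nic"
    done
    echo "ifconfig $lagg create"
    echo "ifconfig $lagg laggproto lacp$ports up"
}

# vlan_commands <parent_if> <vlan ids...>
# Emits the commands that stack one vlan(4) interface per id on the trunk.
vlan_commands() {
    parent="$1"; shift
    for id in "$@"; do
        echo "ifconfig vlan$id create vlan $id vlandev $parent up"
    done
}

# run_or_print: execute each planned command only when APPLY=1,
# otherwise print it so the plan can be reviewed first.
run_or_print() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        else
            echo "$cmd"
        fi
    done
}

# Example plan: three NICs to one switch as a single trunk, three VLANs on it.
plan() {
    lagg_commands "$LAGG_IF" em0 em1 em2
    vlan_commands "$LAGG_IF" 10 20 30
}

plan | run_or_print
```

    Two caveats a practitioner would check before relying on this: the switch-side port-channel has to be configured as LACP (the "Etherchannels" the poster mentions) on both switches with identical VLAN membership, or the trunk will not form and the failover path is silently dead; and, as CMB says above, pfSense 1.2.x will not let you assign the resulting lagg0 from the GUI without code changes, so a lagg created this way must be re-created on every boot outside the GUI and verified with `ifconfig lagg0` (it should list each member as ACTIVE) before the firewall is trusted in production.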
