Dual remote access on the same network (from 2 WAN)



  • I would like to create a failover access for a connecting a network (with IPMI Server interfaces). The devices on this network only have basic network configuration options (only one IP/Subnet, and only one configurable gateway, no static routes), so the IPMI is configured with the pfSense1 IP as the main gateway.

    WAN1 ------- pfSense1 ------- LAN (192.168.0.1)
                                                        |
                                                    Network_Switch ------ IPMI (192.168.0.10 (gateway set to 192.168.0.1)
                                                        |
    WAN2 ------- pfSense2 ------- LAN (192.168.0.2)

    The real connection is done through a VPN remote connection from WAN1 (and WAN2), so there are some additional subnets (VPN subnets)

    But in that configuration, the device cannot communicate with the WAN2 access, as it cannot find any "returning route" (the traffic is sent back through pfSense1 and not pfSense2). Please not that the returning route should also work in the case pfSense1 is temporarily down.

    I would say some workarounds would be :

    • having the VPN2 (through WAN2) user appear directly on the 192.168.0.0/24 network, so the "returning route" is not sent through the gateway (same network).
    • maybe having a configuration directly on the switch ?

    What is the best practice in that case ?



  • Hello there! May you elaborate more on your use case. the more details you post the more likely you will get a better response



  • Sorry, I thought it was pretty straight forward as I put a network diagram, but maybe not.

    Some additional information :

    • During normal operation, IPMI is talking through the gateway 192.168.0.1
    • The idea is keep IPMI able to be remotely connected even when the gateway 192.168.0.1 is dead / offline
    • IPMI can of course talk to pfsense2 (192.168.0.2) as it's on the same network
    • There is no way to add a static route on IPMI device (otherwise it should work by setting a route to the VPN subnet handled by pfsense2)

    Maybe a workaround could be having the VPN connection having an IP directly on the 192.168.0.X subnet ?



  • Hello there! But why did you suggest to use VPN? According to your setup you can use CARP for fail over and that still achieves your mentioned requirements. IPMI should use a virtual IP so that if one of your pfsense boxes fail the other one talks over. And under normal condition IPMI should use "192.168.0.1" or whatever gateway you would like it to use. Kindly let me know your thoughts about the suggestion.



  • Actually I was suggesting using VPN because it's the whay IPMI is accessed (it's a remote site), but it can be confusing.

    I never used CARP, so I did not think about it! So thank you, and I've read quickly about it, and if I understand well, for example :

    • pfSense1 would have a real interface IP 192.168.0.1, and a CARP Shared Virtual IP Address set to 192.168.0.254, with a skew set to 0
    • pfSense2 would have a real interface IP 192.168.0.2 and a CARP Shared Virtual IP Address set to 192.168.0.254, with a skew set to 100
    • The IPMI would be setup to use 192.168.0.254 as gateway
    • The traffic would by default be sent to the lower skew value interface (pfSense1 in that case)

    Correct ?

    This would be perfect for accessing IPMI through pfSense2 if pfSense1 fails, but would it also work to access through pfSense2 when pfSense1 is still online / working ? (does the CARP protocol knows to which gateway it should send the traffic back ?)



  • Yes! It can be accessed if you configure your routes and related settings the proper way. Usually running pfsense with CARP, both of the boxes will be "identical" in the required configuration. Thus, regardless of which pfsense box you are using, both of them are identical.