Netgate Discussion Forum

    I'm told only Cisco can do this.....

Category: HA/CARP/VIPs
    18 Posts 6 Posters 1.5k Views
edlentz:

We are bidding on a network and the customer wants:

A: HA at a main office site
B: Main site will also need dual WAN with failover as well as HA.

With the right boxes, can pfSense do this? We are willing to pay to have them set up and to be trained on maintenance of the routers. We will also have 10 other locations that will need dual WAN with failover routers as well. I am coming into this late, but there might even be a VPN connection between the remote sites and the main office.

      Thanks for any help in this

Derelict (LAYER 8, Netgate):

As long as both WANs are CARP-compatible (at least three public addresses and no layer 2 shenanigans; pretty much the same criteria as for Ciscos), it should be fine.

        Try it in the lab. Unlike Cisco it don't cost nothin'.

        https://www.pfsense.org/download/

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

JeGr (LAYER 8, Moderator):

As long as the IP side is covered like @Derelict said, I see no big problems with having an HA setup (aka cluster) and dual WAN. I have multiple customers running such a setup at their main office/headquarters site, with VPN tunnels to their branch offices (mostly single boxes, but some of them clusters, too). Unlike Cisco, though, with the right hardware, a bit of architecture and thinking ahead (and dual WAN setups), one can also make them use failover VPN tunnels or even load balancing over VPN tunnels (with e.g. OpenVPN and OSPF).

          So I'm with @Derelict in "try in a lab" - or consult a pfSense partner or the Netgate team with details to help you get a feel (and pricepoint).

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

edlentz:

Thanks guys, I appreciate your remarks!! I will give "try it in the lab" a go if I can get enough hardware :)

            Have a great weekend!

Rico (LAYER 8, Rebel Alliance):

              You don't need much hardware, for some lab experience a virtualized pfSense environment should do fine.

              -Rico

cmhddti (replying to @edlentz):

@edlentz I have two pfSense boxes running CARP HA with two ISPs, so I can guarantee it's possible. We also have two core switches behind them and two LAN interfaces configured as a failover LAGG, so either switch can fail in the setup, too. You need lots of interfaces, though. We have five physical NICs in use (one for each ISP, one coming out the back for each switch, and one for the SYNC interface). We segment the traffic with VLANs, so each cluster member has nine different addresses.

                You can do some wonderfully complicated, yet extremely functional things with pfSense.

JeGr (LAYER 8, Moderator):

                  @cmhddti said in I'm told only Cisco can do this.....:

                  You need lots of interfaces, though.

Or:
• ~2-3 normal Gigabit links for WAN1/2/Sync
• 1-2 10G links so you run all your local networks as VLANs ;)
That way you're down to ~4-5 interfaces (sync could run as a VLAN, too).

😁


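Derelict's "at least three public addresses" criterion and the interface budgeting that cmhddti and JeGr discuss can be checked on paper before any hardware is bought. The script below is an added example written for this page, not code from the thread, from Netgate or from pfSense. It encodes the rule that every CARP-capable WAN needs one address per node plus the shared VIP, all in one subnet, together with two FreeBSD CARP rules (VHIDs are unique per broadcast domain, and the backup node advertises with a higher advskew than the primary), and it counts the physical ports a VLAN-trunked layout needs per node. The interface names (igb0, igb1, igb2, ix0.10 and so on), the VHIDs and every address are constructed sample data, not taken from any poster's setup.

```python
"""Sanity-check a pfSense CARP / dual-WAN addressing plan.

Added example for this thread, not code from the forum or from pfSense.
It encodes the criterion from the thread (each CARP-capable WAN needs
one address per node plus the shared VIP, all in one subnet, with a
working layer 2 between the nodes) and two FreeBSD CARP rules: VHIDs
are unique per broadcast domain and the backup node advertises with a
higher advskew than the primary. Every address, VHID and interface
name below is constructed sample data (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class CarpSegment:
    name: str               # label, e.g. "WAN1"
    parent: str             # NIC or VLAN the VIP lives on, e.g. "igb0" or "ix0.20"
    primary: str            # node A address, CIDR notation
    secondary: str          # node B address, CIDR notation
    vip: str                # shared CARP VIP, CIDR notation
    vhid: int
    advskew_primary: int = 0
    advskew_secondary: int = 100   # pfSense's default skew for the backup node


def check_segment(seg: CarpSegment) -> list[str]:
    """Return the problems with one CARP segment (empty list if it is fine)."""
    problems = []
    p, s, v = (ip_interface(a) for a in (seg.primary, seg.secondary, seg.vip))
    net = p.network
    if s.network != net or v.network != net:
        problems.append(f"{seg.name}: node A, node B and VIP must be in one subnet")
    if len({p.ip, s.ip, v.ip}) != 3:
        problems.append(f"{seg.name}: node A, node B and VIP must be three distinct addresses")
    for a in (p, s, v):
        if a.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{seg.name}: {a.ip} is the network or broadcast address of {net}")
    if net.version == 4 and net.num_addresses - 2 < 3:
        # The classic failure: the ISP hands out a /30, which fits one router, not a pair.
        problems.append(f"{seg.name}: {net} has fewer than three usable addresses; ask for a /29 or larger")
    if not 1 <= seg.vhid <= 255:
        problems.append(f"{seg.name}: VHID {seg.vhid} is outside 1-255")
    if seg.advskew_primary >= seg.advskew_secondary:
        problems.append(f"{seg.name}: backup advskew must be higher than the primary's")
    return problems


def check_plan(segments: list[CarpSegment]) -> list[str]:
    """Check every segment, then enforce VHID uniqueness per broadcast domain."""
    problems = [p for seg in segments for p in check_segment(seg)]
    seen: dict = {}
    for seg in segments:
        key = (seg.parent, seg.vhid)
        if key in seen:
            problems.append(f"{seg.name}: VHID {seg.vhid} already used by {seen[key]} on {seg.parent}")
        seen[key] = seg.name
    return problems


def physical_nics(segments: list[CarpSegment], sync_parent: str) -> set[str]:
    """Physical ports each node needs; VLAN children such as ix0.20 fold into their parent ix0."""
    return {seg.parent.split(".")[0] for seg in segments} | {sync_parent.split(".")[0]}


# Constructed sample: both WANs on their own NICs, the LAN networks as VLANs on
# one 10G trunk (ix0), and a dedicated SYNC port (igb2).
PLAN = [
    CarpSegment("WAN1", "igb0", "198.51.100.2/29", "198.51.100.3/29", "198.51.100.4/29", vhid=1),
    CarpSegment("WAN2", "igb1", "203.0.113.2/29", "203.0.113.3/29", "203.0.113.4/29", vhid=2),
    CarpSegment("LAN", "ix0.10", "10.10.0.2/24", "10.10.0.3/24", "10.10.0.1/24", vhid=10),
    CarpSegment("VOICE", "ix0.20", "10.20.0.2/24", "10.20.0.3/24", "10.20.0.1/24", vhid=20),
    CarpSegment("GUEST", "ix0.30", "10.30.0.2/24", "10.30.0.3/24", "10.30.0.1/24", vhid=30),
]
SYNC = "igb2"

# Constructed sample of two classic mistakes: a /30 from the ISP, and a second
# VIP on the same VLAN that reuses the first one's VHID.
BAD_PLAN = [
    CarpSegment("WAN1", "igb0", "198.51.100.1/30", "198.51.100.2/30", "198.51.100.3/30", vhid=1),
    CarpSegment("LAN", "ix0.10", "10.10.0.2/24", "10.10.0.3/24", "10.10.0.1/24", vhid=10),
    CarpSegment("LAN-alias", "ix0.10", "10.10.0.2/24", "10.10.0.3/24", "10.10.0.5/24", vhid=10),
]

if __name__ == "__main__":
    for label, plan in (("good", PLAN), ("bad", BAD_PLAN)):
        print(f"{label} plan: {len(physical_nics(plan, SYNC))} physical NICs per node")
        for problem in check_plan(plan) or ["no problems found"]:
            print("  " + problem)
```

The good plan comes out clean and needs four physical ports per node (two WAN NICs, the 10G trunk, and SYNC), which is the consolidation JeGr describes; the bad plan reports the /30 twice (one address is the broadcast address, and the block cannot hold two nodes plus a VIP) and flags the reused VHID. The script cannot tell you whether the ISP does something at layer 2 that breaks CARP's multicast advertisements; that part still has to be tested in the lab.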
edlentz:

                    Thanks guys I am a believer now. I have been reading the manual. Do you guys DIY your boxes or do you buy prebuilt?

johnpoz (LAYER 8, Global Moderator):

I sure wouldn't put some DIY box into a customer location. Buy an actual Netgate appliance.

They have a range of price points that should allow you to fill any need for performance at your budget.

It could be as cheap as an SG-1100, or a pair of them for HA ;) Or something as high end as an XG-1541-HA, and if you really need to push packets, don't forget the new TNSR options.

It's one thing if you're doing it in your home or your "own" location; it's another when you're going to rack it in one of your customers' locations.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

edlentz:

Yeah, I wasn't planning on a DIY box for my customer, just asking. Off-topic question: initially I did a search for pfSense and there were some Ubiquiti links in the search results. Does Ubiquiti use pfSense in some manner?

johnpoz (LAYER 8, Global Moderator):

No, UniFi doesn't use pfSense, but many fans of pfSense use UniFi APs. Since the wireless support in FreeBSD, and therefore in pfSense, is somewhat lacking, UniFi APs are a good option for adding wireless to your network.

You will find talk of UniFi APs here on the pfSense forum, as well as many mentions of pfSense over on the UniFi forums.


edlentz:

I have installed a few of the UniFi APs and really like their setup and price point, and the fact that they just work is good also. We have used SimpleWAN routers in the past and are growing tired of the licensing and the fees involved. The UniFi Cloud Key is something we are looking into. Is there a similar device or method for setting up a pfSense box and managing it from the cloud?

johnpoz (LAYER 8, Global Moderator):

While in the past there has been talk of "central" management sort of stuff, I have not seen anything mentioned about it, or even hinted at, recently that I recall.

The cloud backup feature is a somewhat recent addition, so you never know what great surprises the Netgate/pfSense team has in the works.


edlentz:

I was just on Reddit reading about the central management, or the lack thereof. The cloud backup is a great idea. I am sure it will come; it seems everything is in the cloud these days anyway. I am also sure it isn't an easy thing to accomplish.

Rico (LAYER 8, Rebel Alliance):

No need for any cloud crap is one of the big points why I use/love pfSense. ;-)

                                  -Rico

johnpoz (LAYER 8, Global Moderator):

                                    To be honest I see little reason for "cloud" management of your firewalls. There are a bajillion other things they could be working on vs adding cloud management that is for damn sure ;)


JeGr (LAYER 8, Moderator):

Remote/on-premise management is a big thing with network equipment. It's not only the shiny boxes and high price tags that make Cisco and Co. shine. I had a client that would have loved to run pfSense, but the lack of central management was a no-go. With >100 "borders" where they'd have to deploy border gateways, running every one of them standalone is simply not possible (the same goes for sharing/backing up configurations and deploying multiples of one).

But as TNSR does have the management capabilities, I'm hopeful that going forward after 2.5 there'll be some progress on that front. Insert wishful thinking here ;)


Rico (LAYER 8, Rebel Alliance):

Yep, I'd like to see central management for my pfSense boxes too.
But self-hosted, not somewhere on the Internet, aka the Cloud.
So you have all this fancy stuff with HA, MultiWAN and so on... and are unable to control anything because the central portal is down? Only marketing guys can think of this shit, putting firewall management in the Cloud. 😂

                                        -Rico

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.