I'm told only Cisco can do this.....

  • We are bidding on a network and the customer wants :

    A.: HA at a main office site
    B: Main site will also need dual WAN with failover as well as HA.

    With the right boxes can PFSense do this? We are willing to pay to have them setup and to be trained on maintenance on the routers. We will also have 10 other locations that will need Dual WAN with failover routers as well. I am coming into this late but there might even be a VPN connection between the remote sites and the main office.

    Thanks for any help in this

  • LAYER 8 Netgate

    As long as both WANs are CARP-compatible (at least three public addresses and no layer 2 shenanigans. Pretty much the same criteria for Ciscos.) it should be fine.

    Try it in the lab. Unlike Cisco it don't cost nothin'.


  • LAYER 8 Moderator

    As long as the IP side is covered like @Derelict said, I see no big problems with having a HA-setup (aka cluster) and Dual WAN. Have multiple customers running such a setup on their main-office/headquarter site and having VPN tunnels to their branch offices (mostly single boxes but some of them clusters, too). Unlike Cisco though, with the right hardware and a bit of architecture and ahead-thinking (and dual WAN setups), one can also make them use failover VPN tunnels or even load balancing over VPN tunnels (with e.g. OpenVPN & OSPF).

    So I'm with @Derelict in "try in a lab" - or consult a pfSense partner or the Netgate team with details to help you get a feel (and pricepoint).

  • Thanks Guys I appreciate your remarks!! I will give the "Try it in the lab" if I can get enough hardware :)

    Have a great weekend!

  • LAYER 8 Rebel Alliance

    You don't need much hardware, for some lab experience a virtualized pfSense environment should do fine.


  • @edlentz I have two pfSense boxes running CARP HA with two ISPs, so I can guarantee it's possible. We also have two core switches behind them and two LAN interfaces configured as a failover LAGG, so either switch can fail in the setup, too. You need lots of interfaces, though. We have five physical NICs in use. (One for each ISP, one coming out the back for each switch, and one interface each for the SYNC interface.) We segment the traffic with VLANs, so each cluster member has nine different addresses.

    You can do some wonderfully complicated, yet extremely functional things with pfSense.

  • LAYER 8 Moderator

    @cmhddti said in I'm told only Cisco can do this.....:

    You need lots of interfaces, though.

    Or ~2-3 normal Gigabit links for WAN1/2/Sync
    1-2 10G links so you run all your local networks as VLANs ;) That way you're down to ~4-5 interfaces (sync could run as VLAN, too).


  • Thanks guys I am a believer now. I have been reading the manual. Do you guys DIY your boxes or do you buy prebuilt?

  • LAYER 8 Global Moderator

    I sure wouldn't put some DIY box into a customer location.. Buy actual Netgate appliance..

    They have a range of price points that should allow you to fill any need for performance at your budget.

    Could be cheap as sg1100, or a pair of them for HA ;) Or something as high end as XG-1541-HA, and if you really need to push packets.. Don't forget the new TNSR options.

    There is one thing if you doing it in your home, or your "own" location... Its another when you going to rack it one of your customers locations.

  • Yeah I wasn't planning on a DIY for my customer. Just asking. Off topic question. Intitially I did a search for pfSense and there were some Ubiquiti links in the search response. Does Ubiquiti use pfSense in some manner?

  • LAYER 8 Global Moderator

    No unifi doesn't use pfsense, but many fans of pfsense use unifi AP.. Since the wireless support in freebsd, and therefore pfsense is some what lacking... Unifi AP are a good option for adding wireless to your network..

    You will find talk of unifi AP here on pfsense, and as well many mentions of pfsense over on the unifi forums...

  • I have installed a few of the Unifi APs and really like their setup and price point. AND the fact that they just work is good also. We have used simpleWAN routers in the past and growing tired of the licensing and the fees involved. The Unifi clould key is something we are looking into. Is there a similar device or method for setting up a pfSense box and managing it from the cloud?

  • LAYER 8 Global Moderator

    While in the past there has been talk of "central" management sort of stuff... Have not seen anything mentioned about it or even hinted at recently that I recall..

    The cloud backup feature is somewhat recent addition... So you never know what great surprises the netgate/pfsense team has in the works..

  • I just was on reddit and was reading about the central management or the lack thereof. The cloud backup is a great idea. I am sure it will come, it seems evertyhing is in the cloud these days anyway. I am also sure it isn't an easy thing to accomplish.

  • LAYER 8 Rebel Alliance

    No need of any cloud crap is one if the big points why I use/love pfSense. ;-)


  • LAYER 8 Global Moderator

    To be honest I see little reason for "cloud" management of your firewalls. There are a bajillion other things they could be working on vs adding cloud management that is for damn sure ;)

  • LAYER 8 Moderator

    Remote/on premise management is a big thing with network equipment. It's not only the shiny boxes and high price tags that make Cisco and Co shine. I had a client that'd loved to run pfSense but lack of central management was a no go. With >100 "borders" where they'd have to deploy border gateways running every one of them standalone is simply not possible (also sharing/backing up configurations and deploying multiples of one).

    But as TNSR does have the management capabilities I'm hopeful that going forward after 2.5 there'll be some progress on that front. insert wishful thinking here ;)

  • LAYER 8 Rebel Alliance

    Yep I'd like to see central management for my pfSense boxes too.
    But self hosted, not somewhere in the Internet aka Cloud.
    So you have all this fancy stuff with HA, MultiWAN and so on...unable to control anything because the central portal is down? Only marketing guys can think of this shit putting Firewall management in the Cloud. 😂


Log in to reply