Netgate Discussion Forum

    HA Cluster and cellular failover

    HA/CARP/VIPs
    5 Posts 2 Posters 1.2k Views
    • john-l

      Hello all,

      I'm in the planning phase of a system where resilience is required for internet as it will be mission critical. I wondered if an HA Cluster and cellular failover are possible.

      The idea would be like the following diagram with either one cellular modem on the primary firewall or a cellular modem on both firewalls.
      https://docs.netgate.com/pfsense/en/latest/book/highavailability/layer-2-redundancy.html

      But is it possible to set up an HA Cluster with cellular failover?

      This is probably obvious but for the sake of clarity, the WAN IP Address Assignments would change when using the backup cellular connection. Also, the cellular connection would not meet the prerequisites for an HA Cluster, namely in terms of WAN IP Address Assignments.

      So I guess, it would boil down to telling a firewall that if the WAN goes down, stop using the HA configuration and then use cellular modem for internet.

      If an HA Cluster with cellular failover is possible, could there be a cellular modem on both the primary and secondary firewall? Or to put it more confusingly, is failover possible for cellular failover? If it is possible, is it advisable? As I would imagine that for it to achieve automatic failover it would boil down to, if WAN goes down, stop using HA configuration and use cellular modem on primary firewall for internet. If internet is down on the cellular modem on the primary firewall then use the cellular modem on secondary firewall.

      Given that the area in question only has one reliable telco, so only cellular (LTE) for backup, if an HA Cluster with cellular failover is not possible, what would be more resilient, an HA Cluster or a single firewall with cellular backup? I imagine this boils down to what is more reliable, internet or the hardware. In my experience the hardware is more reliable but I'd still be interested in having your feedback.

      Thanks for any advice or answers.

      • Rico LAYER 8 Rebel Alliance

        It should be no problem to use an LTE router between both nodes in RFC1918 address space to work around the IP problem (Primary firewall WAN, Secondary firewall WAN, Shared CARP VIP).
        Generally speaking, using RFC1918 on WAN is not ideal but works. ;-)
        But be careful if you want to put public services on this LTE; at least in Germany this is not working out of the box, as they almost always use Carrier-grade NAT.

        -Rico

        • john-l

          Perfect!

          Thanks, very much appreciated. That will fit my needs very nicely.

          Out of curiosity, can you recommend any particular model of cellular modem allowing for custom NAT?

          • Rico LAYER 8 Rebel Alliance

            AVM FRITZ!Box 6890 LTE.
            You can replace the stock antennas with a roof mount. :-)

            -Rico

            • john-l

              Brilliant! Thank you very much!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.