HA with single WAN IP, hard to find solid info

  • Hi, I've decided to run pf on a VM inside Unraid. I have two Unraid boxes, and want to set up HA for fun and for spousal happiness when one Unraid box goes down, but I only have a single WAN IP (dynamic) from my ISP. I understand that HA requires two IPs, and I read somewhere (wish I could find the link) that a router between the modem and the two HA machines could be used to assign two real IP addresses. I realize this is a single point of failure, but I'm OK with it - my house is not mission critical.

    Assuming my logic is sound - would I simply disable the firewall on the router in front of the pfSense boxes, and keep DHCP running (but set up static assignments)? Anything else that I should turn off? I'm using an Asus RT-N12 I had lying around for this - don't need much power in it, and my internet speed is less than 100 Mbps and will be for the foreseeable future. The ASUS router would have the address, the DHCP assignments to the two pfSense boxes would be, and pfSense assigns in the 192.168.13.x and 192.168.14.x ranges.

    I'm good with the sync interfaces running through dedicated NICs on each box through a dedicated physical switch - it's the access to internet that's messed with my mind a bit.

    Thoughts, please?


  •

    Drew a pic to see if I got it OK... ??

    Also found this guide: https://www.slideshare.net/NetgateUSA/high-availability-pfsense-hangout-june-2015 Is it still valid?

    I have an identical 4-port Intel NIC in each Unraid box, with all ports passed through to the VM - 3 ports for this, plus a 4th on CARP for the guest network access point(s), which I didn't draw.

  • Figured I would update with what I came up with. It works perfectly, including immediate fail-over on both the LAN and GUEST networks (but OpenVPN does not fail over). I hope this helps someone else with their single-WAN setup.

    I should note that the ISP modem and first router are a single point of failure, but the router is basically doing nothing except DMZ to the WAN CARP, so I'm not really concerned. It's accessible through its own WiFi for if/when I need to get in.
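The layout the last post settles on (upstream router hands each pfSense WAN a static lease in its own subnet, both nodes share a CARP VIP in that subnet, and the router's DMZ host points at the VIP) is easy to get subtly wrong: the VIP landing inside the router's dynamic DHCP pool, the DMZ aimed at one node's own address instead of the VIP, or an inside subnet overlapping the router's subnet behind the double NAT. The script below is an added example, not code from the post or from pfSense, that checks a plan for those mistakes. Every address in it is an assumption; the post does not give the actual values, only the 192.168.13.x and 192.168.14.x inside ranges.

```python
"""Sanity-check an address plan for two pfSense nodes in CARP HA behind a
single-IP home router (double NAT, router DMZ -> WAN CARP VIP).

Added example; the addresses are constructed assumptions, not from the post.
"""
import ipaddress

# Constructed sample plan (assumed values; the post only gives the inside ranges).
PLAN = {
    "upstream_lan": "192.168.1.0/24",                 # router's LAN subnet (assumed)
    "upstream_gateway": "192.168.1.1",                # router's LAN address (assumed)
    "upstream_dhcp_pool": ("192.168.1.100", "192.168.1.199"),  # dynamic pool (assumed)
    "wan_node_a": "192.168.1.2",                      # static lease for pfSense #1 WAN
    "wan_node_b": "192.168.1.3",                      # static lease for pfSense #2 WAN
    "wan_carp_vip": "192.168.1.4",                    # shared CARP VIP on WAN
    "dmz_host": "192.168.1.4",                        # what the router's DMZ points at
    "inside_subnets": ["192.168.13.0/24", "192.168.14.0/24"],  # LAN and GUEST, from post
}


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    wan_net = ipaddress.ip_network(plan["upstream_lan"])
    gw = ipaddress.ip_address(plan["upstream_gateway"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in plan["upstream_dhcp_pool"])
    wan_addrs = {k: ipaddress.ip_address(plan[k])
                 for k in ("wan_node_a", "wan_node_b", "wan_carp_vip")}

    # Both node WANs, the VIP and the gateway must all live in the router's subnet.
    for name, addr in list(wan_addrs.items()) + [("upstream_gateway", gw)]:
        if addr not in wan_net:
            problems.append(f"{name} {addr} is not inside {wan_net}")

    # Two node addresses + VIP + gateway: four distinct addresses are required.
    if len(set(wan_addrs.values()) | {gw}) != 4:
        problems.append("node A, node B, CARP VIP and gateway are not all distinct")

    # Static leases and the VIP must sit outside the router's dynamic pool,
    # otherwise a dynamic lease to some other client can collide with them.
    for name, addr in wan_addrs.items():
        if pool_lo <= addr <= pool_hi:
            problems.append(f"{name} {addr} lies inside DHCP pool {pool_lo}-{pool_hi}")

    # Inbound traffic must be forwarded to the VIP; pointing the DMZ at one
    # node's own address ties inbound service to that node and defeats failover.
    if ipaddress.ip_address(plan["dmz_host"]) != wan_addrs["wan_carp_vip"]:
        problems.append("router DMZ host must be the CARP VIP, not a node's own WAN address")

    # Double NAT: inside subnets must not overlap the upstream subnet or each other.
    inside = [ipaddress.ip_network(s) for s in plan["inside_subnets"]]
    for i, net in enumerate(inside):
        if net.overlaps(wan_net):
            problems.append(f"inside subnet {net} overlaps upstream subnet {wan_net}")
        for other in inside[i + 1:]:
            if net.overlaps(other):
                problems.append(f"inside subnets {net} and {other} overlap")
    return problems


def reservation_lines(plan):
    """Static leases the upstream router needs; MACs are placeholders to fill in."""
    return [
        f"pfSense-A WAN  MAC <fill in>  -> {plan['wan_node_a']}",
        f"pfSense-B WAN  MAC <fill in>  -> {plan['wan_node_b']}",
        f"DMZ host                      -> {plan['wan_carp_vip']} (CARP VIP, no lease needed)",
    ]


if __name__ == "__main__":
    issues = check_plan(PLAN)
    print("\n".join(reservation_lines(PLAN)))
    print("OK" if not issues else "\n".join("PROBLEM: " + p for p in issues))
```

Run it against your own values before touching the routers; the VIP itself is never leased by DHCP (CARP owns it), which is why only the two node addresses appear as reservations.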

