HA setup with two WANs and only one pfSense per WAN



  • Hello pfSense Community!
    I have a single network in two locations, where each location has one WAN connection (two different ISPs).
    One WAN is faster and should be a "master", while the second one is slower and should be used as backup only.
    My plan is to put one pfSense to the first location, one pfSense to the second location, connect them in L2 (with redundant switches), and use CARP to provide WAN fallback:
    Untitled Diagram.png

    My question is, what is the best/simplest way, to automaticaly disable VIP/CARP on "the faster" pfSense, when it loose connection to the Internet?
    I thought about writing a simple daemon, which will periodicaly check Internet availability, and trigger enablecarpmaint and disablecarpmaint when it is needed.


  • LAYER 8 Netgate

    That is an unsupported configuration. A supported configuration would be two WANs, each with a /29 interface subnet or better, with both configured on each node.

    And you don't wand bridges to your switches. You want LACP to a switch stack.

    what is the best/simplest way, to automaticaly disable VIP/CARP on "the faster" pfSense, when it loose connection to the Internet?

    HA is not designed to swing traffic in response to a multi-wan event. Only a router failure or a link down event.



  • Thank you for your answer!
    I have to use a bridge because I don't have a switch stack, and sw-01-a and sw-01-b are simple, L2 managed switches in two different locations. I have to rely on STP.

    I know the "official way", how to do a similar setup: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html#figure-diagram-of-multi-wan-ha-with-dmz, but I don't have /29 WAN subnet and red connections:
    pfsense_ha.png

    Can I ask you for a suggestion, how to solve it in a better way?


  • LAYER 8 Netgate

    The best way to do an HA deployment is it invest in the gear necessary to build it correctly. Bridging like that is generally incompatible with pfSense HA.

    https://docs.netgate.com/pfsense/en/latest/highavailability/layer-2-redundancy.html