Netgate Discussion Forum
    HA setup with two WANs and only one pfSense per WAN

    Category: HA/CARP/VIPs
    Avatat:

      Hello pfSense Community!
      I have a single network in two locations, where each location has one WAN connection (two different ISPs).
      One WAN is faster and should be the "master", while the second one is slower and should be used as a backup only.
      My plan is to put one pfSense at the first location and one pfSense at the second location, connect them at L2 (with redundant switches), and use CARP to provide WAN fallback:
      [image: Untitled Diagram.png]

      My question is, what is the best/simplest way to automatically disable VIP/CARP on "the faster" pfSense when it loses its connection to the Internet?
      I thought about writing a simple daemon which will periodically check Internet availability and trigger enablecarpmaint and disablecarpmaint when needed.

      Derelict (Netgate):
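      A sketch of the watchdog Avatat describes, added here as an illustration; it is not code from the thread or from pfSense, and Derelict's reply notes that this configuration is unsupported (pfSense's own gateway monitoring already tracks WAN health), so read it as a demonstration of the check-and-hysteresis logic. The probe targets, thresholds and the pfSsh.php playback invocation are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: poll Internet reachability and move this node's
# CARP VIPs into/out of maintenance mode (Avatat's daemon). Targets, thresholds and
# the pfSsh.php playback invocation are assumptions, not pfSense defaults.
TARGETS="${TARGETS:-1.1.1.1 9.9.9.9}"  # probe more than one host: a dead host is not an outage
INTERVAL="${INTERVAL:-10}"              # seconds between polls
FAIL_LIMIT="${FAIL_LIMIT:-3}"           # consecutive failed polls before entering maintenance
OK_LIMIT="${OK_LIMIT:-6}"               # consecutive good polls before leaving it (hysteresis)
PFSSH="${PFSSH:-/usr/local/sbin/pfSsh.php}"

# Probe: succeeds if any target answers one ping within 2 s (FreeBSD ping: -W is in ms).
wan_reachable() {
    for t in $TARGETS; do
        ping -c 1 -W 2000 "$t" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Pure decision logic, kept separate so it can be tested without pinging anything.
# Args: state(active|maint) fails oks probe_ok(1|0). Prints "new_state fails oks".
next_state() {
    ns=$1; nf=$2; nk=$3
    if [ "$4" -eq 1 ]; then nf=0; nk=$((nk + 1)); else nk=0; nf=$((nf + 1)); fi
    case "$ns" in
        active) [ "$nf" -ge "$FAIL_LIMIT" ] && ns=maint ;;   # WAN gone: let the peer take the VIPs
        maint)  [ "$nk" -ge "$OK_LIMIT" ] && ns=active ;;    # WAN stable again: take them back
    esac
    echo "$ns $nf $nk"
}
# Enter or leave CARP maintenance mode with the playback scripts the post names.
apply_state() {
    case "$1" in
        maint)  "$PFSSH" playback enablecarpmaint ;;
        active) "$PFSSH" playback disablecarpmaint ;;
    esac
    logger -t wan-carp-watch "CARP maintenance mode -> $1"
}

main_loop() {
    state=active; fails=0; oks=0
    while :; do
        if wan_reachable; then ok=1; else ok=0; fi
        set -- $(next_state "$state" "$fails" "$oks" "$ok")
        [ "$1" != "$state" ] && apply_state "$1"
        state=$1; fails=$2; oks=$3
        sleep "$INTERVAL"
    done
}
if [ "${1:-}" = run ]; then main_loop; fi  # polls only when run as "sh wan-carp-watch.sh run"
```

      The asymmetric thresholds matter: a WAN that flaps every few seconds would otherwise bounce the VIPs between the two nodes on every poll.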

        That is an unsupported configuration. A supported configuration would be two WANs, each with a /29 interface subnet or better, with both configured on each node.

        And you don't want bridges to your switches. You want LACP to a switch stack.

        > what is the best/simplest way to automatically disable VIP/CARP on "the faster" pfSense when it loses its connection to the Internet?

        HA is not designed to swing traffic in response to a multi-WAN event. Only a router failure or a link down event.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Avatat:

          Thank you for your answer!
          I have to use a bridge because I don't have a switch stack, and sw-01-a and sw-01-b are simple L2 managed switches in two different locations. I have to rely on STP.

          I know the "official way" to do a similar setup: https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html#figure-diagram-of-multi-wan-ha-with-dmz, but I don't have a /29 WAN subnet or the red connections:
          [image: pfsense_ha.png]

          Can I ask you for a suggestion on how to solve it in a better way?

          Derelict (Netgate):

            The best way to do an HA deployment is to invest in the gear necessary to build it correctly. Bridging like that is generally incompatible with pfSense HA.

            https://docs.netgate.com/pfsense/en/latest/highavailability/layer-2-redundancy.html

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.