Need help with a 'stretch goal' on a firewall project
-
I've run pfSense for a while, set it up from internet videos without truly understanding much of what I was doing, and I'm trying to fix that. I would classify my network skills as lower-intermediate (I'm an IT professional, but on the software development side). Here's the goal I've set myself.
My ISP is CenturyLink, where I have a single static IP. Although I'm only a couple of years from retirement, to support working from home (and for ongoing education) I'm looking at a second ISP for redundancy (most likely with a dynamic IP). My current configuration uses transparent bridging into pfSense (running in a VM), which acts as a PPPoE endpoint. This works well and I'm able to use Let's Encrypt certificates with the ACME package.
My goal is to have dual ISPs into 2 VMs (on different hardware in a CARP configuration) with ISP and hardware failover. (I used a DD-WRT router and VLANs to simulate a dual ISP configuration and believe I understand what I'm doing, since it seems to work as expected from the WAN-fail perspective, but I was unable to get LE certs to work because the router became the termination point.)
From what I've read, for an active/passive CARP configuration I need a router fronting each ISP with at least 3 IPs: one for each pfSense instance and a floating IP representing the 'cluster' as a whole.
What I can't figure out is how to do that while having pfSense act as the 'endpoint' for the ACME transaction to issue and renew certificates.
This is about solving the problem I've set myself as a learning exercise; it is not about quick-fix alternatives which will add nothing to my understanding.
My initial thinking was to have the two VMs on x.x.x.1 and x.x.x.2 on the network with separate DHCP ranges, say 64-127 and 128-191. Clearly this means maintaining 2 configurations (my understanding is CARP can avoid this by syncing between servers).
To be honest, I'm not sure what questions I should be asking, so asking me a question is a valid way to educate me.
At this time the two biggest questions I have are: how do I make pfSense the ACME endpoint with routers between me and the internet, and secondly, how do I make two servers with different hostnames act as a single ACME endpoint?
Thanks in advance for any help/suggestions/thoughts. At work we're about to deploy a major release, so my focus is likely elsewhere for the next week, or two if it doesn't go well.
-
The way we run it as a virtual appliance is to run the VM in a vSphere HA clustered setup.
Then it's no hassle and you get rid of the CARP issues....
Others run it in parallel and maintain 2 configs. It's very easy and runs in 2 tabs in a browser.
Thereby there is no interaction between the 2, and you just add GW weights in the OS using them as the GW.
-
In a true HA setup pfSense does not support either DHCP or PPPoE WANs. So, yes, you would need to use additional routers in front of both WANs to terminate those connections and provide the static subnets required for CARP.
You might consider getting a static /29 on one if you can. That would solve both issues.
Steve