Netgate Discussion Forum

    Need help with a 'stretch goal' on a firewall project

    zaphod80013:

      I've run pfsense for a while, set it up from internet videos without truly understanding much of what I was doing, trying to fix that. I would classify my network skills as lower-intermediate (I'm an IT professional but on the software development side). Here's the goal I've set myself.

      My ISP is Centurylink where I have a single static IP. Although I'm only a couple of years from retirement, to support working from home (and for ongoing education) I'm looking at a second ISP for redundancy (most likely with a dynamic IP). My current configuration uses transparent bridging into pfsense (running in a VM) which acts as a PPPoE endpoint. This works well and I'm able to use Let's Encrypt certificates with the ACME package.

      My goal is to have a dual ISP into 2 VMs (on different hardware in a CARP configuration) with ISP & hardware failover (I used a DDWRT router and vlans to simulate a dual ISP configuration and believe I understand what I'm doing since it seems to work as expected from the WAN fail perspective, but I was unable to get LE certs to work because the router became the termination point).

      From what I've read, for an active/passive CARP configuration I need a router fronting each ISP with at least 3 IPs: one for each pfsense instance and a floating IP representing the 'cluster' as a whole.

      What I can't figure out is how to do that while having pfsense act as the 'endpoint' for the ACME transaction to issue & renew certificates.

      This is about solving the problem I've set myself as a learning exercise; it is not about quick fix alternatives which will add nothing to my understanding.

      My initial thinking was to have the two VMs on x.x.x.1 & x.x.x.2 on the network with separate DHCP ranges, say 64-127 & 128-191; clearly this means maintaining 2 configurations (my understanding is CARP can avoid this by syncing between servers).

      To be honest I'm not sure what questions I should be asking so asking me a question is a valid way to educate me.

      At this time the two biggest questions I have are how do I make pfsense the ACME endpoint with routers between me and the internet, and secondly how do I make two servers with different hostnames act as a single ACME endpoint.

      Thanks in advance for any help/suggestions/thoughts. At work we're about to deploy a major release so my focus is likely elsewhere for the next week, or two if it doesn't go well.

      Cool_Corona:

        The way we run it as a virtual appliance is to run the VM in a vsphere HA clustered setup.

        Then it's no hassle and you get rid of the CARP issues....

        Others run it in parallel and maintain 2 configs. It's very easy and runs in 2 tabs in a browser.

        Thereby there is no interaction between the 2 and you just add GW weights in the OS using them as GW.

          stephenw10 (Netgate Administrator):

          In a true HA setup pfSense does not support either DHCP or PPPoE WANs. So, yes, you would need to use additional routers in front of both WANs to terminate those connections and provide the static subnets required for CARP.

          You might consider getting a static /29 on one if you can. That would solve both issues.

          Steve

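To make the address requirement in the two replies concrete, here is an added example (not from the thread or from pfSense) that plans one WAN side of an active/passive CARP pair sitting behind a fronting router: the router's gateway address, one address per pfSense node, and the shared CARP VIP. It also shows why a /30 is too small and a /29 is the smallest IPv4 prefix that fits; the 192.0.2.0/29 prefix and the role names are constructed for the example.

```python
"""Address plan for a CARP pair behind a fronting router (added example).

Assumptions (constructed for this example, not from the thread):
 - the ISP-facing router holds the first usable address and is the gateway,
 - each pfSense node needs its own WAN address,
 - one further address is the floating CARP VIP shared by the pair.
"""
import ipaddress

# What one WAN of an active/passive CARP pair consumes on the static subnet
# the fronting router hands it: gateway, two node addresses, floating VIP.
ROLES = ("router_gateway", "pfsense_node1", "pfsense_node2", "carp_vip")


def plan_wan_subnet(prefix: str) -> dict:
    """Return a role -> address plan for the given static WAN subnet.

    Raises ValueError when the subnet has too few usable host addresses.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    usable = list(net.hosts())  # network and broadcast are not usable on a /29
    if len(usable) < len(ROLES):
        raise ValueError(
            f"{net} has {len(usable)} usable address(es); "
            f"need {len(ROLES)} (gateway, 2 nodes, CARP VIP)"
        )
    plan = {role: str(addr) for role, addr in zip(ROLES, usable)}
    plan["spare"] = [str(addr) for addr in usable[len(ROLES):]]
    return plan


def fits_carp_pair(prefix: str) -> bool:
    """True if the subnet can hold gateway, both nodes and the CARP VIP."""
    try:
        plan_wan_subnet(prefix)
        return True
    except ValueError:
        return False


def smallest_prefix_for_carp_pair() -> int:
    """Longest IPv4 prefix length (smallest subnet) that still fits the pair."""
    for plen in range(32, 0, -1):
        if fits_carp_pair(f"192.0.2.0/{plen}"):  # RFC 5737 documentation range
            return plen
    raise RuntimeError("unreachable: a /8 certainly fits")


if __name__ == "__main__":
    print(plan_wan_subnet("192.0.2.0/29"))
    print("smallest usable prefix: /%d" % smallest_prefix_for_carp_pair())
```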
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.