ISP Dynamic IP and pfSense HA
TL;DR: I could not get failover to work with my dynamic IP addresses. So I plugged my secondary HA pfSense WAN port into my ISP's router. Failover is NOT completely seamless, but it's good enough to not interrupt someone's video stream.
I thought I would post this because I was scratching my head for a few days about this and didn't find any answers googling around or on these forums. However, if anyone has an idea of how to better accomplish this, I'm all ears.
I have a virtualized pfSense router in my server and it's working well. However, if I have to take that server down for maintenance or make a configuration change that requires me to take down the VMs, it's not long before I hear about it. Last month I installed a new PCIe card (at 11pm) and I ended up staying up until about 2am because it didn't go smoothly. I've always wanted some failover, but now it's at the top of the priority list.
Unfortunately, I have a dynamic public IP from my ISP, and my ISP only gives me two. After going through the HA documentation, the LAN failover is working great, but the WAN failover was a head-scratcher. A VIP won't work with a dynamic IP. I found some posts about cloning the MAC address on both boxes and enabling/disabling the WAN port on failover, but I couldn't get this to work for me at all. So in the end, I just plugged the WAN port for my failover box into my ISP's LAN. On failover my public IP changes, but I don't have any critical services that require a fixed public IP. So this is acceptable for me.
If anyone knows of a better solution that would allow my IP address to remain the same on transition to the second box, I'd love to know how it could be done. This didn't work for me.