Query on HA and VIP

siil-it

We are looking to purchase a pair of 8300's and set them up in HA mode.

There are two WAN connections
One is a static internet with a /28 public IP range
One is a business broadband connection that gets it's IP via DHCP from the ISP's device

There will also be a DMZ switch attached to one of the 10G ports on each PFSense and the LAN connections will also us a 10G port.

What is the best way to configure the public and internal VIP's for the HA. Should we be using an intermediary switch?

SteveITS

@siil-it Typically there’s a switch between the routers and ISP. I haven’t tried without but if you say used two ports on the ISP router it would need to allow the shared IP to move ports.

WAN2 is not static? I don’t know you can have a shared IP there…one normally needs at least one static IP. Does that ISP also NAT? (Here Comcast cable does)

netblues

@siil-it The /28 can failover with a normal carp vip. And you need a switch in front of the two 8300
Obviously the switch AND the isp equipment is SPOF's

For the business broadband, what ip does it get? A public one or from private range
If it is for the latter, use static and do the same.

If not, then you can't really have carp failover without 3 ip's in the same subnet.

SteveITS

@netblues

you can't really have carp failover without 3 ip's in the same subnet

Depends, which is why I asked about it. We’ve set it up on Comcast/Xfinity using one shared static public IP and set the WAN IP on both routers in the default 10.1.10.x range. That works well.

Docs cover only one IP but there’s no connectivity until failover:
https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp

If WAN2 is really only DHCP though then I don’t think there can be a shared IP.