2 ISPs + BGP + pfSense + CARP failover + link load balancing possible?



  • Hi guys

    I am planning to move to a new colo facility and modify my network layout. Right now I am using STATIC routes to the ISP basic layer 3. Due to network issues with the ISP I want to be multi-homed.

    pfSense build
    4 GB RAM
    At least 20 GB HDD
    Core 2 Duo or low-power AMD
    Motherboard on-board LAN x2 (these will be the WAN incoming links to "multi-home")
    External Intel Gigabit PRO/1000 dual port (one port for pfsync/CARP, other port goes to switch)

    I could probably get the ISPs that will provide multi-homing to give me 2 network drops on the same VLAN /30 - can pfSense have the interfaces shut down until CARP determines and starts failing over?

    Has anyone done a setup like mine before? Tips please, I am trying to learn as I go. Also, I need to move IPs. Can pfSense act as a proxy or transparently send traffic to destination 200.44.0.18 (my network) when the server is now on 200.22.33.18 (another network/ISP), so that downtime is minimal while DNS is updated and all vendors change IPs?

    Thanks. PS: attached is my network setup (I don't have pfSense yet though; the switch is connected straight to the ISP)



  • I'm not sure I understand your statement about the 2 network drops in the same VLAN /30. Are you referring to the WAN network /30? If your ISP is providing switched infrastructure (VLAN) for your WAN, you'll need them to give you more than a /30 for CARP. CARP will have an IP overhead with at least one unique IP address per device that plans on sharing the VIP. You'll need to have at least a /29. You'll also have to make sure they are not using packet filters or other firewall between your two VLAN access ports; if your interfaces lose communication across their switch, CARP will not work.

    Your subject line mentions BGP. Are you planning on running BGP between the pfSense and your ISP?

    About your interface shutdown, you may have to manually disable one of the ports initially while the first port is configured and WAN established. It could probably be configured as the CARP interface and you can add your second interface to the group whenever you are ready. If you establish the second interface without switching connectivity or before WAN is ready, you may run into problems because both interfaces will think they are "Master" interfaces. I'm not sure if that answers your question. Please elaborate.

    Although I have not done a setup like yours, I can probably suggest that you could set up NAT after you re-IP to the new IP range, as long as the ISP is willing to maintain routes to your gateway for both old and new prefixes while in transition.

    Hope this helps
    –Ja
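
The /30 versus /29 sizing from the reply above, worked through as an added example that is not part of the thread. It assumes the ISP's gateway takes one address in the WAN subnet; the function names and the 203.0.113.0 documentation prefixes are constructed for illustration.

```python
import ipaddress

def carp_wan_plan(prefix, isp_gateway, nodes=2):
    """Lay out a WAN subnet for a CARP group: one shared VIP plus one
    unique address per firewall. Assumes the ISP gateway also sits in
    this subnet and consumes one usable address."""
    net = ipaddress.ip_network(prefix)
    gateway = ipaddress.ip_address(isp_gateway)
    usable = list(net.hosts())
    if gateway not in usable:
        raise ValueError(f"{gateway} is not a usable host address in {net}")
    free = [h for h in usable if h != gateway]
    needed = nodes + 1  # per-node addresses + the shared VIP
    if len(free) < needed:
        return {"fits": False, "free": len(free), "needed": needed}
    return {
        "fits": True,
        "free": len(free),
        "needed": needed,
        "vip": free[0],            # address the upstream routes to
        "nodes": free[1:needed],   # one real address per firewall
    }

def smallest_prefix(nodes=2):
    """Longest IPv4 prefix that still holds gateway + VIP + every node."""
    needed = nodes + 2
    for plen in range(30, 0, -1):
        if 2 ** (32 - plen) - 2 >= needed:
            return plen
    raise ValueError("no IPv4 prefix is large enough")

if __name__ == "__main__":
    # Constructed sample subnets (RFC 5737 documentation range).
    for prefix in ("203.0.113.0/30", "203.0.113.0/29"):
        print(prefix, carp_wan_plan(prefix, "203.0.113.1"))
    print("smallest prefix for 2 firewalls: /%d" % smallest_prefix(2))
```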

