Multi WAN+CARP Failover+IPsec/OpenVPN without Load Balancing



  • Hi,

    I am trying to set up my two pfSense boxes to do Multi-WAN and CARP failover and IPsec/OpenVPN without load balancing. Here is my setup right now:

    1. I have two ISPs, both with static IP addresses. I have a range of static IP addresses for the primary ISP and only one IP address for our secondary/backup ISP.
    2. I have two pfSense boxes, both on 1.2.3_release with snort/squid/squidguard.
    3. Currently running OpenVPN as our VPN connection for the remote users.
    4. Currently using just one pfSense box because CARP and Multi-WAN are not configured yet.
    5. I have a mail server and a web server that are NAT-configured with Virtual IP addresses and firewall rules.

    My questions are the following:
    1. How can I set up the secondary/backup ISP to act as failover for both pfSense boxes?
    2. How can I set up CARP with two pfSense boxes to work with IPsec/OpenVPN?
    3. How can I set up the two pfSense boxes so that, in case the primary firewall is down, all traffic will be routed to the secondary/backup ISP and our mail server and web server will still be functioning once the backup ISP takes over? (Note that my NAT configuration and Virtual IP addresses are only set up for my primary ISP.)

    Thank you in advance for your response in this regard.


  • Rebel Alliance Developer Netgate

    In order for multi-wan to work properly, both WANs will need to be on both firewalls.

    In order for CARP failover to work properly, you need to run CARP on all interfaces – WANs and LANs.

    As for IPsec/OpenVPN, you need CARP on the WAN that the VPN will use, and you can tell the VPN to use the CARP IP, and then it's all handled automatically.

    You cannot fail over with CARP just because the WAN is down, for that you need Multi-WAN (both WANs on the same box) - at least not easily, and not in the GUI. There is no built-in way to trigger a CARP failover just because an ISP is down, especially if you aren't doing proper CARP on the WAN.

    If you can get more IPs from the secondary ISP, you could do everything. Just connect both WANs to both firewalls, do CARP everywhere, and set up Multi-WAN. Then you'd have redundant ISPs and redundant firewalls. This setup is covered in the book.



  • Thanks for the response, Jimp. I don't know what exactly you are trying to explain to me. However, I tried to set up failover on the primary firewall and I followed the procedure here: http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x, although in this procedure the pfSense box is acting as a gateway, not a router, because there is another router set up before the pfSense. Ours is different: we don't have a router before pfSense, the pfSense is acting as router and gateway, so my WAN has the public static IP address, the same as the WAN2, and it is not working for me.

    Are you able to guide me through?

    Thanks.

