Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Mulit WAN+Carp Failover+IPSec/OpenVPN without Load Balancing

    Scheduled Pinned Locked Moved Routing and Multi WAN
    3 Posts 2 Posters 5.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Tony
      last edited by

      Hi,

      I am trying to setup my two pfsense box to do the Multi Wan and Carp Failover and IPSec/OpenVPN without Load Balancing. There are my setup right now:

      1. I have two ISP both are Static IP address. I have a range of static IP address for Primary ISP and only one IP address for our secondary/backup ISP.
      2. I have two pfsense box both are in 1.2.3_release with snort/squid/squidguard
      3. Currently running openVPN as our VPN connection for the remote users.
      4. Currently using just one pfsense box because CARP and MultiWAN is not configure yet.
      5. I have mail server and web server that NAT configured with Virtual IP address and Firewall rules.

      My question are the following:
      1. How can I setup the secondary/backup ISP to act as failover for both pfsense box?
      2. How can I setup CARP with two pfsense box to work with IPsec/OpenVPN
      3. How can I setup the two pfsense box if in case the primary firewall is down all traffic will be routed to the secondary/backup ISP and our mail server and web server will still functioning once the backup ISP take over. (Note that my NAT configuration and Virtual IP address only setup for my primary ISP)

      Thank you in advance for your response on this regards.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        In order for multi-wan to work properly, both WANs will need to be on both firewalls.

        In order for CARP failover to work properly, you need to run CARP on all interfaces – WANs and LANs.

        As for IPsec/OpenVPN, you need CARP on the WAN that the VPN will use, and you can tell the VPN to use the CARP IP, and then it's all handled automatically.

        You cannot failover with CARP just because the WAN is down, for that you need Multi-WAN (both WANS on the same box) - at least not easily, and not in the GUI. There is no built-in way to trigger a CARP failover just because an ISP is down, especially if you aren't doing proper CARP on the WAN.

        If you can get more IPs from the secondary ISP, you could do everything. Just connect both WANs to both firewalls, do CARP everywhere, and setup Multi-WAN. Then you'd have redundant ISPs and redundant firewalls. This setup is covered in the book.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • T
          Tony
          last edited by

          Thanks for the response Jimp, I don't know what exactly you trying to explain to me. However I tried to setup failover to the primary firewall and I follow the procedures here http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x although this procedures the pfsense box acting as a gateway not a router because there is another router setup before the pfsense. Ours are different we don't have router before pfsense, the pfsense acting as router and gateway, so my WAN has the Public Static IP address the same as the WAN2 and it is not working for me.

          are you be able to guide me through.

          Thanks.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.