Netgate Discussion Forum

    Multiple Webservers on LAN

      anthonyg

      Hey everyone!

      In my ongoing project to switch over our medical facility to pfSense redundant firewalls, I am running into another snag that I need a little clarification on. I am running in a Multi-WAN + CARP Failover environment. I will also have multiple IPsec connections coming into the firewalls. My two questions are these.

      1. Will my load balancer for the multi-WAN auto failover for the IPsec connections? Also, are there any suggestions as to what I can do to avoid having to enter the secondary WAN's shared CARP IP on the other end of my Site-to-Site VPN when my primary WAN goes offline?
      2. I have multiple webservers on my LAN. How can I go about allowing outside users to access these? In the past we just put them on their own static IP addresses. But if I were to do that now, wouldn't that defeat the purpose of the CARP Failover since it would no longer function?

      Thanks for all the help.

      Anthony

        anthonyg

        Anybody?

          jimp Rebel Alliance Developer Netgate

          1. No, IPsec doesn't load balance/fail over with multi-wan. You'd have to have a tunnel nailed up on each wan in transport mode, and then have some other method (gre+ospf or similar) to route the traffic over the proper wan. It isn't quite as simple as just sending the IPsec traffic over the other WAN…

          2. Just use additional CARP type VIPs on each WAN, then you can do port forwards to the internal addresses from these CARP VIPs.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.