pfSense redundancy with 4 public IPs



  • We are currently searching for a high-availability solution, one question I need answered before starting to test pfSense:

    Today, we use 4 public IPs, all on different subnets, for 4 different domains.
    In the documentation it says I need 3 public IPs on WAN to configure failover with pfSense.
    The way I read it, it means we will need 12 public IPs? That we cannot have.

    Basically, what we want is 2 firewalls, one active and the other one just standing by. Also we want to have 2 switches on LAN for complete redundancy.
    So question is: can we use pfSense in some way to create a network like this? After reading the documentation I'd say "no", but posting here first in case I missed out on something.

    Edit: updating network diagram



  • If you have only one IP on each subnet, you can do it by combining forces with your router(s). ;D

    See (http://forum.pfsense.org/index.php/topic,35281.msg200865.html#msg200865) for a detailed explanation of how to do this.

    After NAT on the router, at pfSense:

    You can't have two subnets on the same interface; you need to create an interface for each subnet.

    The minimum number of IPs for it will be 4 on the same subnet:
    1 for the router
    1 for pfsense1
    1 for pfsense2
    1 to be published as a CARP IP between the two pfSenses (this can be as many as you need: 1, 2, … 10 IPs)

    If you plan to have each pfSense plugged into different switches, you must have a dedicated interface between both for sync.
    My suggestion is to plug all interfaces of each firewall into only one switch (using VLANs); this prevents some CARP mistakes between master and slave when not all interfaces are offline.

    FIREWALL1 <-> SWITCH 1
    FIREWALL2 <-> SWITCH 2

    FIREWALL1 <-CROSSOVER-> FIREWALL2

    If you have two gigabit interfaces on each firewall you can do everything: one for sync and the other with a lot of VLANs.

    Regards,
    Marcello Coutinho
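The address plan in the reply above (one subnet per interface; router, two pfSense nodes and at least one shared CARP VIP all inside that subnet) is easy to get wrong when the NAT router hands out the WAN range. The following checker is an added example, not code from the thread or from pfSense; the interface names, the `check_plan` helper and the sample addresses (documentation and RFC 1918 ranges) are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample plan, not taken from the original thread. The WAN side
# follows the reply: one router address, one per pfSense node, one shared CARP
# VIP, all in a single subnet handed out by the NAT router in front.
SAMPLE_PLAN: Dict[str, dict] = {
    "WAN": {
        "subnet": "198.51.100.0/29",      # documentation range, constructed
        "gateway": "198.51.100.1",        # the router's address
        "pfsense1": "198.51.100.2",
        "pfsense2": "198.51.100.3",
        "carp": ["198.51.100.4"],
    },
    "LAN": {
        "subnet": "10.10.0.0/24",
        "gateway": None,                  # the CARP VIP is the LAN default gateway
        "pfsense1": "10.10.0.2",
        "pfsense2": "10.10.0.3",
        "carp": ["10.10.0.1"],
    },
}


def check_interface(name: str, spec: dict) -> List[str]:
    """Return human-readable problems found in one interface's address plan."""
    problems: List[str] = []
    net = ipaddress.ip_network(spec["subnet"], strict=True)
    labelled = [("pfsense1", spec["pfsense1"]), ("pfsense2", spec["pfsense2"])]
    if spec.get("gateway"):
        labelled.append(("gateway", spec["gateway"]))
    labelled += [(f"carp[{i}]", a) for i, a in enumerate(spec.get("carp", []))]

    # Rule from the reply: the shared CARP VIP is what clients actually use,
    # so an interface without one has no failover address at all.
    if not spec.get("carp"):
        problems.append(f"{name}: no CARP VIP defined")

    seen: Dict[ipaddress.IPv4Address, str] = {}
    for label, raw in labelled:
        addr = ipaddress.ip_address(raw)
        # Rule: one subnet per interface, so every address must sit inside it.
        if addr not in net:
            problems.append(f"{name}: {label} {addr} is outside {net}")
            continue
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {label} {addr} is the network or broadcast address")
        # Real node addresses and the shared VIP must not collide.
        if addr in seen:
            problems.append(f"{name}: {label} {addr} duplicates {seen[addr]}")
        seen[addr] = label
    return problems


def check_plan(plan: Dict[str, dict]) -> List[str]:
    """Run check_interface over every interface; an empty list means the plan is consistent."""
    out: List[str] = []
    for name, spec in plan.items():
        out.extend(check_interface(name, spec))
    return out


def minimum_wan_addresses(spec: dict) -> int:
    """Router + two pfSense nodes + every CARP VIP, counted the way the reply does."""
    return (1 if spec.get("gateway") else 0) + 2 + len(spec.get("carp", []))


if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
    print("WAN addresses needed:", minimum_wan_addresses(SAMPLE_PLAN["WAN"]))
```

Extending the `carp` list for the WAN interface is how the "1, 2, … 10 IPs" case in the reply is modelled: each additional published service address costs one more address in the same subnet, while the router and the two node addresses stay fixed.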

