• Hi All,

    Sorry if this has been asked before.

    I was pointed to this forum by a member of the m0n0wall list.

    I read through the forum but cannot find a setup that matches mine. Here it goes (not real IPs):

    Site A, monowall_A1, internet connection very stable, never goes down:

    WAN IP: (static, one public IP only)
    LAN IP:
    OPT1 - not configured

    Site B has 2 monowalls, both with their LAN port connected to the same switch:

    WAN IP: (static, one public IP only)
    LAN IP:
    OPT1 - not configured


    WAN IP: (static, one public IP only)
    LAN IP:
    OPT1 - not configured

    I've created a site-to-site IPsec tunnel from Site B to Site A: (monowall_B1 <---> monowall_A1)

    Users in Site B are able to access servers in Site A through the tunnel (default gateway is

    Whenever the internet connection on monowall_B1 goes down, I manually switch the tunnel to (monowall_B2 <---> monowall_A1).
    Users change their PC gateway to and they are able to access servers in Site A again.

    Please point me to documentation on how to do failover on my current Site B setup using pfSense. Manually switching the tunnel is very tedious.
    Any assistance is greatly appreciated.

  • I might have a single-click manual failover solution, if this works for you. Set the m0n0 up to await mobile clients (as the other end will change its public IP on failover; see http://pfsense.org/mirror.php?section=tutorials/mobile_ipsec/ for how to set this up). Then set up a pfSense CARP cluster at the location with the 2 WANs: 2 pfSenses sharing the same CARP IP on the LAN (so your local clients don't need to change their gateways). Each machine is connected to its individual WAN and will join the m0n0 as a mobile client, as shown in that tutorial. Make the pfSense with the preferred IPsec tunnel the master node.

    Now if the preferred WAN fails, go to your master node at Status > CARP (failover) and disable CARP. The other node will pick up the LAN IP and will, on demand, establish the connection to the m0n0 as a mobile client. If you keep a ping running from inside the LAN behind the dual pfSense setup, it should start working again once you click the disable button. If the preferred WAN comes back, just click the enable button again; the master will take over the gateway IP again and will negotiate the tunnel with the m0n0 again.

    So once configured it's a single click to switch back and forth. Not sure if this works as expected, as I haven't tried this yet, but it could… let us know  ;)

  • Thanks hoba.

    I will definitely try the suggestion.

    I'll schedule a trip to Site B and change my WRAP boxes to pfSenses. Any other suggestions are welcome so I can try them. It may take some time, though; I'll let you all know the outcome.

  • http://pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm might be of interest too. In your case you will just use one CARP IP on the LAN, which the clients can use as their gateway IP.

  • For the single-click solution, someone has to be at Site B to disable/enable CARP on the master node, right?

    For http://pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm, we only have 1 static IP for both WANs. The tutorial says it requires at least 3 IPs for the WAN. Am I missing something? Thanks.

  • You will only have one CARP IP on the LAN as the gateway, which can be shared between both boxes, so you don't have to manually change all your clients' gateways. Each box will have its own WAN. If you set up PPTP, for example, you can tunnel into the slave pfSense and then go to the webGUI of the master pfSense to disable CARP, so you can do that remotely even if the master pfSense's WAN is down.