Dual WAN, static IPs, will pfSense help me?



  • I am considering installing pfSense for my firewalls, it looks like just the ticket. Currently I us pf on FreeBSD anyway, but I am just about to upgrade the internet connections for failover and I think pfSense can help me here.

    It seems nearly all of the documentation / tutorials I have read have been about connecting to different ISPs, or for homes / offices needing to connect to the internet. I'm looking for a data center solution for web servers and VOIP servers.

    The situation will be that the same ISP will provide 2 diverse cat5 feeds to my rack. Each feed is on diverse routes from this data center to the upstream peers.

    I will get a different IP address / subnet  for each connection, and a block of 64 public IP addresses. Each connection will route the public IPs via the router addresses. I don't need to use BGP as its the same provider, they handle that bit upstream from me.

    I just wanted to check that pfSense will be happy with this, and if one link goes down (say a router gets a DOS attack, or a some fool unplugs a connection to an upstream router) it will happily route all traffic via the other link.

    As far as load balancing goes I think it would be better for the users packet latency if the packets went back on the link that the request came in on, but to be honest I'm not all that bothered. Both links will have the same capacity, and my bandwidth allowance is based on the total used across both links.

    [EDIT] It was recommended to me that I put a switch with STP (Spanning Tree Protocol) on each cat5 (would need to do this anyway to use CARP and have two machines connected) then connect the 2 switches together. That should give me no single point of failure.

    I guess that also means that there is not going to be much problem with whichever WAN interface is used for outbound, as the switches will decide on the most efficient route anyway.

    Regards

    Ben



  • CARP: you just need to connect the 2 machines using a crossed cable. I do not see how putting a switch in between a failover pair of firewalls would increase reliability, though I think that this is what Cisco recommends.

    I am not an expert, but my understanding of STP is that it just stops loops being formed (turns a generalised graph into a tree, to put in graph theory terms) , STP doesnt route.



  • HI,

    I assume your talking about the link for pfsync? Yes that would just be a crossed cable.

    I was meaning a switch on each cat5 cable provided by the ISP. I would need that so I can connect 2 different fw hosts ethernet ports to the one cable. The bit they recommend was to make sure it has STP and then connect the 2 switches together. That would give the additional resilience (cable A fails, and both ethernet cards on the posrts connected to switch B fail - routing can happen via switch on a, through to B then on B's uplink - A somewhat extreme when I think about it).


Log in to reply