PfSense failover with DHCP on WAN side

  • Hi,

    I'm successfully running two 2.1 beta pfSense Firewalls with a CARP VIP on the LAN side. My cable provider hands out the WAN IP via DHCP; only the first MAC address requesting an IP gets one, and subsequent requests using different MAC addresses are ignored until I reset the cable modem. That's not a problem, I simply spoof the WAN MAC address on both gateways. As it's the same on both WAN interfaces, I don't have to reset the modem in case of a failover.
    Naturally I have to set the backup gateway's WAN IP address to "None" for backup operation and I need to manually set it to DHCP in case of a failover.
    Which leads me to the question: What would be the most elegant way to automate switching WAN settings to "None" when a gateway is in state backup and switching to DHCP when it's master?
    One should be able to control this via etc/rc.carpmaster and etc/carpbackup scripts.
    I must apologize, I'm not really familiar with PHP/pfSense internals. Are there any pfSense internal functions I could call there (something like "function_set-WAN-interface-to-DHCP, function_reload-filter"), or do I have to write a shell script calling dhclient, pfctl etc. directly?

  • Not a really easy way to do that. You can hook into devd to run scripts when CARP changes status, then you'd have to write something that changes WAN from none to DHCP when that occurs.

    You could possibly do the same as what I do in a similar scenario, get a second IP via DHCP from your ISP (mine costs $7 USD/month more), so each machine has its own IP and no hacking or duplicate MACs are necessary. Duplicating MAC addresses like you're doing is potentially fraught with issues at several levels. Leaving the WAN set to "none" on the secondary minimizes that at the firewall level, but your upstream switch or cable modem, and other things, could potentially have issues with that.
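
As an added example (not code from the thread or from the pfSense project), here is the shape such a devd hook could take for the MAC-spoofing setup described above: on a CARP MASTER event the WAN interface is brought up and dhclient is started, on BACKUP the interface is taken down so only one box ever talks to the cable modem. The devd stanza in the header, the interface names `em0`/`em1`, the script path and the exact dhclient/ifconfig invocations are assumptions; the CARP event format shown is the FreeBSD 10+ one (`system=CARP`, `subsystem=vhid@ifname`, `type=MASTER|BACKUP`), so check `devd.conf(5)` on the version actually running. The same script could equally be called from the `rc.carpmaster`/`rc.carpbackup` scripts the question mentions.

```shell
#!/bin/sh
# carp-wan.sh: added example hook for a CARP-driven WAN up/down on the
# backup node. Not pfSense code; interface names and commands are assumed.
#
# Assumed devd stanza (e.g. /usr/local/etc/devd/carp-wan.conf):
#
#   notify 100 {
#       match "system"    "CARP";
#       match "subsystem" "[0-9]+@em1";          # vhid@LAN interface
#       match "type"      "(MASTER|BACKUP)";
#       action "/usr/local/sbin/carp-wan.sh $type em0";   # em0 = WAN
#   };
#
# Usage: carp-wan.sh <MASTER|BACKUP|INIT> <wan-ifname>
# DRY_RUN=1 prints the commands instead of executing them.

# Only accept a plausible interface name; the name ends up in eval below,
# so reject anything with shell metacharacters (em0, igb1.100, lagg0 pass).
valid_ifname() {
    case "$1" in
        "" | *[!a-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map a CARP state to the WAN action we want: "up", "down", or "ignore"
# (non-zero return) for states we do not handle.
carp_wan_action() {
    case "$1" in
        MASTER)      echo up ;;
        BACKUP|INIT) echo down ;;   # INIT: not elected yet, stay quiet
        *)           echo ignore; return 1 ;;
    esac
}

# Print the command list for an action, one per line. Kept side-effect
# free so it can be checked without touching real interfaces.
carp_wan_commands() {
    action=$1; ifn=$2
    case "$action" in
        up)
            # Link up, then request a lease with the shared (spoofed) MAC
            # already set on the interface. -b backgrounds dhclient so the
            # devd action does not block on the DHCP exchange.
            printf '%s\n' "ifconfig $ifn up" "dhclient -b $ifn"
            ;;
        down)
            # Stop this interface's dhclient first so it cannot re-request
            # an address after the link goes down, then drop the link.
            printf '%s\n' "pkill -f 'dhclient.*$ifn'" "ifconfig $ifn down"
            ;;
        *) return 1 ;;
    esac
}

# Entry point: validate input, pick the action, run (or print) the commands.
carp_wan_main() {
    state=$1; ifn=$2
    valid_ifname "$ifn" || { echo "carp-wan: bad interface name '$ifn'" >&2; return 2; }
    action=$(carp_wan_action "$state") || { echo "carp-wan: ignoring CARP state '$state'" >&2; return 0; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        carp_wan_commands "$action" "$ifn" | sed 's/^/+ /'
        return 0
    fi
    logger -t carp-wan "CARP $state: bringing WAN $ifn $action"
    carp_wan_commands "$action" "$ifn" | while IFS= read -r cmd; do
        eval "$cmd" || logger -t carp-wan "command failed: $cmd"
    done
}

# Run only when invoked with arguments (devd passes two); with none, the
# functions above are merely defined, which keeps them testable in isolation.
if [ $# -ge 2 ]; then
    carp_wan_main "$@"
fi
```

Two caveats worth stating plainly. This works at the FreeBSD level only: calling dhclient and ifconfig behind pfSense's back does not update pfSense's own interface, gateway or filter state, which is exactly the gap the question is about. And the `down` branch matters as much as the `up` one: with a duplicated WAN MAC, a backup node that still has a dhclient running is the thing most likely to confuse the modem or upstream switch.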

  • Sadly I would have to switch to one of my ISP's business offers. That would cost more than double and deliver some telephony service I'd have to pay for but would not use. Anyway, as I found no clean way of doing this with pfSense, I tried to verify that setup with OpenBSD and I'll stick with that for now. Using ifstated together with CARP you can simply ifconfig down the external interface automatically so it will not interfere with anything on the outside.
    It's a pity I'm not really good at anything related to programming but a little shell scripting, otherwise I would try to implement some system triggers (e.g. Disable Interface X) in case of CARP failover for pfSense. I really like pfSense, it's the best Open Source Firewall distribution there is. Maybe someone else likes the idea and implements it ;)
