Only a dare-devil can try this!!!!

  • Is this scenario possible?

    I am very new to pfSense.

    I wished to have failover + load balancing + url filter + firewall etc using one physical system.

    After some thinking I have come out with the following solution.

    Ubuntu 64-bit with 3 physical LAN cards / 8 GB RAM / 500 GB HDD.

    Primary WAN link thru router to 1st interface.

    Secondary WAN link thru router to 3rd interface.

    2nd interface used to attach a standard switch where all my clients get connected.

    VirtualBox installed. Created 2 VMs / 3 GB / 50 GB VDI / with 3 network interfaces.

    Installed pfSense on each of the VMs.

    3 interfaces on each VM:
        1st in bridged mode (for accessing the WAN link)
        2nd in host-only mode (for the network; attached to the second interface on the host system)
        3rd in internal mode (to provide sync between the 2 VMs)

    Now, using CARP, will I be able to do failover with one physical system?

    Diagram attached for explaining my concept.

  • You should be able to do this with one installation of pfSense on the box.  No need to virtualize two instances on top of Ubuntu.

    A single install of pfSense will handle the load balancing between the two WAN links as well as the failover. Very easy to set up. Firewall is pretty standard to set up/manage/configure, and there are packages that will do URL filtering.

    Again, one installation of pfSense is all you need.

  • Good luck getting web filtering and load-balancing working.

  • Netgate Administrator

    In your proposed configuration you will only ever use one WAN.
    With a CARP failover setup, such as in your suggestion, one machine is active whilst the other is standby. Both machines are never used at the same time. Thus if your WANs are only connected to one pfSense VM they will not be load balanced. You need both WANs connected to both pfSense VMs.

    However, as suggested above, you would be better off just installing pfSense bare metal on the box and forgetting about CARP. Whatever benefit you might get from failover will be outweighed by the increased complexity, and you would still have a single point of failure in only one box. Get two boxes if you need HA. What are your WAN speeds? Perhaps you can use two lesser boxes.


  • First of all, the ISP has to support failover and load balancing on their end. Is that the case?

    ISPs usually charge a heavy amount of money for full failover/load balancing support on their end. The cost of an additional box will be negligible compared to the monthly cost for the ISP.

  • Netgate Administrator


    First of all, the ISP has to support failover and load balancing on their end. Is that the case?

    That's only true if you want to use MLPPP. You can do round-robin based load balancing and failover between any two connections, with some limitations.


  • The original poster mentioned CARP, which means that he wants the failover process not to drop any existing connections.

  • Netgate Administrator

    Good point. He could have just wanted system redundancy though.

    More info needed.  :)


  • Thanks to all of you for your opinion.

    Yes, I am aware that only one WAN link would work in the scenario. What I am expecting is the HA feature. The whole object is that when the primary WAN link goes down the clients should be able to access the Internet transparently from the secondary WAN link without changing any configuration whatsoever, and whenever the primary link comes up, the clients should be able to access the Internet from the primary link.

    For more info, we have 2 WAN links: primary 10 Mbps and secondary 2 Mbps.

    My question was whether this arrangement would work. (Please refer to the diagram in the first post.)

    Can I achieve this without using VMs, i.e. installing bare-metal pfSense on the box? (Please keep in mind I have only one box, with 8 GB RAM, 3 physical Ethernet cards and one 500 GB HDD, at my disposal.)

    This project is for a school in India…. I will not be able to organise more hardware.

    Please help if possible.


  • Netgate Administrator

    You can easily achieve a fail-over scenario between two WAN connections using a single instance of pfSense installed on your box. You can load balance the two connections as well if you want.
    Depending on the speed of the connections and the spec of your hardware you may want to install pfSense as a single VM anyway because you can then use the hardware for running additional VMs. This does reduce security (potentially) but given your lack of access to hardware might be the most efficient way to use it.

    Do you intend to run any packages on pfSense, Squid, Snort, etc.?
    What is the full spec of your box?
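As an added illustration of what "fail-over between two WAN connections using a single instance of pfSense" means in practice, and not code from this thread or from pfSense itself: pfSense puts each WAN gateway into a gateway group with a tier number, monitors every gateway, and sends new connections to the lowest tier that still has a gateway up, sharing traffic round-robin between members of the same tier. The model below reproduces that selection logic in Python. The gateway names, tiers, monitor samples and the loss/latency "down" thresholds are constructed for the example; it plays out the original poster's two-tier arrangement (10 Mbps primary, 2 Mbps secondary) with automatic fail-back, and the equal-tier load-balancing alternative that the earlier replies mention.

```python
"""
Tiered gateway-group selection, the mechanism behind pfSense multi-WAN
failover and load balancing. This is an added, simplified model written to
illustrate the behaviour discussed in the thread; it is not pfSense code.
Gateway names, tiers, monitor samples and the "down" thresholds are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    tier: int  # 1 = preferred; a higher tier is used only when every lower tier is down


@dataclass(frozen=True)
class MonitorSample:
    loss_pct: float  # packet loss measured against the gateway's monitor IP
    rtt_ms: float    # round-trip time to the monitor IP


# Assumed thresholds at which the monitor marks a gateway down (constructed
# values, in the style of pfSense's per-gateway loss/latency settings).
LOSS_DOWN_PCT = 20.0
LATENCY_DOWN_MS = 500.0


def gateway_is_up(sample: MonitorSample) -> bool:
    """A gateway counts as up while both loss and latency stay under the down thresholds."""
    return sample.loss_pct < LOSS_DOWN_PCT and sample.rtt_ms < LATENCY_DOWN_MS


def active_members(group: List[Gateway], samples: Dict[str, MonitorSample]) -> List[str]:
    """Members of the lowest-numbered tier that still has at least one gateway up.

    Members of the same tier share traffic; a lower-priority tier is only used
    when every gateway in the higher-priority tiers is down. Going back to the
    primary tier as soon as it is up again is the "fail-back" the thread asks for.
    """
    up_by_tier: Dict[int, List[str]] = {}
    for gw in group:
        if gateway_is_up(samples[gw.name]):
            up_by_tier.setdefault(gw.tier, []).append(gw.name)
    if not up_by_tier:
        return []
    return up_by_tier[min(up_by_tier)]


class GatewayGroup:
    """Chooses the gateway for each new connection: round-robin within the active tier."""

    def __init__(self, members: List[Gateway]) -> None:
        self.members = members
        self._next = 0

    def select(self, samples: Dict[str, MonitorSample]) -> Optional[str]:
        active = active_members(self.members, samples)
        if not active:
            return None  # every WAN is down; policy routing has nowhere to send the flow
        choice = active[self._next % len(active)]
        self._next += 1
        return choice


def failover_scenario() -> List[Optional[str]]:
    """Primary 10 Mbps WAN in tier 1, secondary 2 Mbps WAN in tier 2 (the thread's setup)."""
    group = GatewayGroup([Gateway("WAN1", 1), Gateway("WAN2", 2)])
    healthy = {"WAN1": MonitorSample(0.0, 25.0), "WAN2": MonitorSample(0.0, 80.0)}
    wan1_dead = {"WAN1": MonitorSample(100.0, 0.0), "WAN2": MonitorSample(0.0, 80.0)}
    both_dead = {"WAN1": MonitorSample(100.0, 0.0), "WAN2": MonitorSample(35.0, 900.0)}
    # Expected sequence: WAN1 while healthy, WAN2 during the outage,
    # WAN1 again once it recovers, None when nothing is reachable.
    return [group.select(healthy), group.select(wan1_dead),
            group.select(healthy), group.select(both_dead)]


def load_balance_scenario(connections: int = 4) -> List[Optional[str]]:
    """Both WANs in tier 1: new connections alternate between them."""
    group = GatewayGroup([Gateway("WAN1", 1), Gateway("WAN2", 1)])
    healthy = {"WAN1": MonitorSample(0.0, 25.0), "WAN2": MonitorSample(0.0, 80.0)}
    return [group.select(healthy) for _ in range(connections)]


if __name__ == "__main__":
    print("failover    :", failover_scenario())
    print("load balance:", load_balance_scenario())
```

The model only decides where new connections go. Sessions already established over a WAN that goes down are dropped rather than migrated, which is the distinction the earlier CARP comment is drawing: gateway failover restores Internet access for the clients, while CARP with state synchronisation is about keeping existing sessions alive across two firewalls, and it needs two machines to mean anything.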

