I hope this isnt a dumb question
by looking at the docs concerning failover…
is it possible to have a failover VIP for LAN, and a failover VIP for WAN, and they are all on the same 2 pfsense systems clustered together?
the doc makes it look like you cluster either your lan, or you cluster your WAN.
and i assume all other features apply… namely VPN tunnels would come back up once the failover is complete on the 2nd firewall?
yes this is quite possible. i run several CARP pairs this way. you need at least 3 external IPs on the same subnet to do this.
and just make sure you NAT all your traffic out the WAN VIP, and when you build the OpenVPN server that you assign it to that VIP interface.
so if your primary firewall dies, the backup takes over the VIP and OpenVPN continues to work.
I've done alot of testing with failover of a CARP pair and generally I only lose 1 packet when pinging from internally to outside during the new master being elected.
And when I've tested it with OpenVPN connecting the connection stayed on both during the failover and when bringing the primary back online, same goes for IPSEC tunnels.
ideally, id like to use my entire block of external IPs, so would it be. along with your 2 actual host IPs, can you pass multiple IPs as CARP VIPS?
Yes you just have to ensure you use a different VHID for each VIP on the same interface