Is this setup reliable and fine?

  • Hi All,

    I would like to know if such a setup is OK and right.

    pfSense are running in a cluster/HA => failover is OK, BACKUP becomes MASTER if MASTER is dead.

    Both WAN I/Fs of each pfSense box are set up with the same WAN gateway z.x.y.214/29.
    The ISP is providing a pool of 8 IPs in a /29 network from z.x.y.208 to z.x.y.215: .214 is their gateway, running as an HSRP config.

    The SDLS router is the master by default; the config toggles to the backup unit if the main SDLS ISP router goes down or the Internet link drops.

    The switch between the pfSense boxes and the ISP routers is a classic 8-port 10/10/1000, not manageable.

    I have defined some virtual IPs on both pfSense sides:


    Each pfSense WAN I/F is set up like this: z.x.y.213/24

    Do I need to set up the SAME MAC address for each WAN defined on pfSense#1 and pfSense#2???
    Do I need to also set up the SAME MAC address for each virtual IP?

    Is such a config OK or not?

    The main deal is to have enough security: if one of the ISP routers is not working, the second one switches to master.

    I was in production today; I saw the MASTER pfSense unit losing (OFF) the ISP gateway while the BACKUP pfSense unit had the ISP gateway ON!!! I removed the monitoring for both of them.

    Many thanks for giving your opinion please :)

  • I think that using CARP + Virtual IP will help me :-)
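A way to check, on either pfSense node, what its ARP cache actually holds for the ISP's .214 HSRP gateway and for the shared CARP WAN VIP. This is an added example, not code from the thread or from pfSense; it parses FreeBSD `arp -an` output (a constructed sample is embedded, with 192.0.2.0/24 standing in for the poster's z.x.y and `em0` as the assumed WAN interface) and classifies each MAC by the well-known VRRP/CARP (00:00:5e:00:01:vhid) and HSRP (00:00:0c:07:ac:group / 00:00:0c:9f:fxxx) virtual prefixes. The point it makes: the two boxes keep their own distinct physical WAN MACs, only the CARP VIP carries a shared virtual MAC, and the gateway entry should point at the HSRP virtual MAC rather than at one router's physical MAC.

```python
import re

# Constructed sample of `arp -an` output in the FreeBSD/pfSense format.
# 192.0.2.0/24 (documentation range) stands in for the poster's z.x.y.
SAMPLE_ARP = """\
? (192.0.2.214) at 00:00:0c:07:ac:0a on em0 expires in 1170 seconds [ethernet]
? (192.0.2.213) at 00:00:5e:00:01:01 on em0 permanent [ethernet]
? (192.0.2.211) at 08:00:27:12:34:56 on em0 expires in 900 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)")


def classify_mac(mac):
    """Return (kind, group) based on the well-known virtual MAC prefixes."""
    mac = mac.lower()
    if mac.startswith("00:00:5e:00:01:"):        # VRRP/CARP: 00:00:5e:00:01:<vhid>
        return "carp-vip", int(mac[-2:], 16)
    if mac.startswith("00:00:0c:07:ac:"):        # HSRP v1: 00:00:0c:07:ac:<group>
        return "hsrp-v1", int(mac[-2:], 16)
    if mac.startswith("00:00:0c:9f:f"):          # HSRP v2: 00:00:0c:9f:fXXX (12-bit group)
        return "hsrp-v2", int(mac.replace(":", "")[-3:], 16)
    return "physical", None


def parse_arp(text):
    """Parse `arp -an` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            kind, group = classify_mac(m.group("mac"))
            entries.append({"ip": m.group("ip"), "mac": m.group("mac").lower(),
                            "ifname": m.group("ifname"), "kind": kind, "group": group})
    return entries


def check_wan(entries, gateway_ip, vip_ip):
    """Report whether the ISP gateway and the shared WAN VIP resolve to virtual MACs."""
    by_ip = {e["ip"]: e for e in entries}
    gw, vip = by_ip.get(gateway_ip), by_ip.get(vip_ip)
    return {
        # .214 should map to the HSRP virtual MAC; a router's physical MAC here
        # means this node would keep sending to that one router after an HSRP switch.
        "gateway_is_hsrp": gw is not None and gw["kind"].startswith("hsrp"),
        # The VIP should map to the CARP virtual MAC; physical WAN MACs stay distinct.
        "vip_is_carp": vip is not None and vip["kind"] == "carp-vip",
        "gateway_mac": gw["mac"] if gw else None,
    }


if __name__ == "__main__":
    print(check_wan(parse_arp(SAMPLE_ARP), "192.0.2.214", "192.0.2.213"))
```

On a live node, replace SAMPLE_ARP with the output of `arp -an` and run the check on both the MASTER and the BACKUP after a failover to compare what each one resolves the gateway to.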