Multiple subnets, VLANs, OpenVPN and IPsec active-passive setup questions?

  • Hi everyone,
    I hope someone has the answer:
    we have a pfSense 2.1.4 firewall in our farm.
    The setup is as follows:
    WAN: a.a.a.x/25 (multiple CARP addresses: a.a.a.z/25, a.a.a.y/25 …)
    We also have some more subnets which we had to configure as IP aliases:
    b.b.b.x/26, c.c.c.x/26, d.d.d.x/27, e.e.e.x/28 (total of 7 subnets)
    … goes all the way to (currently)
    We have also set up OpenVPN servers for some of the VLANs and one on the main VLAN - VLAN 1.

    The questions are:
    How would I go about adding another pfSense in failover mode?

    I know I need to CARP the WAN and LAN, but what happens with all the VLANs? Should I create them on the secondary pfSense and add a CARP address to each one?
    That's just the easy part -
    What should I do with all the IP addresses from the different subnets configured as IP aliases?
    I noticed these aren't getting replicated to the failover server - only the CARPed addresses
    (already had an active/passive config but it was only half good)

    What about the OpenVPN, would it listen on the pfSense CARP address or the WAN address?

    Thanks in advance to anyone who can give a pointer in the right direction.

  • Yes, if you want to fail over you need to make a CARP address on every network/VLAN.

    With OpenVPN, bind the server to the CARP address; that way it'll work when the secondary has taken over.
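One way to check a pfSense config for the three gaps raised in this thread (an interface or VLAN with no CARP VIP, IP aliases left on a physical interface rather than on a CARP VIP, and an OpenVPN server bound to WAN instead of a CARP VIP), as an added example that is not from the thread or from the pfSense project. It assumes the config.xml layout (`virtualip/vip` with `mode`, `interface`, `uniqid`; `openvpn/openvpn-server/interface`), that VIP-bound services reference a VIP as `_vip` plus its `uniqid`, and uses a constructed sample config:

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (assumed pfSense layout, not a real export):
# opt1 is an assigned VLAN with no CARP VIP, one IP alias sits on raw WAN,
# and OpenVPN server 2 is bound to WAN instead of the WAN CARP VIP.
SAMPLE_CONFIG = """<pfsense>
<interfaces>
  <wan><if>em0</if></wan><lan><if>em1</if></lan><opt1><if>em1_vlan10</if></opt1>
</interfaces>
<virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><uniqid>aaa111</uniqid>
       <subnet>a.a.a.z</subnet><subnet_bits>25</subnet_bits></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid><uniqid>bbb222</uniqid>
       <subnet>10.0.0.1</subnet><subnet_bits>24</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>_vipaaa111</interface><uniqid>ccc333</uniqid>
       <subnet>b.b.b.x</subnet><subnet_bits>26</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>wan</interface><uniqid>ddd444</uniqid>
       <subnet>c.c.c.x</subnet><subnet_bits>26</subnet_bits></vip>
</virtualip>
<openvpn>
  <openvpn-server><vpnid>1</vpnid><interface>_vipaaa111</interface></openvpn-server>
  <openvpn-server><vpnid>2</vpnid><interface>wan</interface></openvpn-server>
</openvpn>
</pfsense>"""


def audit_failover(config_xml):
    """Return the items that would not follow a CARP failover to the secondary."""
    root = ET.fromstring(config_xml)
    vips = root.findall("./virtualip/vip")
    carp = [v for v in vips if v.findtext("mode") == "carp"]
    carp_ifaces = {v.findtext("interface") for v in carp}
    # Assumption: services reference a VIP as "_vip" + its uniqid.
    carp_refs = {"_vip" + v.findtext("uniqid") for v in carp}
    # Every assigned interface (VLANs included) needs its own CARP VIP.
    missing_carp = [i.tag for i in root.find("interfaces") if i.tag not in carp_ifaces]
    # An IP alias parented on a CARP VIP moves with it; one on a physical
    # interface stays on the box that owns it and is not failed over.
    stranded_aliases = [v.findtext("subnet") + "/" + v.findtext("subnet_bits")
                        for v in vips if v.findtext("mode") == "ipalias"
                        and v.findtext("interface") not in carp_refs]
    # OpenVPN bound to raw WAN only answers on the primary's own address.
    vpn_not_on_carp = [s.findtext("vpnid")
                       for s in root.findall("./openvpn/openvpn-server")
                       if s.findtext("interface") not in carp_refs]
    return {"missing_carp": missing_carp, "stranded_aliases": stranded_aliases,
            "vpn_not_on_carp": vpn_not_on_carp}


if __name__ == "__main__":
    for key, items in audit_failover(SAMPLE_CONFIG).items():
        print(f"{key}: {items or 'OK'}")
```

Run it against a backed-up config.xml instead of the sample to list what still needs a CARP VIP before enabling the secondary.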

