High Availability & Connection from Cisco 2921

  • Hi, not 100% sure if this is a hardware or CARP question, but there is more hardware in my question than CARP, so here I go.

    I have set up a pfSense box connected to a BT fibre connection (which is fed via a Cisco 2921).

    pfSense is set up within ESXi 5.5. All working fine.

    Now I have another box that I would like to set up as failover/high availability in the event the primary box fails.

    In a past life when I was doing this, the routers in question had a failover port that would pass the WAN connection through: you would plug the BT connection into WAN on router 1, then plug the bypass port on router 1 into WAN on router 2.

    In the event of issues with router 1, WAN would be fed into router 2. Job done.

    My brain is melting slightly trying to work out how best to achieve this with what I have here.

    Have had a look online about pfSense and HA, but it all tends to be about the config on the pfSense side, which I don't really have a problem with (yet).

    Appreciate any thoughts on this, maybe I am missing something.

    Have 2 x R610 boxes which have an abundance of NICs in them.

    Appreciate any advice.

  • Do you have a single network drop or two? A single public IP, or 3 or more? What level of HA would you like to maintain (e.g. how much downtime is acceptable)?

  • Not sure what you mean by network drop?

    I have one WAN connection.

    Have as many as 8 IPs I can use for this if need be.

    I just need to know how I can get one WAN feed plugged into 2 pfSense boxes using HA/CARP.

  • I meant, do you have one network cable coming out of your router or two? If this is a data centre or a Metro Ethernet drop, then many providers will give you two lines for your uplinks.

    If you only have one, then you have a couple options.

    First, the preferred option would be to land your WAN connection into a switch, then run one cable from that switch to each pfSense box. You would then use CARP on the WAN and LAN interfaces so that each system has a dedicated IP on each interface as well as a floating IP. This requires a minimum of 3 IPs on each network. If done correctly, having a pfSense box drop out results in no traffic loss, as all open states are replicated between boxes over a dedicated interface.

    Second, you can start to get tricky with bypass NICs, where your WAN drop goes into the first box on a bypass port and the other port in that pair goes to the WAN port on your second box. You're really better off not doing this, because it will lead to traffic drops while box 1 is on but not yet able to route traffic, but it is possible.

    Read this:
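    To make the "3 IPs on each network" rule and the dedicated-IP-plus-floating-IP layout concrete, here is an added worked example that is not from this thread or from pfSense itself. It plans the addresses for the WAN and LAN networks, refuses when a network cannot hold a CARP pair (e.g. a /30 WAN with the ISP gateway in it), and renders the equivalent FreeBSD rc.conf CARP and pfsync stanzas for each node in the handbook's syntax (pfSense configures the same thing through its GUI, not rc.conf). The interface names (igb0/igb1/igb2), vhids, the documentation-range addresses, the pfsync link and the password are all assumptions for the example.

```python
import ipaddress


def plan_carp_addresses(network, reserved=(), vip_first=False):
    """Return the three addresses one CARP pair needs on a network:
    a dedicated address per node plus the shared virtual IP (VIP).

    `reserved` lists addresses already in use on that network (for the WAN
    that is the ISP's gateway, here the Cisco 2921) and they are skipped.
    With vip_first=True the VIP takes the first free address, the usual choice
    on the LAN so clients keep the same default gateway whichever node is master.
    """
    net = ipaddress.ip_network(network, strict=True)
    taken = {ipaddress.ip_address(a) for a in reserved}
    free = [h for h in net.hosts() if h not in taken]
    if len(free) < 3:
        # A /30 with the gateway on it leaves one usable address: CARP is impossible.
        raise ValueError(
            f"{network} leaves {len(free)} free host address(es); "
            "CARP needs 3 (one per node plus the VIP)"
        )
    if vip_first:
        vip, primary, secondary = free[0], free[1], free[2]
    else:
        primary, secondary, vip = free[0], free[1], free[2]
    return {
        "primary": str(primary),
        "secondary": str(secondary),
        "vip": str(vip),
        "prefixlen": net.prefixlen,
    }


def render_rc_conf(node, wan, lan, wan_gateway=None, wan_if="igb0", lan_if="igb1",
                   sync_if="igb2", sync_net="10.255.255.0/30", password="changeme"):
    """FreeBSD rc.conf lines for one node ("primary" or "secondary").

    The primary advertises with advskew 0 and the secondary with advskew 100,
    so the primary wins the master election whenever it is alive; the VIP is an
    alias on the same interface, and pfsync replicates the state table over the
    dedicated sync link. Interface names, vhids, sync network and password are
    assumptions for this example.
    """
    if node not in ("primary", "secondary"):
        raise ValueError("node must be 'primary' or 'secondary'")
    advskew = 0 if node == "primary" else 100
    sync = ipaddress.ip_network(sync_net)
    sync_hosts = list(sync.hosts())
    my_sync, peer_sync = (sync_hosts[0], sync_hosts[1]) if node == "primary" \
        else (sync_hosts[1], sync_hosts[0])
    lines = [
        f"# {node} node",
        f'ifconfig_{wan_if}="inet {wan[node]}/{wan["prefixlen"]}"',
        f'ifconfig_{wan_if}_alias0="inet vhid 1 advskew {advskew} pass {password} '
        f'alias {wan["vip"]}/32"',
        f'ifconfig_{lan_if}="inet {lan[node]}/{lan["prefixlen"]}"',
        f'ifconfig_{lan_if}_alias0="inet vhid 2 advskew {advskew} pass {password} '
        f'alias {lan["vip"]}/32"',
        f'ifconfig_{sync_if}="inet {my_sync}/{sync.prefixlen}"',
        'pfsync_enable="YES"',
        f'pfsync_syncdev="{sync_if}"',
        f'pfsync_syncpeer="{peer_sync}"',
    ]
    if wan_gateway:
        lines.append(f'defaultrouter="{wan_gateway}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a /29 from the ISP with the Cisco on .1, and a /24 LAN.
    wan = plan_carp_addresses("203.0.113.0/29", reserved=("203.0.113.1",))
    lan = plan_carp_addresses("192.168.1.0/24", vip_first=True)
    for node in ("primary", "secondary"):
        print(render_rc_conf(node, wan, lan, wan_gateway="203.0.113.1"))
        print()
```

    Note that the WAN plan skips the Cisco's address, so the /29 still leaves two spare addresses after the pair, whereas a /30 raises immediately: that is the case where a single public IP forces you back to the bypass-NIC approach or a larger block from the ISP.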


  • Thanks for the reply.

    Have spoken to the ISP and they are going to come back to me on the ability to run another cable from the spare port on the Cisco.

    I will purchase a small switch to connect the WAN and the 2 x pfSense boxes to… the only issue I suppose is another single point of failure in the switch, but hey ho, that is more easily replaced than my ESXi boxes.

