Does this setup make sense? (Dual WAN, 3 pfSense boxes)

  • I currently have a single pfSense box providing routing for my dual WAN, single LAN setup.  I need to add in some redundancy, as well as creating a DMZ for my servers.

    I've also found that some server applications are really difficult to configure with the setup I have right now.  The services currently hosted include OpenVPN (through pfSense), http and ftp.  OpenVPN and http are critical services.  Would this proposed setup be advisable?

    WAN1 -> PFSense1

    WAN2 -> PFSense2

    PFSense1 -> DMZ1 (http, ftp)
    PFSense1 -> PFSense3

    PFSense2 -> DMZ2 (http, ftp) (secondary, or perhaps some sort of round robin DNS?)
    PFSense2 -> PFSense3

    PFSense3 -> LAN (desktops, samba server)

    I can see this getting a little bit complicated to set up as well, but would it presumably offer a better configuration than I have now?  The advantages over my current setup would be:
    - easier distinction of DMZ services
    - spread out hardware load

    In this type of setup, where would I be best advised to put the OpenVPN server?  I currently have this on my single PFSense router, providing access for both roaming users and remote offices.  I could envision putting it on PFSense3, and doing some sort of load balancing or round robin DNS with the two border routers - is this a good idea?
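
    A quick way to answer "does this offer better redundancy than what I have now" is to treat the diagram above as a graph and ask which single device, if it dies, cuts a segment off from both WANs. The script below is an added example, not something from the poster or the pfSense project; it encodes the links exactly as listed in the post, models the current single-box layout as a second link list (the box name `PFSense` there is assumed), and ignores routing policy, so a path counts if it exists physically.

```python
# Added example (not from the forum post): model the proposed three-pfSense
# topology as a graph and find, for each protected segment, the single devices
# whose failure leaves it with no path to either WAN.

# Links exactly as drawn in the post; treated as bidirectional.
PROPOSED_LINKS = [
    ("WAN1", "PFSense1"),
    ("WAN2", "PFSense2"),
    ("PFSense1", "DMZ1"),
    ("PFSense1", "PFSense3"),
    ("PFSense2", "DMZ2"),
    ("PFSense2", "PFSense3"),
    ("PFSense3", "LAN"),
]

# The current layout (one box, both WANs, one LAN); "PFSense" is an assumed name.
CURRENT_LINKS = [
    ("WAN1", "PFSense"),
    ("WAN2", "PFSense"),
    ("PFSense", "LAN"),
]

UPLINKS = {"WAN1", "WAN2"}           # reaching any of these counts as "on the Internet"
PROTECTED = ["LAN", "DMZ1", "DMZ2"]  # segments whose connectivity we care about


def build_adjacency(links):
    """Undirected adjacency map: node -> set of neighbours."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, failed=frozenset()):
    """Every node reachable from `start` when the nodes in `failed` are down."""
    if start in failed or start not in adj:
        return set()
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def has_uplink(adj, segment, failed=frozenset()):
    """True if `segment` can still reach at least one WAN with `failed` down."""
    return bool(reachable(adj, segment, failed) & UPLINKS)


def single_points_of_failure(links, protected=PROTECTED):
    """{segment: sorted devices whose loss alone severs that segment's uplink}.

    Segments not present in the link list are skipped rather than reported.
    """
    adj = build_adjacency(links)
    devices = set(adj) - set(protected)
    result = {}
    for seg in protected:
        if seg not in adj:
            continue
        result[seg] = sorted(
            d for d in devices if not has_uplink(adj, seg, frozenset({d}))
        )
    return result


if __name__ == "__main__":
    for name, links in (("current", CURRENT_LINKS), ("proposed", PROPOSED_LINKS)):
        print(f"{name} layout:")
        for seg, spofs in single_points_of_failure(links).items():
            print(f"  {seg}: loses Internet if {spofs or 'nothing single'} fails")
```

    Run as-is it reports that in the proposed layout the LAN still depends on a single box (PFSense3), each DMZ depends on its own border router, and only the WAN links themselves are redundant; in the current layout the one box is the single point of failure for everything. That is the trade-off the CARP suggestion in the next reply is addressing: the third box moves the LAN's single point of failure rather than removing it.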

  • I would go with 2 pfSense boxes running as CARP cluster (if you have enough public IPs, each system needs a real IP additional to the virtual IPs, so that would make at least 3 public IPs per WAN).

  • What is the advantage of using 2 w/ CARP over the setup illustrated above?  I assume I would lose the ability to have a transparent proxy, but I'm not sure what I gain by using 2 w/ CARP (other than needing one less server)
