Does this setup make sense? (Dual WAN, 3 pfSense boxes)
I currently have a single pfSense box providing routing for my dual WAN, single LAN setup. I need to add in some redundancy, as well as creating a DMZ for my servers.
I've also found that some server applications are really difficult to configure with the setup I have right now. The services currently hosted include OpenVPN (through pfSense), http and ftp. OpenVPN and http are critical services. Would this proposed setup be advisable?
WAN1 -> PFSense1
WAN2 -> PFSense2
PFSense1 -> DMZ1 (http, ftp)
PFSense1 -> PFSense3
PFSense2 -> DMZ2 (http, ftp) (secondary, or perhaps some sort of round robin DNS?)
PFSense2 -> PFSense3
PFSense3 -> LAN (desktops, samba server)
I can see this getting a little bit complicated to set up as well, but would it presumably offer a better configuration than I have now? The advantages over my current setup would be:
-easier distinction of DMZ services
-spread out hardware load
In this type of setup, where would I be best advised to put the OpenVPN server? I currently have this on my single PFSense router, providing access for both roaming users and remote offices. I could envision putting it on PFSense3, and doing some sort of load balancing or round robin DNS with the two boarder routers - is this a good idea?
I would go with 2 pfSense boxes running as CARP cluster (if you have enough public IPs, each system needs a real IP additional to the virtual IPs, so that would make at least 3 public IPs per WAN).
What is the advantage of using 2 w/ CARP over the setup illustrated above? I assume I would lose the ability to have a transparent proxy, but I'm not sure what I gain by using 2 w/ CARP (other than needing one less server)