Multiple locations and MultiWAN Failover

  • Hi folks,

    here is the setup that I need to do. I hope that I can describe it as best as I can.

    I have 2 independent offices. They are 2 separate businesses and have different owners. The owners agreed to share each other's WAN connection for fail-over, in case one is down. They have different ISPs (one ADSL, the other CABLE and T1 (coming from a 3rd office, but in this scenario irrelevant)).

    So this is the setup: Office1 has ADSL. Office2 has CABLE and T1 (from 3rd office as failover).

    Now, I have set up in Office2 the failover between the 2 WAN connections, and that is working well.
    I need to tie in Office1 to also share the WAN connections of Office2. Also, Office2 will need to be able to use the WAN of Office1 in case the 2 WAN connections of Office2 fail.

    As far as I know, I can do this with VLANs on the respective firewalls and pass the traffic thru to the other pfsense box (in both cases). But one thing I am not sure about: how do I handle the NAT? I want to avoid double NAT at all cost (because of VoIP). Both providers (ADSL and CABLE) will give me a second Dynamic IP.

    I hope that I explained my scenario and that it's understandable. Any ideas?

    Just to explain, the area where the offices are, is old, and both internet connections (more so the ADSL) are not stable. Since I am supporting both locations, I wanted to minimize the downtime for them. They are dependent on the internet connections to do their work.

    I hope somebody can give me some pointers, maybe even a how to …


  • I assume they are in the same physical location or close enough to share LANs.

    I have a similar setup using one pfSense installation and 4 NICs.  Two WAN NICs and two LAN NICs.  Each LAN is different and cannot communicate with the other, however, they have independent WANs when both are up, but both share WANs if and only if there is a member down situation.

    If you require incoming connections (like a VPN or web server), it gets a lot more complicated, but not impossible.

  • Hi,

    the offices are almost side by side. A cable is already in place.

    The problem is, they want to have their own separate routers. If there is an event where they have to disconnect from the other office for whatever reason, they can just unplug a cable.

    If it were just one pfsense box, that would have been a walk in the park, but with 2 pfsense boxes, I am not sure. My problem is, I have to avoid NATing and make sure that all ports are passed thru if a failover event occurs.

    Is it possible (I am confident that pfsense can do this with ease, I am just not capable to use the "pfsense-tool" properly … yet) and if so, how?

    If anything is unclear, please ask (I just added a schematic to my original post, hope that helps).

    I am hoping to get a few replies, thanks in advance!!!  8)



  • You can designate the link between the routers as WAN2 for both of them with a member down group rule.  Then create a firewall rule that allows traffic through WAN2 to either side's WAN but not their LAN.

    It'll take a few minutes of planning, but that's how I would approach it.  It's less a pfSense failover and more of a link failover.  This allows both routers to be independent of each other and route traffic appropriately.

    I have been thinking about the setup of WAN2 and rules. I think I can make this work, I hope. A bit of trial and error.

    One thing is not clear to me: even if I set it up as Tim suggested, will the traffic not be NAT'd before it reaches the second router (in case of failover) and then get NAT'd again?


  • Hi,


  • You may have a double-NAT situation.  I don't have as much time as I'd like to dedicate answering your question, but IMHO I would look at how you can create a route to the failed router traffic across that link and then directly out the WAN2 link w/o NATing.
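Putting the two suggestions above together (the link between the routers treated as a second WAN with a "member down" gateway group, plus routing the partner's traffic across the link without translating it), the ruleset below is an added illustration of what Office1's router ends up doing, not configuration from any poster or from pfSense itself. pfSense generates its pf rules from the GUI; this is the hand-written pf.conf equivalent. Interface names, the LAN and link subnets, and the ADSL gateway address are constructed placeholders.

```pf
# Office1 router (constructed example). Interface names are assumptions.
ext_if  = "em0"   # WAN: ADSL, dynamic address
lan_if  = "em1"   # Office1 LAN
link_if = "em2"   # cable to Office2's router ("WAN2" in the thread)

lan_net   = "192.168.1.0/24"   # Office1 LAN (constructed)
peer_net  = "192.168.2.0/24"   # Office2 LAN (constructed)
link_net  = "10.10.10.0/30"    # point-to-point link (constructed)
peer_link = "10.10.10.2"       # Office2 router's address on the link
adsl_gw   = "203.0.113.1"      # placeholder; really learned via PPPoE/DHCP

# --- Translation ---------------------------------------------------------
# Only the real WAN translates. Traffic that leaves over the link keeps its
# original LAN source address, so Office2's router applies the one and only
# NAT on its own WAN. The same nat rule also covers Office2's LAN when its
# traffic arrives here over the link during Office2's failover.
no nat on $link_if from $lan_net to any
nat on $ext_if from { $lan_net, $peer_net } to any -> ($ext_if)

# --- Filtering -----------------------------------------------------------
block all
pass out all keep state

# Normal path: policy-route LAN traffic out ADSL. In pfSense this route-to
# comes from a gateway group (ADSL tier 1, link tier 2, trigger "Member
# Down"); gateway monitoring swaps the target to ($link_if $peer_link) when
# ADSL is marked down. Office2's LAN is deliberately not reachable.
pass in on $lan_if route-to ($ext_if $adsl_gw) \
    from $lan_net to !$peer_net keep state

# Partner traffic arriving over the link may reach the Internet through our
# ADSL but never our LAN (the "either side's WAN but not their LAN" rule).
block in quick on $link_if from $peer_net to $lan_net
pass in on $link_if from $peer_net to any keep state

# Let the two routers talk to each other (gateway monitoring pings etc.).
pass in on $link_if inet proto icmp from $link_net to ($link_if)
```

Two things sit outside pf.conf and must be set in the router itself: a static route for `$peer_net` via `$peer_link` on the link interface (so replies to Office2's failed-over flows go back across the cable rather than out ADSL), and the mirror-image ruleset on Office2's router with the subnets swapped. Because the only translation happens at whichever router actually owns the public address in use, a VoIP flow is NAT'd exactly once in both the normal and the failover case.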
