Netgate Discussion Forum
    Firewall-Cluster / Active-Active / Link Aggregation… Questions

    General pfSense Questions
    KoalaTNR

      Hello,

      We plan to replace our current firewall / VPN with pfSense and OpenVPN. We want to install two servers as a cluster, but I have many questions.

      Is it possible to run the two firewall nodes in active-active mode, or only in active-passive (failover)?
      If active-active is possible: is it possible to load-balance connections across both firewalls (not multi-WAN load balancing)?

      FreeBSD supports link aggregation. In the WebGUI I can't set up LAGs; from the shell I can. Is it possible to use LAGs? Is LAG support
      in the WebGUI planned?

      We have many (20) VLANs, e.g. Mgmt, DMZ, Server, Backup, User-LAN1-x. Is it possible to set up a separate management IP, so that I can only configure
      the firewall from the Mgmt VLAN? Do I need VLANs, or can I also use one LAN (firewall transfer network) and set up all rules on this interface?

      Greetings
      Thomas

        GruensFroeschli

        Active-active is not available as far as I know.

        If you cannot do something in the GUI then it's not supported.
        Since you can do it from the shell it's "possible" to do it.
        But you're on your own.

        If you want to restrict access to the webGUI:
        Just create your rules so that only certain IPs / interfaces have access to the webGUI.

        Something along the lines of:
        allow
        source: LAN-subnet
        destination: "! LAN-interface" (NOT the LAN-interface)

        At the bottom of all rules is an invisible "block everything".
        So with this rule you would still allow access to everywhere (internet) except the LAN interface address.

        Use the Alias system if you have more complex destinations.

        You also might want to disable the "anti-lockout" option under Advanced, since without that pfSense would still allow access to the webGUI even if you don't have a rule that explicitly allows it.
        Just be aware that if you disable this option and you don't have a rule that allows access to the webGUI, you're locked out :)

        If you have multiple VLANs you can configure them under Interfaces -> Assign -> VLANs.
        Each VLAN appears as a separate "Interface" in pfSense.

        I don't understand what you mean by your last question.
        Maybe a diagram would help.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

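The reply above describes three things that interact: pfSense evaluates the rules on an interface top to bottom and the first match wins, an invisible "block everything" sits at the bottom, and the anti-lockout rule (when enabled) is placed above all user rules and passes traffic to the webGUI ports on the interface address. The following is an added illustration, not pfSense code or anything from the original thread: it models that evaluation order in Python and runs the suggested "LAN subnet -> ! LAN address" rule, plus an alias-based management rule, through it. All addresses, the `MGMT_ALIAS` contents, the port set and the rule labels are constructed for the example.

```python
"""First-match model of a pfSense interface ruleset (added illustration).

Not pfSense code. Addresses, alias contents and labels are constructed.
Rules are checked top to bottom; the first match decides; an implicit
"block everything" sits at the bottom; the anti-lockout rule, when
enabled, is evaluated before every user rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Tuple, Union

Addr = Union[IPv4Network, IPv4Address, str]     # the str form is only "any"

LAN_NET = ip_network("10.10.254.0/24")          # constructed: "LAN subnet"
LAN_ADDR = ip_address("10.10.254.254")          # constructed: "LAN address"
MGMT_ALIAS = (ip_network("10.0.0.0/24"),)       # constructed alias of mgmt nets
WEBGUI_PORTS = frozenset({80, 443})             # constructed webGUI ports


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    src: Tuple[Addr, ...]                       # alias: any member matches
    dst: Addr
    dst_negate: bool = False                    # the "not" (!) checkbox
    ports: FrozenSet[int] = frozenset()         # empty = any destination port
    label: str = ""


def _addr_hit(spec: Addr, ip: IPv4Address) -> bool:
    """Does a single address/network/any specification cover ip?"""
    if spec == "any":
        return True
    if isinstance(spec, IPv4Network):
        return ip in spec
    return ip == spec


def matches(rule: Rule, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    if not any(_addr_hit(s, src) for s in rule.src):
        return False
    # A hit on the destination counts as a match unless "!" is set, and a
    # miss counts as a match only when "!" is set (exclusive or).
    if _addr_hit(rule.dst, dst) == rule.dst_negate:
        return False
    return not rule.ports or port in rule.ports


# Automatic rules pfSense adds around the user ruleset.
ANTI_LOCKOUT = Rule("pass", ("any",), LAN_ADDR, ports=WEBGUI_PORTS,
                    label="anti-lockout (automatic)")
DEFAULT_DENY = Rule("block", ("any",), "any", label="default deny (invisible)")


def evaluate(user_rules, src: str, dst: str, port: int, anti_lockout: bool = True):
    """Return (action, label) of the first matching rule for one packet."""
    ruleset = ([ANTI_LOCKOUT] if anti_lockout else []) + list(user_rules) + [DEFAULT_DENY]
    s, d = ip_address(src), ip_address(dst)
    for rule in ruleset:
        if matches(rule, s, d, port):
            return rule.action, rule.label
    raise AssertionError("unreachable: the default deny matches everything")


# The rule suggested in the reply: LAN subnet may reach anything except the
# firewall's own LAN address, so internet works but the webGUI does not.
LAN_TO_NOT_FW = Rule("pass", (LAN_NET,), LAN_ADDR, dst_negate=True,
                     label="LAN net -> ! LAN address")
# An explicit webGUI allow for the management alias only, placed above it.
MGMT_TO_WEBGUI = Rule("pass", MGMT_ALIAS, LAN_ADDR, ports=WEBGUI_PORTS,
                      label="Mgmt alias -> LAN address webGUI")
HARDENED = [MGMT_TO_WEBGUI, LAN_TO_NOT_FW]

if __name__ == "__main__":
    # Constructed packets: a LAN host to the internet, to the webGUI with and
    # without anti-lockout, and a management host to the webGUI.
    print(evaluate([LAN_TO_NOT_FW], "10.10.254.10", "203.0.113.7", 443))
    print(evaluate([LAN_TO_NOT_FW], "10.10.254.10", "10.10.254.254", 443))
    print(evaluate([LAN_TO_NOT_FW], "10.10.254.10", "10.10.254.254", 443, anti_lockout=False))
    print(evaluate(HARDENED, "10.0.0.5", "10.10.254.254", 443, anti_lockout=False))
    print(evaluate(HARDENED, "10.10.254.10", "10.10.254.254", 443, anti_lockout=False))
```

The third call is the lockout case the reply warns about: with anti-lockout disabled and only the "! LAN address" rule present, the webGUI request from the LAN falls through to the invisible default deny. Adding the management rule above it, as in `HARDENED`, keeps the management alias able to reach the webGUI while every other LAN source is still blocked.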
          KoalaTNR

          Details on my last question:

          Firewall LAN interface: 10.10.254.254
          The Layer-3 switch forwards all traffic to external destinations to the firewall LAN interface (10.10.254.254).

          Sample:
          VLAN 1  10.0.0.0 ==> 10.10.254.254
          VLAN 2  10.0.1.0 ==> 10.10.254.254
          VLAN 2  10.0.2.0 ==> 10.10.254.254
          …

          Do I need to set up separate VLANs, or can I use aliases instead?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.