Two WANs with different subnets from 2 ISPs; no balancing/fail-over
pfnoob last edited by
Hello, just a simple question as I am unable to find an answer here or in the docs (maybe someone can offer some links to this?): how can I use the same pfsense (2.2) machine for two ISPs if I got two /29 subnets from each of them? Already set up for one ISP, pfsense being the gateway, no NAT, and it is working fine.
Is this as easy as (I think it is):
- adding a second card with 2 NICs;
- plugging the second ISP in a port, the other to the switch (in a different VLAN) to get my 6 public IPs to a couple of servers;
- configure this second card with a WAN and a LAN just as in the first case, with different IPs, gateway and DNS;
- configure roughly the same firewall rules, accordingly, on this second WAN?
I am asking because I never tried it and want to be sure before I sign up with the other ISP; but I don't need fail-over or balancing (I guess, because I don't think there is an easy way without BGP in my case, please correct me if I am wrong) for those servers (DNS, web, SFTP, email, etc.). Just need the public IPs from those subnets, separated.
Also, will pfBlockerNG and snort work OK, with two WANs for both interfaces and no virtual-nothing?
Thank you. I love pfsense!
tim.mcmanus last edited by
This isn't tough.
You could do it ideally with three physical NICs on the pfSense box. WAN1, WAN2, and LAN. Both WANs will be gateways. You will need something to tell traffic to route to one or the other WAN from the LAN side, otherwise all traffic will only use one gateway unless you only expect incoming traffic, in which case incoming from either WAN to a LAN address would mean that the traffic would route back out the incoming WAN.
I don't think you will have ANY joy if you tried to BGP advertise a /29 anyway.
Sounds like you're talking about routed subnets. That would be four interfaces. The two ISP interfaces (/30s?) and the two /29s.
As stated, you can do this with one pfSense. You would need to policy-route out the proper WAN port or you could NAT out either.
Note that there is nothing stopping you from using NAT for outbound traffic from one provider's IP addresses to the other's in a failover, emergency situation. You could:
ISP 1 addresses out ISP 1's WAN - No NAT
ISP 1 addresses out ISP 2's WAN - NAT
And vice versa. Nothing you can do about inbound connections other than change DNS.
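An added illustration of the two paths described above (policy-route each /29 out its own provider's WAN with no NAT, and NAT only in the emergency case where one provider's addresses leave through the other's uplink), written as a raw pf ruleset of the kind pfSense generates rather than as GUI entries. It is not from the thread; interface names, addresses and gateways are placeholders.

```pf
# Constructed example: four interfaces, two ISP uplinks and two routed /29s.
# All names and addresses are placeholders (documentation ranges).
wan1 = "igb0"            # ISP 1 uplink (the /30 side)
wan2 = "igb1"            # ISP 2 uplink
lan1 = "igb2"            # ISP 1's routed /29 lives behind this port
lan2 = "igb3"            # ISP 2's routed /29 lives behind this port
gw1  = "198.51.100.1"    # ISP 1 next hop
gw2  = "203.0.113.1"     # ISP 2 next hop
isp1_net = "192.0.2.0/29"   # /29 routed by ISP 1
isp2_net = "192.0.2.8/29"   # /29 routed by ISP 2

# Translation rules must precede filter rules in pf.conf. This pair is the
# "ISP 1 addresses out ISP 2's WAN - NAT" emergency path: left commented out,
# enabled only when ISP 1 is down (and the matching route-to below is swapped).
# nat on $wan2 from $isp1_net to any -> ($wan2)

# Normal path, no NAT: each /29 is forced out the WAN of the ISP that routed it.
# Without route-to the default gateway would carry both subnets out one uplink,
# and the other provider's source addresses would be dropped as spoofed there.
pass in quick on $lan1 route-to ($wan1 $gw1) from $isp1_net to any keep state
pass in quick on $lan2 route-to ($wan2 $gw2) from $isp2_net to any keep state
# Emergency variant for ISP 1 hosts (use together with the nat rule above):
# pass in quick on $lan1 route-to ($wan2 $gw2) from $isp1_net to any keep state

# Inbound: only the published services, per WAN. reply-to sends the replies
# back out the uplink the request arrived on instead of the default route.
pass in on $wan1 reply-to ($wan1 $gw1) proto tcp from any to $isp1_net port { 22, 25, 53, 80, 443 } keep state
pass in on $wan1 reply-to ($wan1 $gw1) proto udp from any to $isp1_net port 53 keep state
pass in on $wan2 reply-to ($wan2 $gw2) proto tcp from any to $isp2_net port { 22, 25, 53, 80, 443 } keep state
pass in on $wan2 reply-to ($wan2 $gw2) proto udp from any to $isp2_net port 53 keep state

# Anti-spoofing: our own /29s can never legitimately arrive from outside.
block in quick on $wan1 from { $isp1_net, $isp2_net } to any
block in quick on $wan2 from { $isp1_net, $isp2_net } to any
```

In pfSense these correspond to the per-interface gateway selection on the LAN rules, the "reply-to" behaviour applied to WAN rules by default, and a manual outbound NAT entry for the emergency case.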