Two internet connections into two Pfsense failover box



  • I currently have two internet lines and using a router that can accept two WAN. Now I want to convert to using two pfsense box for failover.

    My question: is it possible to hook up modem1 into both pfsense routers at the same time, and also hook up modem2 into the other pfsense box, then set up sync between the two pfsense routers? The modems only have 1 port, so I'm not sure if using a switch to get more ports would work.



  • Yes, you can use a switch between the modem and your firewalls. You could vlan a single switch for both WANs, if you wanted. The sync could be a crossover.


  • LAYER 8 Netgate

    To do this properly you would need at least three public IP addresses from each provider on each modem (Usually a /29).  Yes, a switch would be better.  You could get a small, managed switch and put three ports on a blank VLAN for one provider and three ports on another blank VLAN for the other.

    I would recommend you get the pfSense book (included with gold membership) if you are going to set up pfSync/HA/CARP.

    SEE ALSO: https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)



  • Thank you for the replies. My internet provider only gives me 1 public IP per line, so is there any way around this 3 public IP requirement for each CARP node?

    So for this to work, I would need a managed switch with at least 6 physical ports, correct? 2 ports for the 2 modems, and 4 ports going into the two pfsense routers.

    I'd gladly buy that pfsense instruction book, but I'd like to first know if my situation is possible with only 1 public IP for each connection.


  • LAYER 8 Netgate

    On 2.2.X It is apparently possible to use private IP addresses on the interfaces and the single public as the CARP IP address but it breaks a bunch of things like the secondary being able to resolve names, get updates, etc while it is the backup node (because it doesn't have a public IP address on WAN at the time).

    Edited: s/2.3.X/2.2.X/



  • @Derelict:

    On 2.3.X It is apparently possible to use private IP addresses on the interfaces and the single public as the CARP IP address

    Thank you, this is awesome. I'll go ahead and proceed with setting up this dual WAN/pfsense configuration.

    but it breaks a bunch of things like the secondary being able to resolve names, get updates, etc while it is the backup node (because it doesn't have a public IP address on WAN at the time).

    I'll have my own separate DNS/DHCP and domain controller server, so pfsense will not be handling this. It's really meant to be only a firewall and failover internet connection. So to confirm, even with 1 public IP per line, I'll still be able to get uninterrupted internet connection for the whole network if the primary pfsense box fails, correct?


  • LAYER 8 Netgate

    Other people who have done it might be better-suited to respond.  I did it in a lab just to see if it was possible and it seemed to work.

    If it's important enough to need redundancy/failover it seems it would be important enough to do correctly by getting /29s from your providers.



  • You can do it in 2.2.2 I had it in production for a bit, but you can't do failover properly- apinger sources from the bogus IP. I had to mark it up and manually fail over. Ended up getting more IPs and putting in a feature request to be able to point apinger to the CARP IP.


Log in to reply