Loadbalance / CARP over WAN (different GEO locations)

  • Greetings,

    I would like to load balance / fail over my EMAIL SPAM FIREWALLS between two geographical locations.

    Setup / What I have to work with:

    • Sites are redundant (PRIMARY & Secondary)

    • Both sites have a pair of pfSense firewalls in CARP configuration (local)

    • Email SPAM firewalls are on the WAN side of the pfSense boxes

    Now, since both locations already have CARP set up, could I load balance a single VIP between locations over the WAN? The VIP would be specifically for the EMAIL SPAM firewalls.

    Thoughts on how best to do this…? Oh, and it's worth noting that the EMAIL firewalls do NOT have to stay on the WAN side if that makes it easier.

    Thanks ahead of time


  • Depends on how your routing works. Generally speaking, no, not without source NAT to one side or the other (which is bad for anti-spam appliances), and not in a way that's geographically redundant, when using a single public IP. Multiple MXes with separate IPs is the best if not only option for redundancy. There are options, tends to get complex though. Probably more than you'll find reasonable help with on a forum because of the complexity. Would be a good fit for professional services.
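
The multiple-MX approach from the reply above, shown as an added example that is not part of the thread: a simulation of how a sending mail server picks between two sites' MX records (lowest preference first, random order among equal preferences, per RFC 5321 section 5.1). The host names and addresses are constructed placeholders, and senders are assumed to follow the RFC.

```python
import random
from collections import Counter

# Constructed records (preference, host, address); RFC 5737 documentation ranges.
MX_RECORDS = [
    (10, "mx-primary.example.com", "192.0.2.25"),
    (10, "mx-secondary.example.com", "198.51.100.25"),
]

def delivery_order(records, rng):
    """Order in which a sending MTA tries hosts: lowest preference
    first, random order among hosts that share a preference."""
    by_pref = {}
    for pref, host, addr in records:
        by_pref.setdefault(pref, []).append((host, addr))
    order = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        order.extend(group)
    return order

def deliver(records, reachable, rng):
    """Return the host that accepts the message, or None if every site is down."""
    for host, _addr in delivery_order(records, rng):
        if host in reachable:
            return host
    return None

def simulate(records, reachable, messages=10000, seed=1):
    """Count which site receives each of `messages` simulated deliveries."""
    rng = random.Random(seed)
    return Counter(deliver(records, reachable, rng) for _ in range(messages))

if __name__ == "__main__":
    both = {"mx-primary.example.com", "mx-secondary.example.com"}
    # Equal preference: inbound mail is shared between the two sites.
    print("both sites up:    ", dict(simulate(MX_RECORDS, both)))
    # One site unreachable: senders retry against the other MX.
    print("primary site down:", dict(simulate(MX_RECORDS, {"mx-secondary.example.com"})))
    # Preferences 10/20: the secondary only receives mail when the primary is down.
    failover = [(10, *MX_RECORDS[0][1:]), (20, *MX_RECORDS[1][1:])]
    print("10/20, both up:   ", dict(simulate(failover, both)))
```

Because each site answers on its own public IP, the spam firewalls see the real sending address without source NAT.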

