pfSense vs Cisco 1811 for remote link failover

  • Hey all, I love my pfsense boxes, but have run into a bit of a problem. I've attached a CRUDE image below. The blue network is the LAN. Forgive my artistic failings, I'm an IT Manager.

    Current Situation
    We have a main office, and a dedicated fiber remote link to a data centre. In the main office, the remote link is just patched straight into a switch, and the data centre end is viewed as part of the LAN. There's no routing device needed at present, on the main office side.
    In the data centre, the remote link connects to a pfsense box, which has an IP in the LAN as stated above. There's also a protected network, for our web servers, as well as a connection to the internet.

    This works wonderfully, except that we've had some provider problems with the fiber link lately, and need a failover option, in case the fiber is down.

    Proposed Situation
    A company has proposed that I use Cisco 1811 devices at either end of the link, which would handle the failover to a VPN connection. However, I was hoping I could accomplish this using pfSense boxes instead. I'd obviously need one on the main office side (where we currently don't need one) that would handle the failover from that side, and the box in the data centre (or a second box) would be needed to fail over from that side.

    I'm just not sure how to configure the failover, whether the pfSense load balancer can handle failing over to a VPN, and so on. Can any of you wise folk share your advice?
    [Attachment: new remote link failover.JPG]

  • Any takers? The complications I can see involve making the process transparent.

    I could use 2 pfsense boxes, at either end…

    One is the main gateway, and has a WAN line that goes to the remote link. The second WAN line goes to the second pfSense, which dials the VPN connection. That way it could balance between the two. However, at the data centre location, I don't know how to load balance, as we're essentially looking at load balancing on the LAN interface rather than with WANs.

  • Bump. Any help? Thanks guys.

    Well, I "think" it should just be possible with the current load balancer/failover pools.

    If you read this thread: ,9422.0.html
    I describe a way to add gateways that are not in the dropdown list.
    The primary entry would be the other side of the fiber-connection.
    The secondary entry would be the other side of the VPN connection.
    As monitor IP you just set the other end of the respective connection.

    Maybe you could just test it first with two pfSenses?

    Also, I'm not sure if there are some problems.
    I've read a few threads about problems with failover, that it doesn't fall back after the primary connection comes back.
    Although I suspect the people reporting the problem expected that existing states over the backup tunnel would get redirected to the main connection after the main connection comes back up.
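To make the tiered-gateway logic in the post above concrete, here is an added example (not pfSense code and not written by anyone in the thread): a small model of a failover pool with a primary gateway (the far end of the fiber), a backup gateway (the far end of the VPN), a monitor IP per gateway, and the state-stickiness behaviour the poster describes, where flows already established over the backup tunnel stay there after the primary recovers unless their states are flushed. The gateway names, monitor addresses, the three-probe failure threshold and the flow identifiers are all constructed for the example.

```python
"""Toy model of a two-tier failover pool (fiber primary, VPN backup).

Added example; it is not pfSense code.  Addresses, names and thresholds
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Gateway:
    """One pool entry: a next hop plus the monitor IP that decides its health."""
    name: str
    tier: int                 # 1 = primary (fiber far end), 2 = backup (VPN far end)
    monitor_ip: str           # the other end of the respective connection
    fail_threshold: int = 3   # consecutive lost probes before the gateway is marked down
    lost: int = 0
    down: bool = False

    def probe(self, reachable: bool) -> None:
        """Feed one monitor result (True = monitor IP answered).

        A single successful probe clears the down flag; a real monitor would
        normally require several, but the recovery behaviour is the same."""
        if reachable:
            self.lost = 0
            self.down = False
        else:
            self.lost += 1
            if self.lost >= self.fail_threshold:
                self.down = True


class FailoverGroup:
    """Lowest tier that is up carries new flows.  An existing flow keeps the
    gateway its state was created on for as long as that gateway is up, which
    is why traffic that failed over to the VPN does not move back by itself."""

    def __init__(self, gateways: List[Gateway]) -> None:
        self.by_name: Dict[str, Gateway] = {g.name: g for g in gateways}
        self.order = sorted(gateways, key=lambda g: g.tier)
        self.states: Dict[str, str] = {}   # flow id -> gateway name

    def active(self) -> Optional[Gateway]:
        """Preferred usable gateway, or None if every entry is down."""
        for g in self.order:
            if not g.down:
                return g
        return None

    def route(self, flow: str) -> Optional[str]:
        """Return the gateway used for a packet belonging to `flow`."""
        current = self.states.get(flow)
        if current is not None and not self.by_name[current].down:
            return current            # sticky: existing state survives primary recovery
        gw = self.active()
        if gw is None:
            self.states.pop(flow, None)
            return None
        self.states[flow] = gw.name   # new state (or re-created after its gateway failed)
        return gw.name

    def flush_states(self) -> None:
        """Drop all states so the next packet of each flow is re-evaluated;
        this is what a 'fall back to primary' expectation actually requires."""
        self.states.clear()


def simulate() -> List[Optional[str]]:
    """Walk through fiber loss, failover, fiber recovery and an explicit flush."""
    fiber = Gateway("FIBER", tier=1, monitor_ip="10.0.0.2")      # constructed
    vpn = Gateway("VPN", tier=2, monitor_ip="10.255.0.2")        # constructed
    grp = FailoverGroup([fiber, vpn])
    log: List[Optional[str]] = []

    log.append(grp.route("A"))          # both up: flow A takes the fiber
    for _ in range(3):                  # fiber monitor IP stops answering
        fiber.probe(False)
        vpn.probe(True)
    log.append(grp.route("A"))          # fiber down: A is re-created over the VPN
    log.append(grp.route("B"))          # new flow during the outage: VPN
    fiber.probe(True)                   # fiber monitor answers again
    log.append(grp.route("C"))          # new flow after recovery: fiber
    log.append(grp.route("A"))          # A is still on the VPN (state is sticky)
    grp.flush_states()
    log.append(grp.route("A"))          # after a flush A moves back to the fiber
    return log


if __name__ == "__main__":
    print(simulate())
```

The sequence `FIBER, VPN, VPN, FIBER, VPN, FIBER` is the point: new flows follow the preferred gateway as soon as its monitor IP is reachable again, but flows already running over the backup tunnel only move once their states are cleared, which is the behaviour the threads about "not falling back" most likely describe.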
