Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense vs cisco 1811 for remote link failover

    Routing and Multi WAN
    2
    4
    1994
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tacfit
      last edited by

      Hey all, I love my pfsense boxes, but have run into a bit of a problem. I've attached a CRUDE image below. The blue network is the LAN. Forgive my artistic failings, I'm an IT Manager.

      Current Situation
      We have a main office, and a dedicated fiber remote link to a data centre. In the main office, the remote link is just patched straight into a switch, and the data centre end is viewed as part of the LAN. There's no routing device needed at present, on the main office side.
      In the data centre, the remote link connects to a pfsense box, which has an IP in the LAN as stated above. There's also a protected network, for our web servers, as well as a connection to the internet.

      This works wonderfully, except that we've had some provider problems with the fiber link lately, and need a failover option, in case the fiber is down.

      Proposed Situation
      I've been proposed by a company to use Cisco 1811 devices at either end of the link, that will handle the failover to a VPN connection. However, I was hoping I could accomplish this using pfsense boxes instead. I'd obviously need one in the main office side (where we currently don't need one) that would handle the failover from that side, and the box in the data centre (or a second box) would be needed to failover from that side

      I'm just not sure how to configure the failover, whether the pfsense load balancer can handle failing over to a VPN, and so on. Can any of you wise folk share your advise?
      ![new remote link failover.JPG](/public/imported_attachments/1/new remote link failover.JPG)
      ![new remote link failover.JPG_thumb](/public/imported_attachments/1/new remote link failover.JPG_thumb)

      1 Reply Last reply Reply Quote 0
      • T
        tacfit
        last edited by

        Any takers? The complications I can see involve making the process transparent.

        I could use 2 pfsense boxes, at either end…

        1 is the main gateway, and has a WAN line that goes to the remote link. The second WAN line goes to the second pfsense, which dials the VPN connection. That way it could balance between the two. However, at the data centre location, I don't know how to load balance as we're essentially looking at load balancing on the LAN line interface, rather than with WANs.

        1 Reply Last reply Reply Quote 0
        • T
          tacfit
          last edited by

          Bump. Any help? Thanks guys.

          1 Reply Last reply Reply Quote 0
          • GruensFroeschliG
            GruensFroeschli
            last edited by

            Well i "think" it should just be possible with the current loadbalancer/failover pools.

            If you read this thrad:
            http://forum.pfsense.org/index.php/topic,9422.0.html
            I describe a way to add gateways that are not in the dropdown list.
            The primary entry would be the other side of the fiber-connection.
            The secondary entry would be the other side of the VPN connection.
            As monitor IP you just set the other end of the respective connection.

            Maybe you could just test it first with 2 pfSenses?

            Also i'm not sure if there are some problems.
            I've read a few threads about problems with failover, that it doesnt fall back after the primary connections comes back.
            Although i suspect the people reporting the problem expected that existing states over the backup tunnel get redirected to the main-connection after the mainconnection-comes back up.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            1 Reply Last reply Reply Quote 0
            • First post
              Last post