2 pfSense boxes / 2 ISP connections / CARP on LAN Setup



  • Been working on this for a week or so and looking for advice OR a link if someone knows a different search term for this.

    We are replacing two Cisco boxes with two pfSense boxes and need to replicate the functionality of the failover. I have the LAN side done with CARP and it works. However, I am having issues with the WAN side. The current Cisco setup has the CABLE WAN on one and the DSL WAN on the other. They use VRRP on the LAN side and then tracking to monitor the WAN connection, and the Cisco will fail over to the second router/WAN when the primary WAN connection goes down. Both ISP connections have a single assigned IP, so we can't do CARP on WAN.

    CABLE WAN -> PRIMARY CISCO -> VRRP LAN -> LAN
    DSL WAN -> SECONDARY CISCO -> VRRP LAN -> LAN

    I am hoping to configure the same setup with pfSense, but I'm not sure how to configure the WAN failover - if we were using only one box that would be easy. I saw a post about splitting the Ethernet connection from the modems and plugging into each router, which would work I think, but it adds a point of failure with the switch between the routers and modems that I would like to stay away from.

    So, can I have two pfSense boxes, each with a different ISP, and have them route traffic to the backup ISP if the primary goes down?

    Ideally we would have:
    LAN failure - CARP kicks in
    HARDWARE failure - CARP kicks in
    WAN failure - pfSense routes traffic over the second pfSense/WAN connection

    Hopefully this makes sense :)



  • As far as I know there is nothing in pfSense that would do specifically what you're looking for. With a CARP setup the only thing that's going to switch the firewalls is a problem with one of the CARP interfaces. The post you read about getting both firewalls on each modem is how I would do it. I'm not sure what thread you were reading, but in some scenarios you can get around the extra switches. For example, if either of the modems has more than one port you can just go direct modem to firewalls. If not, a second option can sometimes be to break a few ports off of your main LAN switch into separate VLANs for the WAN ports. That obviously depends on your switch capabilities and available ports, but with that kind of setup, if the LAN switch dies you're kinda screwed no matter what, so it's not really adding an extra point of failure.



  • That's what we did - we have two LAN switches, so we created a small VLAN (3 ports) on each switch and put CABLE on one switch and DSL on the other. We will be scheduling a maintenance window in a couple of weeks to go on site and test the various failover scenarios. For now CARP is running great, and the secondary pfSense has its WAN ports disabled until we can test fully.
