HA Physical Wiring



  • Hey guys.  Looking to set up two pfSense boxes in HA.  I have 3 ISPs, all of them only provide a single Ethernet handoff from the ONT.  They are fighting me on providing another Ethernet handoff as it's required for the 2nd pfSense box.  My question is how do most of you handle this situation?  Do most put a switch after their ONT/demarc, or are most ISPs willing to provide 2 Ethernet handoffs?

    I appreciate the input!



  • I use a switch, or, a stacked pair of switches for redundancy.

    fw = firewall
    sw = switch

    fw1 to sw1
    fw2 to sw2
    sw1 and sw2 in a switch stack.

    Then simply separate out chunks of ports using VLANs (doesn't matter what VLAN number as long as it's unique and not used elsewhere on your network), e.g.:

    WAN - sw1 ports 1-2 and sw2 ports 1-2
    Plug fw1 WAN into sw1 port 1 and fw2 WAN into sw2 port 1
    Plug ISP WAN gateway (WANgw) into sw1 port 2. If sw1 fails, you'll have to manually move the ISP WANgw to sw2 port 2.

    Rinse and repeat for WAN2

    WAN2 - sw1 ports 3-4 and sw2 ports 3-4
    Plug fw1 WAN2 into sw1 port 3 and fw2 WAN2 into sw2 port 3
    Plug ISP2 WAN2 gateway (WAN2gw) into sw2 port 4. If sw2 fails, you'll have to manually move the ISP2 WAN2 to sw1 port 4.

    Rinse and repeat for DMZ, WIFI, DMZ2, etc.

    Now, if WAN and WAN2 are used in a gateway group, called say WANgroup, with proper outbound NAT, CARP and rules using the WANgroup as the gateway outbound, then outbound internet will keep working if sw1 fails: fw1 will be offline and WAN will fail, but fw2 will take over and WANgroup will use WAN2 for outbound internet.
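As an added example (not code from the post, from pfSense or from Netgate), here is a small Python model of the wiring plan described above. It encodes the port/VLAN map the post lays out and checks which ISP gateway each firewall can still reach when a stack member dies, and what the manual "move the gateway to the other switch" step buys back. The device names (fw1, sw1, WANgw, ...) follow the post; the CARP-master rule is a constructed simplification that only looks at upstream reachability and ignores the LAN side.

```python
# Constructed wiring plan following the layout described in the post above.
# (device, interface) -> (switch, port, vlan). Assumption: a two-member stack, sw1/sw2.
PORT_MAP = {
    ("fw1", "WAN"):    ("sw1", 1, "WAN"),
    ("fw2", "WAN"):    ("sw2", 1, "WAN"),
    ("WANgw", "eth"):  ("sw1", 2, "WAN"),    # ISP1 handoff lands on sw1
    ("fw1", "WAN2"):   ("sw1", 3, "WAN2"),
    ("fw2", "WAN2"):   ("sw2", 3, "WAN2"),
    ("WAN2gw", "eth"): ("sw2", 4, "WAN2"),   # ISP2 handoff lands on sw2
}
STACK = frozenset({"sw1", "sw2"})
GATEWAYS = {"WANgw": "WAN", "WAN2gw": "WAN2"}  # gateway -> VLAN it lives in
FIREWALLS = ("fw1", "fw2")


def reachable_gateways(fw, failed_switches=frozenset(), port_map=None):
    """Return the set of ISP gateways `fw` can reach with the given switches down.

    A firewall interface reaches a gateway when both sit in the same VLAN and both
    connecting switches are alive; the stack link carries the VLAN between members,
    and a surviving member keeps working on its own if its peer dies.
    """
    port_map = PORT_MAP if port_map is None else port_map
    alive = STACK - frozenset(failed_switches)
    reachable = set()
    for (dev, _iface), (sw, _port, vlan) in port_map.items():
        if dev != fw or sw not in alive:
            continue  # not this firewall, or its switch is dead
        for gw, gw_vlan in GATEWAYS.items():
            gw_sw, _, _ = port_map[(gw, "eth")]
            if gw_vlan == vlan and gw_sw in alive:
                reachable.add(gw)
    return reachable


def carp_master(failed_switches=frozenset(), port_map=None):
    """Simplified CARP outcome: the first firewall with any upstream path wins.

    Hypothetical rule for illustration only; real CARP also depends on the LAN/sync
    side, which this model does not represent.
    """
    for fw in FIREWALLS:
        if reachable_gateways(fw, failed_switches, port_map):
            return fw
    return None


def with_gateway_moved(port_map, gateway, to_switch, to_port):
    """Model the manual step from the post: re-patch an ISP handoff to the other
    stack member on a port in the same VLAN. Returns a new map, leaving the input as-is."""
    _sw, _port, vlan = port_map[(gateway, "eth")]
    moved = dict(port_map)
    moved[(gateway, "eth")] = (to_switch, to_port, vlan)
    return moved


def failure_report(port_map=None):
    """Evaluate the usual failure scenarios and summarise who still has a way out."""
    scenarios = {
        "none": frozenset(),
        "sw1 down": frozenset({"sw1"}),
        "sw2 down": frozenset({"sw2"}),
        "both down": STACK,
    }
    return {
        name: {
            "master": carp_master(failed, port_map),
            "fw1": sorted(reachable_gateways("fw1", failed, port_map)),
            "fw2": sorted(reachable_gateways("fw2", failed, port_map)),
        }
        for name, failed in scenarios.items()
    }


if __name__ == "__main__":
    print("as wired:")
    for name, r in failure_report().items():
        print(f"  {name:10s} master={r['master']} fw1={r['fw1']} fw2={r['fw2']}")
    # After sw1 dies and WANgw is hand-moved to sw2 port 2, fw2 regains both uplinks.
    repatched = with_gateway_moved(PORT_MAP, "WANgw", "sw2", 2)
    print("after moving WANgw to sw2 port 2, sw1 still down:")
    r = failure_report(repatched)["sw1 down"]
    print(f"  master={r['master']} fw1={r['fw1']} fw2={r['fw2']}")
```

Running it reproduces the post's claim: with sw1 down, fw1 has no path at all, fw2 keeps WAN2 only, and the gateway group survives on one ISP until someone re-patches the WAN handoff to sw2. The point of putting the two handoffs on different stack members is visible in the "sw2 down" row as well, where fw1 keeps WAN; landing both handoffs on the same switch would leave one scenario with no uplink for either firewall.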


  • LAYER 8 Netgate

    Outside Switch.

    ONT <-> Switch <-> HA WAN ports.

    You don't want them doing it anyway. They'll just screw up your CARP multicasts and blame your gear (pfSense).

    The only place I was ever offered a true HA solution from the get-go was a colo at www.supernap.com.

    Stacking switches with a Multi-WAN on each stack member is about as good as you can get at the typical endpoint.

