2 ISPs, 2 pfSense routers, RIP failover

New user here. Thanks for the join. Watched many Lawrence videos but can’t find the desired solution to this. I have 2 ISPs (Comcast & Starlink). I live in an area that loses power a lot. Comcast is my primary high speed service but goes down a few hours after a power failure. I installed Starlink as a backup that works very well. These 2 services enter my property at 2 different locations ~500ft apart. I have a pfSense router for both ISPs. The router serving Comcast is the DHCP server. The router serving Starlink just forwards traffic if you use it as the host's default router. When Comcast fails, the link between the router and the cable modem stays up but reachability fails. When this happens I would like to forward all host traffic to the Starlink service. When Comcast comes back up I’d like to use that service. Currently I’m solving this only on a few hosts by changing their default gateway (static DHCP, manually, etc.) to Starlink. This works fine, but I’d like to automate it. I’d like to solve this as simply as possible. I’d rather not use VLANs, CARP, load balancing or any other complex high availability failover mechanism. I’d like to solve this using a simple routing protocol (e.g. RIP) between the 2 if possible but am open to other suggestions. The desired behavior is to have the Comcast router detect that reachability to the default route is down (using dpinger, etc.), mark the interface as down, then send host redirects to the Starlink as the default router. When reachability returns for Comcast, stop the host redirects. I’d like to use RIP in combination with something like dpinger to mark the WAN interface down. Is this possible with pfSense?

I don’t think you will be able to use 2 different pfSense firewalls and have automatic failover like you are wanting. There is great documentation on multi-WAN setups and HA setups with multi-WAN. The simplest solution is to set up a single firewall and configure a gateway group and set the gateway group as the gateway in your interface rules. You can set which WAN in your gateway group to make sure your primary is always Comcast.

Tom has a great video on how this is done. (It says load balancing but he goes over regular failover)

This would make things a lot easier if you just had one router for both ISPs. Is this a possibility? I know this doesn’t answer your question, but just tell us if it’s possible to consolidate that. Fail-over would be a lot simpler to configure. Yes, you can do this with two pfSense routers, contrary to the other comment, but man are you going to add so much unneeded complexity.

Thanks for the responses. Unfortunately the service entrances for Comcast and Starlink are ~500ft from each other in separate buildings connected by a wifi beam on the same broadcast domain. I could probably use a single pfSense router and cobble together a VLAN to the Starlink router and use an HA setup, but I was hoping to avoid doing this. I think this can be done with something like ICMP host redirects to a secondary default gateway in the case when reachability for the primary default gateway (Comcast) goes down.

Are devices accessing each router from either building? Or is it just the Starlink that’s 500ft away in a separate building?

All hosts in all buildings (4) can access both routers. The way I solve the problem now is when there’s a Comcast failure, I modify the static DHCP leases for hosts (computers, phones, etc.) that need access via Starlink, add the IP address of the Starlink router in the gateway field and renew the lease. DNS IP addresses are fixed to well known DNS servers. This works fine because there’s only a handful of devices, but it would be nice to automate it.

I have done some experimenting with something like this, because I’d like to find a way to do a degenerate form of HA when I can’t get enough WAN IPs for CARP. The idea is to have one ISP per firewall, primary and failover (not load balanced) and cross-route traffic over what would be the SYNC connection when needed. I haven’t had a chance to get too far, but I did verify the ability to do basic multi-wan in that configuration.

In your case you simply create a manual gateway on the primary firewall pointing at the secondary over the main LAN, then set up a multi-WAN failover using the main ISP and the new gateway. All clients point to the primary firewall. This way you’re only using the one site link, and while traffic from the remote (Starlink) end will traverse it twice in the case of a main WAN failure, it’s of course limited to the Starlink bandwidth (x2) anyway.
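The gateway-group behaviour the two replies above rely on (tiered gateways, a monitored IP per gateway, a trigger level that decides when a member counts as failed) can be modelled in a few lines. This is an added example written for this thread, not pfSense code; the loss and latency thresholds are pfSense's default dpinger settings, the gateway names and probe samples are constructed, and the point it illustrates is that a WAN whose link stays up but whose monitor IP stops answering is marked down purely from probe loss, which is exactly the Comcast failure described in the question.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# dpinger thresholds as shipped in pfSense's default gateway settings
LOSS_WARN, LOSS_ALARM = 10.0, 20.0      # percent of probes lost
LAT_WARN, LAT_ALARM = 200.0, 500.0      # average RTT in milliseconds

@dataclass
class Gateway:
    name: str
    tier: int            # gateway-group tier; lower is preferred
    rtts: list           # one entry per probe to the monitor IP; None = no reply

    def loss_pct(self) -> float:
        return 100.0 * sum(r is None for r in self.rtts) / len(self.rtts)

    def avg_rtt(self) -> Optional[float]:
        replies = [r for r in self.rtts if r is not None]
        return mean(replies) if replies else None

    def status(self) -> str:
        loss, rtt = self.loss_pct(), self.avg_rtt()
        if rtt is None or loss >= LOSS_ALARM or rtt >= LAT_ALARM:
            return "down"
        if loss >= LOSS_WARN:
            return "loss"
        if rtt >= LAT_WARN:
            return "latency"
        return "online"

# Gateway-group trigger levels and the member states each one treats as failed
TRIGGERS = {
    "member_down": {"down"},
    "packet_loss": {"down", "loss"},
    "high_latency": {"down", "latency"},
    "packet_loss_or_high_latency": {"down", "loss", "latency"},
}

def select_gateway(gateways, trigger="member_down") -> Optional[str]:
    """Return the name of the lowest-tier gateway that is usable, or None."""
    usable = [g for g in gateways if g.status() not in TRIGGERS[trigger]]
    return min(usable, key=lambda g: g.tier).name if usable else None

if __name__ == "__main__":
    # Constructed probe windows: cable link up, but the monitor IP never answers
    comcast = Gateway("COMCAST_WAN", 1, [None] * 10)
    starlink = Gateway("STARLINK_GW", 2, [38.0, 41.0, 45.0, None, 40.0, 39.0, 42.0, 44.0, 37.0, 43.0])
    print(select_gateway([comcast, starlink]))   # STARLINK_GW
```

With the "Member Down" trigger a WAN with 10% loss is still preferred; switching the group to "Packet Loss" makes the same window fail over, which is the knob to tune if a flapping primary is the problem rather than a hard outage.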
