2 pfSense boxes, different ISPs, LAN failover redundancy

Hi all,

So I’m trying to wrap my head around something with pfSense.

To give some context, at home I have 2 separate ISPs with completely different static WAN subnets, served using 2 different pfSense boxes. Both those boxes have several LAN VLANs for different purposes, but the key to this discussion is that they both have a HomeLAN VLAN. What I want to do is to have failover internet for that VLAN/interface, so that if one ISP fails or the pfSense box fails, the traffic will switch to the other. I completely understand that all sessions will of course reset; this isn’t meant to be a totally seamless switch. This is the “I’m out of the city for a few days and I want to make sure the house doesn’t lose internet while I’m gone” case, and I don’t want to have to walk my wife through a physical switch-over if at all possible :wink:

Previously, when I had Cisco boxes, I used HSRP on that subnet, with trackers to monitor whether each box had connectivity to the internet. If one failed, HSRP would flip over, and obviously my workstations used the HSRP address as the gateway.

So where I’m hung up is: do I need HA for this?
If so, does the sync of virtual IPs only sync the CARP IPs? Each box has a bunch of localhost IPs for their corresponding internet subnets. And how would the LAN CARP IP know when to switch?
Or is it a gateway group? But if it is, how would you set it up across 2 boxes?

I’m sure there has to be a way to do this, but I haven’t found that nugget of documentation yet that deals with this sort of configuration. Multi-WAN on one pfSense box, sure. 2 pfSense boxes with failover for HA (like redundant firewalls), sure. But not 2 boxes with 2 different ISPs, just trying to provide failover connectivity for surfing etc.

Thanks in advance for any suggestions you may have.

Not sure if there is a way to make it work like that, as HA expects the firewalls to have the same config, with one being ACTIVE and the other being STANDBY, switching based on loss of the ACTIVE one.

Thanks for the reply, Tom.

I’ll keep digging and see what I find.

For what it’s worth, the reason they are configured that way, and not with both ISPs into one box and HA’d, is that they are PPPoE from the ISPs, so the combination of PPPoE and only a /32 on the actual interface means I can’t do the HA on the ISP side.

I’ve used the LB on pfSense with 2x PPPoE with 2x Openreach modems. Is this something you can do? And then just have a backup of the config to swap it over if pfSense goes down.
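The question about gateway groups in the opening post and the two-PPPoE load-balancing setup Barrow describes both come down to how a single pfSense box chooses which WAN carries traffic once its gateway monitor marks a member down. The following toy model is an added example, not code from the thread or from pfSense itself: it reproduces the tiered selection logic of a pfSense-style gateway group (lowest healthy tier wins; several members in one tier means load balancing, one member per tier means failover). The loss and latency thresholds are assumed to follow pfSense's default "high" limits (20 % loss, 500 ms latency), and the gateway names and monitor readings are constructed. Note that this only models one box; a gateway group cannot span two firewalls, which is why the "cold spare" suggestion below keeps both PPPoE sessions on a single pfSense.

```python
"""Added example (not from the thread): toy model of a pfSense-style
gateway group picking the active WAN(s) from gateway-monitor readings.
Thresholds are assumptions modelled on pfSense's default 'high' limits."""
from dataclasses import dataclass

# Assumed thresholds (pfSense defaults for the 'high' trigger levels).
LOSS_HIGH_PCT = 20.0
LATENCY_HIGH_MS = 500.0


@dataclass
class GatewaySample:
    name: str          # constructed gateway name, e.g. WAN_ISP1
    tier: int          # 1 = preferred, 2 = backup (lower tier wins)
    loss_pct: float    # packet loss reported by the monitor
    rtt_ms: float      # average round-trip time reported by the monitor
    link_up: bool = True   # False models a dropped PPPoE session


def gateway_is_down(g: GatewaySample) -> bool:
    """A member is considered down when its link is gone or the monitor
    crosses either high threshold ('Packet Loss or High Latency' trigger)."""
    if not g.link_up:
        return True
    return g.loss_pct >= LOSS_HIGH_PCT or g.rtt_ms >= LATENCY_HIGH_MS


def select_active(members: list[GatewaySample]) -> list[str]:
    """Return the names of the gateways that would carry traffic: every
    healthy member of the lowest tier that still has a healthy member.
    An empty list means the group has no usable gateway at all."""
    healthy = [g for g in members if not gateway_is_down(g)]
    if not healthy:
        return []
    best_tier = min(g.tier for g in healthy)
    return [g.name for g in healthy if g.tier == best_tier]


# Constructed monitor readings for a two-WAN failover group (tier 1 / tier 2).
NORMAL = [
    GatewaySample("WAN_ISP1", 1, 0.0, 12.0),
    GatewaySample("WAN_ISP2", 2, 0.0, 18.0),
]
ISP1_LOSSY = [
    GatewaySample("WAN_ISP1", 1, 35.0, 14.0),   # above the 20 % loss limit
    GatewaySample("WAN_ISP2", 2, 0.0, 18.0),
]
ISP1_PPPOE_DOWN = [
    GatewaySample("WAN_ISP1", 1, 100.0, 0.0, link_up=False),
    GatewaySample("WAN_ISP2", 2, 0.0, 18.0),
]
BOTH_DOWN = [
    GatewaySample("WAN_ISP1", 1, 100.0, 0.0, link_up=False),
    GatewaySample("WAN_ISP2", 2, 0.0, 800.0),   # link up but latency too high
]
# Same tier on both members: the load-balancing layout Barrow describes.
LB_SAME_TIER = [
    GatewaySample("WAN_ISP1", 1, 0.0, 12.0),
    GatewaySample("WAN_ISP2", 1, 0.0, 18.0),
]


if __name__ == "__main__":
    for label, members in [("normal", NORMAL), ("isp1 lossy", ISP1_LOSSY),
                           ("isp1 pppoe down", ISP1_PPPOE_DOWN),
                           ("both down", BOTH_DOWN), ("load balance", LB_SAME_TIER)]:
        print(f"{label:16s} -> active: {select_active(members)}")
```

The useful point for this thread is the last two scenarios: when both members share a tier the group spreads traffic across them, and when every member is down the group is empty, which is the moment a second physical box would have to take over and exactly what a single-box gateway group cannot do on its own.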

Sorry Barrow, I somehow completely missed this comment.

So in your design the 2nd pfSense box becomes a “cold/warm” standby, and you just upload the config in the event the first one fails? If I understand correctly?

Yea you should be able to do it like that.

So both ISPs go to 1 of the pfSense devices and the other can just be a cold spare.

Ya, that is the only way I’ve come up with too. I was trying to find a more hands-off solution, so that when I’m on the road, if something happened, I wouldn’t have to try and walk my wife or someone else through how to bring things back online. I get that it might be an odd use case.