Connecting Layer 2 Connections in Failover

Networking & Firewalls
1

Morning,

Looking for some thoughts on options to configure a setup I’m working on.

We have a site with Meraki network and we’re replacing the customers current MX and they’ll be routing via Layer 2 connections through our DC. We have a primary and backup layer 2 connection for them, but i want the traffic to route to our firewall (pfsense) on our virtualisation platform and provide failover to the site.

The site is managed office, and so there are requirements for 1:1 NAT going through this connection, so this needs to be taken into consideration. Second to that, there is also a second site with same connectivity planned, that I would be looking to manage through the same firewall so routing between the sites is possible.

I had been looking at putting in a gateway at the site to load balance the 2 layer connections, but i figure this could get messy with all the NAT requirements.

Thanks in advance, just looking for some ideas or if anyone has any experience of this sort of connectivity.

2

I am not completely clear on all what you are asking, but pfsense can be configured to route public IP’s
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

3

Sorry, that many things i’m trying to figure with this I’m getting a bit lost.

I’m interested in trying to figure out ways to make the connection from a remote site with 2 layer 2 connections to the firewall work and if anyone has any recommendations?

I have seen some stuff on LAGG and LACP to make this work. I had been looking at a Unifi Security Gateway Pro at the site with the 2 layer 2 connections as WAN ports to manage the failover. But i’m not quite sure how routing NAT 1:1 would work in that scenario, which is why i started looking at other options and the LAGG/LACP configuration could potentially be an option I guess, but a little bit above my current networking experience at present.

4

Maybe this article from the pfsense documentation will help with some ideas.
https://docs.netgate.com/pfsense/en/latest/highavailability/layer-2-redundancy.html