Network Setup with failover PFSENSE

Networking question here, it has me stumped. None of the existing firewalls have a secondary WAN2 Option.

I’m wanting to add a failover connection to my setup. Here is the current layout and new setup idea.


The pfSense box does not need to do anything other than fail over the WAN connections. I'm not worried about the VPNs not working after a failover to the second ISP. I got everything with the gateway groups configured and working. I'm mostly trying to figure out how to configure the LAN side and still pass through the statics to the existing firewalls. Any help or new ideas would be appreciated. Thanks!

I don't understand the question. If WAN1 goes down, how would the statics be handled by the second ISP for WAN2?

Just want to make sure I understand this, you have PATs or NATs configured using public IPs from ISP 1 which route through to your routers. I’m guessing when you take WAN 1 down the systems that sit behind the NAT/PAT can’t get out to the internet, correct?

After sleeping on it last night, I think a network redo is going to be the best/only option. Here is what I'm wanting to do. I was reading up on virtual IPs in pfSense and was curious if this would work. I would like to keep router 1 the main VPN (FortiClient). If correct, I should be able to push all traffic of the virtual IP to firewall 1 and keep the existing VPN/tunnels. When ISP1 goes down, then ISP2 should be next in tier but will lose VPN connections (I'm alright with that). Let me know if I'm looking at virtual IPs the wrong way.

Virtual IP has to do with two devices sharing an IP for redundancy across hardware. In your case you’ll only have the one.

Based on your diagram, though, it does look like you have NATs set up that will need to be able to fail over. I would make sure those are one way (inbound) only and you should be OK.

Well, I think I understand what you're trying to do. You'll want to configure gateway groups for failover. See Netgate's documentation: Multiple WAN Connections — Load Balancing and Failover with Gateway Groups | pfSense Documentation on how to configure it. Also, if you haven't read through this documentation: Multiple WAN Connections | pfSense Documentation, I suggest that you go through it all as it might answer a lot of your questions. Pay particularly close attention to the policy routing and Using OpenVPN with Multi-WAN sections.
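The gateway-group behaviour the reply above points to, as an added example that is not from this thread or from pfSense's own code: a small Python model of tiered failover selection using the trigger levels pfSense offers in the gateway group editor (member down, packet loss, high latency, packet loss or high latency). Gateway names, tiers and the loss/latency thresholds are constructed for the illustration; a real pfSense box gets these states from its dpinger monitors and from the per-gateway thresholds you set.

```python
"""Model of pfSense-style gateway-group failover selection (added illustration).

A gateway group lists members with a tier number. Traffic policy-routed to
the group uses the lowest-numbered tier that still has a usable member, and
the group's trigger level decides which monitor states make a member
unusable. All names and thresholds here are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class GatewayStatus:
    name: str
    loss_pct: float   # packet loss reported by the gateway monitor
    rtt_ms: float     # average round-trip time to the monitor IP
    reachable: bool   # False when the monitor IP cannot be reached at all


# Trigger levels as pfSense names them in the gateway group editor.
TRIGGERS = ("down", "loss", "latency", "loss_or_latency")


def gateway_usable(gw, trigger, loss_limit=20.0, latency_limit=500.0):
    """Return True if this gateway may still carry traffic under the given trigger level."""
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger level {trigger!r}")
    if not gw.reachable:
        return False  # "member down" excludes a gateway under every trigger level
    lossy = gw.loss_pct >= loss_limit
    slow = gw.rtt_ms >= latency_limit
    if trigger == "down":
        return True
    if trigger == "loss":
        return not lossy
    if trigger == "latency":
        return not slow
    return not (lossy or slow)  # loss_or_latency


def select_gateways(group, statuses, trigger="down"):
    """group maps gateway name -> tier. Returns the member names of the lowest
    tier that still has a usable gateway, or [] when every tier is unusable."""
    by_name = {s.name: s for s in statuses}
    for tier in sorted(set(group.values())):
        usable = [name for name, t in group.items()
                  if t == tier and name in by_name
                  and gateway_usable(by_name[name], trigger)]
        if usable:
            return usable
    return []


def egress_changes(group, before, after, trigger="down"):
    """True when a failover moved traffic to a different gateway. This is why
    existing VPN/tunnel sessions drop: packets now leave with ISP2's source
    address, which the far end does not associate with the session."""
    return select_gateways(group, before, trigger) != select_gateways(group, after, trigger)


if __name__ == "__main__":
    # Constructed example: WAN1 on ISP1 is tier 1, WAN2 on ISP2 is tier 2.
    failover_group = {"WAN1": 1, "WAN2": 2}
    healthy = [GatewayStatus("WAN1", 0.0, 20.0, True),
               GatewayStatus("WAN2", 0.0, 45.0, True)]
    isp1_down = [GatewayStatus("WAN1", 100.0, 0.0, False),
                 GatewayStatus("WAN2", 0.0, 45.0, True)]
    isp1_lossy = [GatewayStatus("WAN1", 35.0, 30.0, True),
                  GatewayStatus("WAN2", 0.0, 45.0, True)]
    print("healthy      ->", select_gateways(failover_group, healthy))
    print("ISP1 down    ->", select_gateways(failover_group, isp1_down))
    print("lossy, down  ->", select_gateways(failover_group, isp1_lossy, "down"))
    print("lossy, loss  ->", select_gateways(failover_group, isp1_lossy, "loss"))
    print("sessions break:", egress_changes(failover_group, healthy, isp1_down))
```

With the trigger left at its default of member down, a lossy-but-reachable WAN1 keeps carrying traffic; switching the trigger to packet loss is what makes the group move to WAN2 in that case, so the trigger choice matters as much as the tiers.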

Thanks, guys, for the input. Time to experiment after hours soon!