I recently set up a pair of pfSense appliances in HA in my home lab. The failover works if the primary appliance goes down, but I was wondering if I could trigger a failover if the WAN interface on the primary went down. For example, say someone unplugs a cable connected to the primary’s WAN interface. On a Cisco router, I would create a tracking object and use that to change VRRP so that the secondary router picks up the master role.
I realize that it’s less likely that only the WAN interface goes down, but I was wondering if pfSense had an answer to this. I think I could disable ‘static route configuration’ sync and do something with ‘Gateway Groups’, but I’m hoping there is a better answer.
Hi Zac123,
I agree with Tom. I don’t think you can do that.
I am curious, though, to see why you would want to fail over the whole pfSense box to another box in the event of a WAN failure, when in fact gateway groups are intended to handle the scenario you mentioned?
I have 3 lines at work and I put them into a single gateway group, which is then shared across our 2 HA pfSense boxes. In the event that one fails, our gateway group handles the failure beautifully and picks the next route down the tier list. If one of the pfSense boxes fails, then that is handled really well too and fails over to the backup.
The only thing I would mention when working with HA and multiple gateways is to remember to also assign a CARP IP to your router/WAN interfaces too, even if they are just a private IP like 192.168.1.2 etc. that then connects to your ISP router.
For example:
192.168.1.1 = ISP router
192.168.1.2 = Your CARP “virtual” IP shared between your HA pfSense boxes
192.168.1.3 = pfSense - Master
192.168.1.4 = pfSense - Backup
Also make sure you sync your states as well. That way your users won’t notice the switchover when one box fails over.
Another bit of advice is to think about your single point of failure and where you want to end that. Most ISPs only supply 1 router, so that’s usually your single point of failure, which is why we have multiple ISPs with multiple routers at our work.
We take a single cable from each pfSense box and run that directly into the ISP router.
Obviously if someone unplugs that cable, which should be super rare if you are controlling access to your critical hardware etc., then yes, that gateway goes down while your other pfSense box sees that it’s up.
I don’t think you can really get around that without using a switch in between perhaps, but then you are only moving the problem further up the line doing that and introducing another single point of failure too. Maybe consider aggregated links for your ISP router perhaps?
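The tier-based selection the reply describes, as an added example that is not pfSense’s code or the poster’s: a small Python model of how a gateway group picks the members it routes through under each of pfSense’s four trigger levels. Gateway names, monitor figures and thresholds are constructed; the trigger identifiers are just labels for the Member Down / Packet Loss / High Latency / Packet Loss or High Latency options.

```python
from dataclasses import dataclass

# Constructed thresholds standing in for pfSense's per-gateway monitor settings.
LOSS_HIGH_PCT = 20.0
LATENCY_HIGH_MS = 500.0

@dataclass
class Gateway:
    name: str        # constructed names below (pfSense would show e.g. WAN_DHCP)
    tier: int        # gateway-group tier: lower number is preferred
    online: bool     # the monitor IP answers at all
    loss_pct: float  # packet loss reported by the gateway monitor
    rtt_ms: float    # round-trip time reported by the gateway monitor

def is_usable(gw: Gateway, trigger: str) -> bool:
    """Apply one gateway-group trigger level to a member.
    A member that is down is excluded under every trigger level."""
    if not gw.online:
        return False
    lossy = gw.loss_pct >= LOSS_HIGH_PCT
    slow = gw.rtt_ms >= LATENCY_HIGH_MS
    rules = {
        "member_down": True,
        "packet_loss": not lossy,
        "high_latency": not slow,
        "loss_or_latency": not (lossy or slow),
    }
    if trigger not in rules:
        raise ValueError(f"unknown trigger level: {trigger}")
    return rules[trigger]

def active_members(gateways, trigger="member_down"):
    """Names of the members in the lowest tier that still has a usable gateway.
    Members sharing a tier are load-balanced; a tier whose members all fail the
    trigger check is skipped. An empty list means the whole group is out."""
    usable = [gw for gw in gateways if is_usable(gw, trigger)]
    if not usable:
        return []
    best = min(gw.tier for gw in usable)
    return [gw.name for gw in usable if gw.tier == best]

# Constructed sample: three lines in one group, WAN1 unplugged, WAN2 lossy.
SAMPLE = [
    Gateway("WAN1", 1, online=False, loss_pct=100.0, rtt_ms=0.0),
    Gateway("WAN2", 2, online=True, loss_pct=25.0, rtt_ms=40.0),
    Gateway("WAN3", 3, online=True, loss_pct=0.0, rtt_ms=30.0),
]
```

With the sample above, the Member Down trigger routes through WAN2, while Packet Loss skips the lossy WAN2 and drops to WAN3; the same selection runs on both HA boxes, which is why the reply says a WAN failure never needs a CARP failover.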
Thanks for the replies. This question just came out of curiosity. Until a week ago, I hadn’t played with CARP interfaces and was wondering how they compare to VRRP or HSRP. Please don’t take this as a slight against pfSense. I love my pfSense appliances, and I wouldn’t change them for anything!