pfSense High Availability with only one public IP address

Hello everyone,

I’m a student and currently learning pfSense. I found the LTS videos very useful and that’s how I found out about the forum. For my project work I’m trying to create a pfSense high availability configuration and I could use some help.

My main problem: I only get a single public IP address from my ISP. So now I am trying to cobble together a workaround…

I’m already running two functioning firewalls.
The master firewall runs virtualized with UNRAID and has an Intel i350-t4 NIC.
The backup firewall is a bare metal installation on a Fujitsu S920, also with an Intel i350-t4 NIC.

From my ISP I have a VDSL modem to which the master firewall dials in via PPPoE and gets a public IP address. But I can’t dial in simultaneously with my backup firewall to get a second public IP address. Either my modem or my ISP doesn’t support this.

And that’s where the botch starts that I’m trying to get to work… My modem is connected to a dumb switch. The WAN interfaces of both firewalls are connected to this dumb switch. The master firewall dials in via PPPoE and gets a public IP address.

On the backup firewall I configured the WAN interface as DHCP. At the same time, I am spoofing the MAC address of the master WAN interface on the backup WAN interface. Additionally, on the backup WAN interface under “Protocol Timing”, I set “timeout” to 1 second and “retry” to 1 second. That way, I hoped to achieve that the backup WAN interface will always keep asking if it can get a DHCP address.

If my master WAN interface now dials in via PPPoE, my hope was that the dumb switch would transmit the same public IP address to both WAN interfaces due to the spoofed MAC address.

Unfortunately, it isn’t working so I would like to ask if you can help me to get my botch working. Or if there is a completely different workaround to implement High Availability with only one public IP address.

Thanks in advance!

I don’t think there is a way to get that working with HA.

Thank you. That is a clear statement to work with. My next idea would be to use the ISP-provided router instead of the VDSL modem. Then the ISP router would be my gateway and I would put both my pfSense firewalls behind the ISP router with private IP addresses. The two WAN interfaces of my firewalls would then work with private instead of public IP addresses, and I would try to implement the high availability setup that way.

Is it possible to set up HA with one WAN IP? I thought not, but then I read that it’s now possible. Ideally, I would like to use bare metal as my primary pfSense box and then use a Hyper-V VM as my backup. Thank you!

This should help you understand how HA works on pfSense.

https://docs.netgate.com/pfsense/en/latest/highavailability/index.html