Hello all,
Was looking to see if there is a way to have two pfSense boxes set up where 1 is primary and 1 is secondary. I don’t necessarily need High Availability, but want the second one to be used if the 1st dies. I know High Availability for pfSense needs at least 3 static IPs, which we don’t have.
My goal is to have the following:
ISP → Unmanaged Switch → pfSense 1 & pfSense 2 → LAN Switch
For reference, these are Netgate 8200 boxes.
I’d argue that it would be simpler to take the backup of the primary using the auto config backup feature and add it to the secondary if/when it dies. Just have the spare sitting in the rack, connect it to the internet, apply the primary config and you are back up and running. About 5-10 minute downtime.
So, basically have it set up in the rack, but when internet goes down, try and have someone (non-technical) unplug the one cable from the primary, and plug it into the secondary, correct?
FYI, this customer is in the middle of nowhere, and an hour drive to get to. We might be able to label the cable to make it easier.
I mean… yeah, someone has to move the cables and it can’t be your MSP because you are an hour away. What I would do is set up the secondary to allow access to the web UI over the internet (NAT). Then when crap hits the fan have them switch over the WAN and LAN. You get access to the web UI with the public IP and apply the latest backup with the ID and keys and you are up and running again.
Trying to avoid HA but still wanting failover always ends up a bit hacky, and this thread kind of proves it. I’d probably go the same route with config backups and a cold standby, especially for a remote site. Labeling cables and keeping the swap simple feels more realistic than overengineering. Seen similar logic in Phonexa setups where simple fallback plans work better than complex automation.
In our production environment with Cisco routers, we run a mix of different configs. Our larger sites have dual routers, dual WAN circuits, and HSRP for a seamless failover if the primary route out goes down. For smaller locations with fewer users, we rely on an offline (but powered) spare, good labeling of cables and repurposing the OOB management interfaces to connect to one of our VLANs. From there, it’s fairly simple to manually sync up configs between the online router and the spare - we just have to make sure to actually do it! If a hardware failure occurs, it only takes a few minutes to swap everything over and get them back online.
Doing HA using HSRP/VRRP on the LAN side with a single WAN connection can be done cleanly, but you’d need to run it through a switch to each router and ideally have multiple public IP addresses through the provider with each router/firewall having a unique public IP. You’re still left with a couple of single points of failure, however, so keep that in mind.