pfSense in active-passive failover with single WAN?

Shad · 28 Dec 2012 at 22:39

From the information I've researched so far, I don't think this is possible to achieve with a single DHCP leased WAN IP address. But has anyone here done something like this?

My modem is connected directly to the physical switch in a VLAN, which has the LAGGs for both my ESXi hosts configured with a vSwitch in the same VLAN. pfSense is then routing between this vSwitch in the WAN VLAN to the rest of the LAN. This is working nicely and will 'failover' if I manually vMotion the pfSense VM to the other host (my ESXi hosts don't share the same hardware config or datastore so FT and automatic vMotion are out), but what would be cool is to have a pair of pfSense VMs running simultaneously sharing their config.

I'm doing this with Zen Load Balancer - when one is down the heartbeat between them fails and the remaining server automatically ups the interfaces and claims the IP addresses, and only a few packets are lost. I'd love to achieve that with pfSense too...

Any suggestions?

PistolPete · 29 Dec 2012 at 21:39

I'd start here:

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Shad · 30 Dec 2012 at 10:27

Pete, standard CARP isn't going to work with just the one WAN IP address. The question is more about achieving this by some other means that I haven't thought of/found yet

iaind · 30 Dec 2012 at 10:31

Just get a small block of static IPs from your ISP

Shad · 30 Dec 2012 at 10:37

That would be nice if the ISP wasn't Virgin Media. This is only for my home 'lab'

PistolPete · 30 Dec 2012 at 17:23

Shad said:
Pete, standard CARP isn't going to work with just the one WAN IP address. The question is more about achieving this by some other means that I haven't thought of/found yet

Worked fine for me using Virgin Media 50Mb using the example in the link I gave you. Your problem is that you are not using a router in between your modem and your kit - the cable modem is zero IP bridged so the device on LAN side of the modem gets the public IP. If you then try and move that to another device.....it wont simply wont work without a restart due to the new MAC address, which also gives you another public IP.

I used HyperV rather than ESX and I got it working with both 2x physical NIC (1 for each pfsense instance WAN port) and a physical switch as well as using virtual NICs on the same virtual switch bound to a single physical NIC. This kinda defeated the point of the CARP but then so did having them on the same HyperV host! The point was that I wanted to get it working with the limited kit I had.

EDIT: Apologies, having just found the old Visio diagram it was setup on my Plusnet ADSL line where I had a /29 assigned not my cable service which was on a different LAN subnet.

Basically, with Virgin you are kinda stuffed.

Shad · 30 Dec 2012 at 22:10

Np, thanks anyway Pete

With regards the MAC address, the WAN interface in pfSense has the MAC spoofed to match an old 10/100 NIC I first started using with NTL about 10 years ago. If there was a failover pfSense with the same MAC configured for its WAN interface then I'd have thought that would work as far as not confusing the modem?

Bit of a moot point though, I'll have to stick to migrating the VM as and when I need to. Terribly low tech :rolleyes: