pfSense – How to Set Up a High Availability Cluster

pfsenserouterswitchwan

I'm setting up a High Availability Cluster with two pfSense SG-4860 routers. I have a question about setting up the network. Here is the diagram they provide:

I have a question about the WAN part. One of their prerequisites is:

A High Availability cluster needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface. For WANs,
this means that a /29 subnet or larger is required for an optimal
configuration.

My question is: does this mean I need three external IP addresses from my ISP, or is it possible to do these internally with one external IP address from the ISP? Which would provide the best solution? I guess I'm just confused when it comes to this part of the network. Any feedback would be appreciated.

Edit:

I found this link on Super User: Can an ISP provide two static IPs over a single cable? Is this generally the way a network handles more than one IP address from an ISP?

Best Answer

The requirement is that each router have its own IP address (that's two), and there needs to be a virtual IP address (that makes three). If you are doing this on the public side, you will need three public addresses from your ISP, and that will require a maximum mask length of /29 since /30 will only give you two usable addresses.

I'm not sure what you mean by, "routing these to the switch," since switches don't know anything about IP addresses or routing.

Related Solutions

Cisco PBR verify-availability with interface instead of next-hop

As discussed in chat, PBX / SIP traffic is unique to an IP host route in your case. Therefore, you can remove PBR and use tracking objects on overlapping static routes, which go out different dialer interfaces to solve the problem.

ip route 89.123.45.10 255.255.255.255 Dial0 track 1 1 name PBX_Pri
ip route 89.123.45.10 255.255.255.255 Dial1 track 2 10 name PBX_Bak
ip route 0.0.0.0 0.0.0.0 Dial 1 track 2 1 name Data_Pri
ip route 0.0.0.0 0.0.0.0 Dial 0 track 1 10 name Data_Bak

Pfsense and two networks

Does my default WAN port need to connect to a WAN port?

No, you don’t need to. WAN, in this sense, is just blocking inbound requests by default. I’ll assume the reason you’re using pfSense is to perform routing functions between those 2 networks (?). If you aren’t using it for any real firewall functions, then you would be alright to, technically, just use multiple LAN interfaces.

I assume routers in order to connect to each other requires a WAN to WAN connection?

I’m not entirely sure what you mean. If you are talking about needing to connect pfSense to your ISP connection, then no.

Remember one persons WAN is anthers LAN. In this sense, your Cisco Firewall’s WAN is the ISP, and it’s LAN is everything behind it. Your pfSense’s WAN is the Cisco Firewall, and it’s LAN is all networks residing behind it.

Best Answer

Related Solutions

Cisco PBR verify-availability with interface instead of next-hop

Pfsense and two networks

Related Topic