I have two Linux box running PFsense, one of them is a master and the other one is a backup.
The master is having IP 192.168.1.2 and backup is having IP 192.168.1.3. I have created a VIP
192.168.1.1 which is the default gateway for all the systems in the LAN.
In both master and backup I have two interfaces WAN1 and WAN2 which connects to two other Linux machines (not running PFSense) which in turn connects to the ISP's. I have created gateway groups for load-balancing and failover.
All the systems in LAN is able to access internet even if any of the ISP system or the firewall system (PFSense) goes down. The below architecture works great for load-balancing between ISP's and failover.
The problem happens with SSH connections. If any of the system goes down the SSH connection breaks, so I have to restart the connection.
What change is required in the architecture so that the SSH connections does not get interrupted even when any of the systems goes down?
Best Answer
Assuming that the WAN1 and WAN2 interfaces of both machines have public IP addresses corresponding to the ISP, you will need to ensure that you also have a VIP on the WAN side for both ISP networks configured in CARP, as setting gateway groups does not appear to also create a VIP.
e.g.
For ISP-1 you may have:
This ensures that the IP source address will not change when pfSense migrates the session over. You would then need the same type of config for ISP-2.
The problem is that whilst this will maintain the SSH (or any active TCP session) for a fail over of PFSense Master to PFSense Backup, it will not help if the active ISP-x fails as your IP address range for each ISP is going to be different preventing pfSense from maintaining the session.