Dual Failover Pfsense with bridged WAN?


MACscr

Member
May 4, 2011
I am going to try and break the question into a few different blocks in order to make it a little easier to organize.

I have two pfsense firewalls with 4 x 1g ports each and 2 x Layer2 LB4 switches and the plan is to have one network drop from my colo into each firewall (total of two drops), then have a connection from each of those into each one of my switches in order to use carp for failover purposes. The switches would be in an active/backup mode. My switches then would be cross linked together with a single 10gb connection (they don't stack).

Now with my current ip allocation from my colo, they cannot peer with me and I have no interest in doing 1:1 NAT. I was told that I might be able to put the pfsense device into a layer 2 mode and simply do what they called a transparent firewall between the wan and lan ports. This appears to be called a bridge within the pfsense docs and would allow me to use my public IPs within the network behind my pfsense devices. I do know that I would then probably have to run a firewall on each server, but that's not an issue.

With the above said though, I had originally planned to bond 4 nics on each of my hosts using *nix bond-mode 6 (autobalance) with 2 nics being connected to each switch and then set up 3 tagged vlans (lan, cluster, storage). With doing a transparent firewall on the switches, would it still be possible for me to do the VLANs like I planned? I was thinking of adding a 4th vlan which would be vlan1 and the default vlan for anything that's not tagged, which would then be the wan traffic. I think this is possible on my switches, but as many of you know, the LB4 docs are pretty lacking.

Would this even work? I will try to provide a network diagram as soon as possible to clarify the setup a bit better. I am really hoping this can work as I have really been struggling with the network design of this setup and I want as much performance and high availability as possible, but I am limited by my knowledge, equipment, and what my colo provider will allow.

Thanks so much for your time and feedback!
 

TangoWhiskey9

Active Member
Jun 28, 2013
If I had two switches and four gigabit ports per pfsense here is how I would do it:

One port from each to datacenter
One port from each to each switch
One port from each as a CARP

You could certainly use the new High Availability Sync in pfsense which is your plan and use 10 gig stacking.

If you are in a colo environment, did you ever ask about if you can run your own BGP? pfsense has an OpenBGP package but that setup is more intense.
 

MACscr

Member
May 4, 2011
Tango, you pretty much just repeated what I posted I was going to do. I appreciate the reply, but I was more hoping for answers to my vlan questions.

As I also mentioned, I'm not going to be doing my own BGP because I don't have my own subnet. Colo isn't their main thing and they just assign ip ranges, so not much security and multiple clients in the same vlan.
 

Lost-Benji

Member
Jan 21, 2013
The arse end of the planet
I can understand that you wish to have redundancy and that's fine but I would be starting with a single PFSense box feeding BOTH networks like it is designed to do, then simply work on duplicating the PF box in parallel/tandem.
 

MACscr

Member
May 4, 2011
I can understand that you wish to have redundancy and that's fine but I would be starting with a single PFSense box feeding BOTH networks like it is designed to do, then simply work on duplicating the PF box in parallel/tandem.
Can you tell me why you would recommend that versus the HA feature of pfsense? Also, won't I need to use the HA feature of pfsense in order to have a single gateway for both the systems that won't use public ip addresses and will be NAT'ed?
 

rnavarro

Active Member
Feb 14, 2013
From my experience using PFSense HA you're going to need multiple IP ranges and your provider will need to route some IP ranges to you.

The smallest routing allotment you're going to need is a /29, which is 5 usable IPs. (6 actually, but -1 for the upstream gateway)

Additionally, you'll need your actual usable IP allotment.

That will give you:
1 Public IP pfSense1
1 Public IP pfSense2
1 Public Virtual IP
2 Free IPs

Now, the provider will route your additional subnets to your Public Virtual IP.

Once your usable IP allotment is routed to your Public Virtual IP you can then redistribute that as you see fit behind your pfSense nodes using a single flat VLAN or breaking it up (depending on the size of the subnet they give you)

For your 3 vlans (lan, cluster, storage) which need to be able to access the internet?
Do you need both switches for redundancy or is that for performance?
Since your switches don't stack you'll have to set up STP on them to use them for redundancy purposes.

VLANs are completely independent of putting the pfSense into transparent mode. When you do that it essentially becomes a layer3 switch...that is...it bridges the two interfaces and provides firewalling. You can still set up 3 VLAN interfaces on the pfSense; you'll just have to decide which VLAN you want to bridge with the WAN interface.
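To make the address arithmetic in the reply above concrete, here is an added worked example (not code from the thread or from pfSense) that lays out the /29 routing block the way the reply describes: network and broadcast are unusable, one address goes to the upstream gateway, one to each pfSense node, one to the shared CARP Virtual IP, and the remainder is free; any further allotments the provider routes to the VIP are kept separate and checked for overlap. The addresses are constructed documentation ranges, and the assumption that the provider's gateway sits on the first usable address is mine, not the reply's.

```python
import ipaddress


def plan_carp_wan(routing_block, routed_allotments=()):
    """Assign the addresses of a small provider-peered block to a pfSense
    CARP pair: gateway, node 1, node 2, the shared Virtual IP, leftovers.

    routing_block     -- the block the provider peers with (e.g. "x.x.x.8/29")
    routed_allotments -- extra subnets the provider routes to the Virtual IP
    """
    net = ipaddress.ip_network(routing_block, strict=True)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    if len(hosts) < 4:
        raise ValueError(
            f"{net} has only {len(hosts)} usable address(es); "
            "need gateway + pfSense1 + pfSense2 + CARP VIP"
        )

    plan = {
        "routing_block": str(net),
        # Assumption: the provider's upstream gateway is the first usable address.
        "gateway": str(hosts[0]),
        "pfsense1": str(hosts[1]),
        "pfsense2": str(hosts[2]),
        "carp_vip": str(hosts[3]),
        "free": [str(h) for h in hosts[4:]],
        "routed_to_vip": [],
    }

    # The allotments routed to the VIP must be distinct from the peering block;
    # an overlap would mean the same address is both a next-hop and a routed
    # destination, which no sane provider configuration should produce.
    for block in routed_allotments:
        allot = ipaddress.ip_network(block, strict=True)
        if allot.overlaps(net):
            raise ValueError(f"routed allotment {allot} overlaps routing block {net}")
        plan["routed_to_vip"].append(str(allot))
    return plan


def usable_behind_vip(plan):
    """Count addresses available to hosts behind the firewall, i.e. every
    address in the routed allotments (hosts() drops network/broadcast)."""
    return sum(
        len(list(ipaddress.ip_network(b).hosts())) for b in plan["routed_to_vip"]
    )


if __name__ == "__main__":
    # Constructed sample: a /29 peering block plus one routed /27 (both TEST-NET).
    p = plan_carp_wan("203.0.113.8/29", ["198.51.100.0/27"])
    for key, value in p.items():
        print(f"{key:>14}: {value}")
    print(f"usable behind VIP: {usable_behind_vip(p)}")
```

Running it on the sample shows exactly the count the reply gives for a /29: six host addresses, five once the gateway is taken, and two left free after the two nodes and the Virtual IP. Asking for anything smaller than a /29 (a /30 leaves only two hosts) is rejected, since there is no room for a gateway, two nodes and a VIP.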
 

MACscr

Member
May 4, 2011
None of the vlans would need access to the internet (well, except the default/native vlan that would only be used for wan). I only wanted the pfsense device to have access to the vlans so that I could access them through openvpn for management purposes. I'd rather avoid the peering route so that I don't have to get a whole new ip allocation (I currently have 2 allocations of 24 IPs) that are more just in a range and not their own subnet.

The purpose of the 2 switches is for performance AND redundancy, though redundancy is the more important factor.

Very rough overview/idea (though I don't have a wan "vlan" set up in it):