From: Eugen Leitl [mailto:eu...@leitl.org] Sent: Friday, August 07, 2009 5:41 AM

Is any of you running pfSense in a fully redundant hosting setting?
Care to share your setup?

I'm currently running two pfSense systems (2 NICs each) in a transparent bridge mode, as a poor man's failover. I currently have 3 VLAN-capable switches, I presume 2 would be enough, if properly partitioned.

Sometime next year I'd like to have a second 100 MBit/s Ethernet uplink added to the rack, for enhanced bandwidth and redundancy. It looks like I no longer can do it with the transparent bridge setup, at least not utilizing the doubled bandwidth.

Can any of you point me to a network diagram illustrating such a setup, with two pfSense instances (how many NICs?) and two or three switches? I presume it needs carp+pfsync in order for it to work.

So far it looks like each pfSense instance would need some 5 NICs, there would be 2 switches each segmented into 2 port-based VLANs (or tagged VLANs, in case of virtual NICs) and each server behind the setup would need 2 NICs. I am very sure the result is probably nonfunctional, due to network loops, and certainly suboptimal.

What do you do to prototype and debug your setup? Use VMware ESX server (does ESXi work, too?). How do you test that the setup works?

Thanks.

--
Eugen* Leitl, http://leitl.org

We use these redundant setups (carp+pfsync+loadbalancer-in-failover-mode) extensively. Every pfSense in the cluster has 5 NICs (LAN, VLAN, SYNC, WAN, WAN1). On LAN we have our server environment, the most protected stuff. VLANs - clients. Use of the other NICs is obvious. Theoretically you could use only one switch, but it does not make much sense in terms of reliability/redundancy. We use separate switches for every NIC (except SYNC, which is just a CAT5E cable). So, all active pfSense boxes' LAN interfaces go to one switch, passive - to another one. Never played with firewalls within a virtual environment, and I personally believe a firewall should be a stand-alone box.

Eugene.
