Important
Netgate is offering COVID-19 aid for pfSense software users, learn more.
High Availability Configuration Example with Multi-WAN¶
HA can also be deployed for firewall redundancy in a multi-WAN configuration. This section details the VIP and NAT configuration needed for a dual WAN HA deployment. This section only covers topics specific to HA and multi-WAN.
Determine IP Address Assignments¶
For this example, four IP addresses will be used on each WAN. Each firewall needs an IP address, plus one CARP VIP for Outbound NAT, plus an additional CARP VIP for a 1:1 NAT entry that will be used for an internal mail server in the DMZ segment.
WAN and WAN2 IP Addressing¶
Table WAN IP Addressing show the IP addressing for both WANs. In most environments these will be public IP addresses.
IP Address |
Usage |
|---|---|
198.51.100.200 |
Shared CARP VIP for Outbound NAT |
198.51.100.201 |
Primary firewall WAN |
198.51.100.202 |
Secondary firewall WAN |
198.51.100.203 |
Shared CARP VIP for 1:1 NAT |
IP Address |
Usage |
|---|---|
203.0.113.10 |
Shared CARP VIP for Outbound NAT |
203.0.113.11 |
Primary firewall WAN2 |
203.0.113.12 |
Secondary firewall WAN2 |
203.0.113.13 |
Shared CARP VIP for 1:1 NAT |
LAN Addressing¶
The LAN subnet is 192.168.1.0/24. For this example, the LAN IP addresses will be assigned as follows.
IP Address |
Usage |
|---|---|
192.168.1.1 |
CARP shared LAN VIP |
192.168.1.2 |
Primary firewall LAN |
192.168.1.3 |
Secondary firewall LAN |
DMZ Addressing¶
The DMZ subnet is 192.168.2.0/24. For this example, the DMZ IP addresses will be assigned as follows in Table DMZ IP Address Assignments.
IP Address |
Usage |
|---|---|
192.168.2.1 |
CARP shared DMZ VIP |
192.168.2.2 |
Primary firewall DMZ |
192.168.2.3 |
Secondary firewall DMZ |
pfsync Addressing¶
There will be no shared CARP VIP on this interface because there is no need for one. These IP addresses are used only for communication between the firewalls. For this example, 172.16.1.0/24 will be used as the Sync subnet. Only two IP addresses will be used, but a /24 is used to be consistent with the other internal interfaces. For the last octet of the IP addresses, the same last octet as that firewall’s LAN IP is chosen for consistency.
IP Address |
Usage |
|---|---|
172.16.1.2 |
Primary firewall Sync |
172.16.1.3 |
Secondary firewall Sync |
NAT Configuration¶
The NAT configuration when using HA with Multi-WAN is the same as HA with a single WAN. Ensure that only CARP VIPs are used for inbound traffic or routing. See Network Address Translation for more information on NAT configuration.
Firewall Configuration¶
With Multi-WAN a firewall rule must be in place to pass traffic to local networks using the default gateway. Otherwise, when traffic attempts to reach the CARP address or from LAN to DMZ it will instead go out a WAN connection.
A rule must be added at the top of the firewall rules for all internal interfaces which will direct traffic for all local networks to the default gateway. The important part is the gateway needs to be default for this rule and not one of the failover or load balance gateway groups. The destination for this rule would be the local LAN network, or an alias containing any locally reachable networks.
Multi-WAN HA with DMZ Diagram¶
Due to the additional WAN and DMZ elements, a diagram of this layout is much more complex as can be seen in Figure Diagram of Multi-WAN HA with DMZ.
Diagram of Multi-WAN HA with DMZ¶