Two PFSense on same network.

TType85
Here is a pic of the setup: [image: jodpWNr.png]

We have our production servers in a data center and a backup server in another data center with a cross connect between the two. This second location is for disaster recovery. We have our IPsec VPN and about half a dozen external-facing web sites now going through the current pfSense box. I want to have the 2nd pfSense box on the same subnet (10.150.0.x/23) with a different WAN connection.

(If Website A is 4.x.x.x and internally it goes to 10.150.0.50, I want 72.x.x.x to do the same.)

Current software is ESXi 5.5 with vSphere and replication. I currently have all VMs replicating daily to the DR site, and the SQL server is mirrored using SQL Mirroring.

If the primary DC goes down I want to be able to VPN in to the DR site and bring stuff up, hopefully without a ton of re-IPing.

Is this going to be possible? If so, how do I set up the 2nd pfSense's LAN interface?
 

MrGuvernment
Yes and no, not without some fun routing rules: your sites will only respond out on the gateway that traffic came in on. You could set up your 2nd pfSense with a static LAN IP, no DHCP and your internal LAN IPs, but unless the gateway is the same for your servers, you won't be able to access anything like RDC via the 7* pfSense. You could use VPN, but now you need to do some pain-in-the-butt routing rules, I believe, for traffic to respond back via your 7* IP pfSense.

What you need to be looking at is a dual WAN configuration using a single box with CARP for failover, I believe.

You have both WANs going into each pfSense box, and using CARP provides your failover and multi-WAN access.

https://forum.pfsense.org/index.php?topic=28121.0
 

firedrow
> Yes and no, not without some fun routing rules: your sites will only respond out on the gateway that traffic came in on. You could set up your 2nd pfSense with a static LAN IP, no DHCP and your internal LAN IPs, but unless the gateway is the same for your servers, you won't be able to access anything like RDC via the 7* pfSense. You could use VPN, but now you need to do some pain-in-the-butt routing rules, I believe, for traffic to respond back via your 7* IP pfSense.
>
> What you need to be looking at is a dual WAN configuration using a single box with CARP for failover, I believe.
>
> You have both WANs going into each pfSense box, and using CARP provides your failover and multi-WAN access.
>
> https://forum.pfsense.org/index.php?topic=28121.0

+1 on this, AND set up DNS failover for your secondary WAN. We use DNSMadeEasy: if our main IP quits responding, we have a list of secondary IPs that become active for our DNS names within 120 seconds. It works great; our MSP clients don't see the disconnect and reconnect (we don't do Terminal Services or time-sensitive connections, only hosted Exchange and remote monitoring).
 

TType85
I am trying to envision how to do the dual WAN/CARP setup, and maybe I need to go a different route. I am going to have to dig through the pfSense site more.

Hardware in the primary DC:
Supermicro Atom based PFSense Box
HP DL160G6 ESXi server
Enhance Tech SAN
Cisco 3750G
HP 8 port gig switch (used to convert the fiber drop to copper)
14 total Windows VMs + vSphere, Replication and Data Protection VMs

Hardware in the DR DC:
Supermicro 2U ESXi AIO with an extra 2-port NIC (3 total).
  • One of the ports from the DR goes to the datacenter interconnect.
  • The other 2 ports are used for the outside connection (redundant)

I am using vSphere replication to replicate all machines from the primary DC to the DR DC. The goal is to be able to bring the systems back up within 24-48h if something happens to the primary DC. The problem is we have near zero budget. I think I am going to have to kick this around in my lab to get it working.
 

firedrow
Ok, maybe we went about this wrong, but re-reading this again you don't need CARP unless you are setting up a High-Availability pfSense environment. Sounds like you need to look at DNS Failover mostly. If your ESXi VMs are being copied offsite to the Disaster Recovery NOC (DR/NOC), it sounds like your only real concern is getting traffic moved to the DR/NOC. Then DNS can take care of this for you.

So I'm going to assume the DC interconnect is taking care of the connection between primary and secondary sites. At the DR/NOC, verify backups of the VMs are showing up and being seen by the DR ESXi install. If they aren't, fix this first. If they are, now you just need to redirect VPNs and internet traffic to this site. Make sure your pfSense at the DR/NOC has the same NAT/port forwarding setups but with the 72.xxx.xxx.xxx address. I would suggest setting your VPNs to point to an FQDN instead of an IP; then you can just alter your DNS zone manually or use something like DNS Made Easy to automatically fail over to your secondary site after a set amount of time.

Now VPNs will move and web traffic will move based on where DNS is pointed.
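One way to verify the "same NAT/port forwarding setups" step before a failover is ever needed: compare the port-forward rules exported from both boxes by protocol and WAN port (ignoring the WAN address, since 4.x.x.x and 72.x.x.x differ by design) and flag anything the DR box lacks or points at a different LAN host. This is an added example, not code from the thread; the XML is a constructed, simplified subset of a pfSense config export, and the tag names inside `<nat><rule>` are assumed rather than taken from the page.

```python
"""Diff port-forward rules between a primary and a DR pfSense config export.

Added example; the XML below is constructed and its <nat><rule> field names
are an assumed simplification of a real pfSense config.xml.
"""
import xml.etree.ElementTree as ET

# Constructed primary config: two forwards for Website A, one for SMTP.
PRIMARY_XML = """<pfsense><nat>
  <rule><protocol>tcp</protocol><destination><port>443</port></destination>
        <target>10.150.0.50</target><local-port>443</local-port><descr>Website A</descr></rule>
  <rule><protocol>tcp</protocol><destination><port>80</port></destination>
        <target>10.150.0.50</target><local-port>80</local-port><descr>Website A</descr></rule>
  <rule><protocol>tcp</protocol><destination><port>25</port></destination>
        <target>10.150.0.60</target><local-port>25</local-port><descr>SMTP</descr></rule>
</nat></pfsense>"""

# Constructed DR config: port 80 points at the wrong host and SMTP is missing.
DR_XML = """<pfsense><nat>
  <rule><protocol>tcp</protocol><destination><port>443</port></destination>
        <target>10.150.0.50</target><local-port>443</local-port><descr>Website A</descr></rule>
  <rule><protocol>tcp</protocol><destination><port>80</port></destination>
        <target>10.150.0.51</target><local-port>80</local-port><descr>Website A</descr></rule>
</nat></pfsense>"""


def port_forwards(xml_text):
    """Map (protocol, wan_port) -> (lan_target, lan_port) for every NAT rule.

    The WAN-side destination address is deliberately not part of the key,
    because the two boxes sit behind different public addresses.
    """
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("rule"):
        key = (rule.findtext("protocol"), rule.findtext("destination/port"))
        rules[key] = (rule.findtext("target"), rule.findtext("local-port"))
    return rules


def diff_forwards(primary, dr):
    """Return (missing_at_dr, mismatched): keys absent at DR, and keys whose
    LAN target/port differ between the two sites."""
    missing = sorted(k for k in primary if k not in dr)
    mismatched = sorted(k for k in primary if k in dr and primary[k] != dr[k])
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = diff_forwards(port_forwards(PRIMARY_XML), port_forwards(DR_XML))
    print("missing at DR:", missing)        # [('tcp', '25')]
    print("different target at DR:", mismatched)  # [('tcp', '80')]
```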