
Behind an ISP router, I set up a firewall that includes (DHCP server, Squid, ClamAV, Light Squid, Snort, Port Forwarding, and OpenVPN), linked to an Ethernet switch.

3 PCs and a VoIP server (static address) are connected to that switch. I duplicated my firewall and added another ISP, assuming that if ISP-1 stops working somehow, I want my LAN to keep working through the other ISP.

I need some ideas on how to do redundancy in this topology. Thanks for your time.

Mr.Robot
  • If I needed this, I would use a single failover router to feed everything else. That is the most common way I have seen 2 ISPs connected for failover. What is the annual cost of the second ISP? If you were out for a whole day, is that worth the annual cost of the extra ISP? It has not been for me or for numerous customers. – John Apr 17 '23 at 23:52
  • @John your comment helped me, especially the "Failover" word. I didn't know about it, but I started working on it the last couple of days. I basically added another WAN port on my firewall, and I created a gateway group where the 2nd WAN will take over when the packet loss of WAN1 (assigned as the main gateway) is 10%, until it is back to work. I used Traceroute to test it and it worked. I'm also considering using an LTE router as a backup, paying only for the data I'll use. Thanks, sir. – Mr.Robot Apr 19 '23 at 23:17

1 Answer


Preferably, set up both uplinks on a single pfSense instance. As far as I can remember, it already has built-in functionality to test for gateway liveness and to automatically switch to a different WAN gateway.

Alternatively, use CARP (FreeBSD's VRRP equivalent) to set up a "virtual" IP address between both pfSense instances (to be used by your LAN devices instead of the "real" one), and script something to make the 'IAM' instance withdraw that IP address whenever it loses Internet access; I think I faintly remember this being built-in functionality in pfSense. (You probably don't need pfSync for firewall states, as all connections will be interrupted anyway when your external IP address changes.)

u1686_grawity
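
The gateway-liveness decision discussed in the answer and in the comment thread (WAN2 takes over when WAN1 packet loss reaches 10%, WAN1 resumes once it recovers), as an added Python example that is not part of the original posts and is not pfSense's own code. The 20-probe window, the class and function names, and the probe sequences are assumptions constructed for illustration.

```python
from collections import deque

LOSS_THRESHOLD = 10.0  # percent; the figure quoted in the comment thread
WINDOW = 20            # probes kept per gateway (assumed value)


class Gateway:  # one WAN uplink in a tiered gateway group (hypothetical model)
    def __init__(self, name, tier):
        self.name, self.tier = name, tier
        self.samples = deque(maxlen=WINDOW)  # True = reply, False = timeout

    def record(self, replied):
        self.samples.append(bool(replied))

    def loss_pct(self):
        if not self.samples:
            return 100.0  # no data yet: treat the link as down
        return 100.0 * self.samples.count(False) / len(self.samples)

    def is_up(self):
        return self.loss_pct() < LOSS_THRESHOLD


def select_gateway(gateways):
    """Lowest-numbered tier that is up wins; None if every uplink is down."""
    up = [g for g in gateways if g.is_up()]
    return min(up, key=lambda g: g.tier) if up else None


def simulate(wan1_probes, wan2_probes):
    """Return [(probe_index, active_gateway_name)] for each change of gateway."""
    wan1, wan2 = Gateway("WAN1", 1), Gateway("WAN2", 2)
    changes = []
    for i, (r1, r2) in enumerate(zip(wan1_probes, wan2_probes)):
        wan1.record(r1)
        wan2.record(r2)
        active = select_gateway([wan1, wan2])
        name = active.name if active else None
        if not changes or changes[-1][1] != name:
            changes.append((i, name))
    return changes


# Constructed probe results: WAN1 drops 10 probes in a row, WAN2 stays healthy.
WAN1_PROBES = [1] * 20 + [0] * 10 + [1] * 30
WAN2_PROBES = [1] * 60

if __name__ == "__main__":
    print(simulate(WAN1_PROBES, WAN2_PROBES))
```

With this window the switch to WAN2 happens on the second lost probe, and the return to WAN1 comes 18 probes after WAN1 starts replying again, because the earlier losses have to age out of the window first.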