So you add 2 more switches to protect against failure of the firewall or the connection to/from either, but failure of either little switch equals collapse of it all anyway? :)
If you used a managed switch that supported enhanced spanning-tree features such as spanning-tree PortFast or edge, then you wouldn't have the 30+ second wait time as spanning tree works through its listening, learning, and then forwarding modes. It would just jump to forwarding and figure out if there was a loop in the background.
Also, while I get the point that there is no NEED for a managed / fancy switch on the WAN side in this video as it doesn't need any fancy configuration work to be done, I would put a switch with 2 power supplies and match the power inputs to the HA pair of Netgates. IMO, there is no real point in purchasing redundant firewalls and then having a $30 single point of failure at the top of the food chain.
I completely agree; this was just a demonstration. When we install something in the data center, it has redundant managed switches as well as redundant firewalls.
@LAWRENCESYSTEMS Agreed. Looking back at the comment I didn't quite say what I wanted to. I knew it was for video purposes and I got that. However, I've seen a lot of super fancy configurations in an enterprise environment and then find that it all depends on some dumb $75 media converter with a $9 wall-wart power supply. It just makes me shake my head in disbelief...
I think in a real-world scenario you wouldn't even need a switch if you had 2 WAN connections from the ISP, correct? This would also further enhance the redundancy plan for the network.
Wow so fast. That's awesome
Is there any reason you can't do a lot of this with VLANs?
Could you do a video on this same setup with redundant modems, or redundant ISPs?
Nothing really different, just more IP addresses.
I know this is an old video, but how would you configure VLANs into this?
You can but don't need to.
What if you have one IP from the ISP and need to port forward 80 and 443 to an nginx reverse proxy?
I don't understand the question.
I watched your other video and this one; for HA I get you need 3 WAN IPs, and that's not possible for me. So here's my question: I have pfSense running on unRAID and I want to just sync it to a small fanless PC that I used to run pfSense on. I just want to keep the settings in sync so if my host dies I can quickly swap. Is it possible to ONLY use a sync Cat6 cable between them and then a LAN IP for mgmt access, without interfering with anything? I don't need HA but more like a hot manual standby that I can swap the WAN cable between if needed.
I know this video is 2 years old but I appreciate any assistance.
It would be really challenging to have mismatched pfSense systems stay in sync. It works best on matching hardware.
Great video as usual. Can you do a video about the next most important thing in a failover event? Notification (email alert "Hey, something's wrong!"). Also, how about email alerts when someone logs on to pfSense? I think there is a pfSense package (daily notification - log parsing) for this, but it'd be great to have a video tutorial. Thanks again!
Hi Lawrence, very, very great video. May I ask 1 question?
Is it possible in pfSense, if we unplug the Netgate primary LAN interface, that the secondary Netgate not only takes over the LAN master CARP but also the WAN master CARP?
Because if the Netgate primary LAN interface is down, the Netgate secondary LAN interface will take over as CARP master, but if the Netgate secondary WAN interface is still in backup CARP mode, the internet traffic will not pass because of asymmetric routing. So in that case I think when the Netgate primary inside interface is down, the Netgate secondary inside and outside interfaces should take the master, not only the Netgate secondary inside interface.
Hi, thanks for this video. I would have liked to see how it performed when you pull the power plug.
The same
Great video... Thank you!
Hey, great video. Quick question, could this be set up if the Netgates were located in different rooms of your building? The only issue that I can see would be the sync port.
If my ISP provider provides a modem with more than one Ethernet connection, can I just plug both my pfSense boxes directly into the modem?
Yes
What happens to the internet connection when it fails over if you've only got one public IP?
Switches from your primary ISP to your backup ISP. Imagine unplugging a cable modem and plugging into a DSL modem or 4G service.
The CARP protocol requires at least 3 public IP addresses. Watch my full HA setup video for a more complete answer.
BTW it does miss a beat. 3 ping drops both failing over and back, as shown by the sequence number jumps. Not saying it would be an issue, but technically not 100% seamless failover. I use pfSense all the time and it is great :-)
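A way to quantify the drops this commenter describes from a saved ping capture, as an added example that is not code from the video or the commenter. The ping output below is constructed, not real output from the demo; it assumes Linux/BSD-style `icmp_seq=` lines at a 1-second interval.

```python
import re

# Constructed sample of `ping -i 1` output spanning a CARP failover and the
# fail-back: replies for icmp_seq 4-6 and 12-14 never arrived.
SAMPLE_PING_OUTPUT = """\
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=11.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=117 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=117 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=117 time=12.0 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=117 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=117 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=15 ttl=117 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=16 ttl=117 time=12.2 ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def parse_seqs(text):
    """Return the icmp_seq numbers that received a reply, in capture order."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]


def find_gaps(seqs):
    """Return (first_lost, last_lost, count) for every run of missing replies.

    Sequence numbers are sorted and de-duplicated first so that late or
    duplicated replies (DUP!) do not produce bogus or negative gaps.
    """
    ordered = sorted(set(seqs))
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1, cur - prev - 1))
    return gaps


def summarize(text, interval_s=1.0):
    """Describe each outage window: lost sequence range, packet count, approx seconds."""
    return [
        {"first_lost": a, "last_lost": b, "lost": n, "approx_outage_s": n * interval_s}
        for a, b, n in find_gaps(parse_seqs(text))
    ]


if __name__ == "__main__":
    for g in summarize(SAMPLE_PING_OUTPUT):
        print(f"lost icmp_seq {g['first_lost']}-{g['last_lost']}: "
              f"{g['lost']} packets, ~{g['approx_outage_s']:.0f} s without a path")
```

Feed it the output of a long-running `ping` captured during a failover test to get the outage windows rather than eyeballing the sequence numbers.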
You'll want to look at the multi-WAN section of the documentation for instructions on how you can set up multiple connections. You might, for example, have a primary WAN connection with one ISP, a secondary WAN connection with another ISP, and even something like a 4G mobile data link as an emergency fail-over (although you'll want to do some traffic shaping and rules.)
EDIT: I think I misunderstood your question. Sorry about that.
Can this be done with multiple ISPs for internet failover as well as switch failover?
Yes
Can you do a tutorial on how to run multiple OpenVPN clients on a pfSense server? For instance, an ExpressVPN service for one subnet of devices and a Nord service for another subnet set of devices.
I do this for my WindScribe VPN service. I have it connected to different servers based on region, and use firewall rules to direct clients to specific ones (Gateways) depending on their IP. I do it based on device, but you could easily do it based on Subnet or other various firewall rules.
In short you can do the following:
- Set up each OpenVPN client and make sure it's established and has a gateway available.
- Create firewall rules based on Source for your subnet. If you want all Internet traffic to go through a specific VPN server make the destination and ports *, and under advanced settings choose the gateway associated with the VPN service you'd like to send that traffic out.
Note: Make sure that if you want the devices in the different subnets/VLANs to be able to communicate internally that you create specific rules BEFORE your VPN rule and have them use their respective gateway.
I just signed up on the forums. If you'd like you can PM me there (if it's possible) @ itsmikeboyd
@xrekonx Doesn't seem too difficult; I wasn't sure if it was possible through the GUI. I'll give it a try this weekend, thank you.
I'm confused.... Wouldn't you still have that one ISP switch as a single point of failure? If the switch that passes off the ISP connection to the routers dies, aren't you still going to be without a WAN connection? To completely eliminate the SPOF, wouldn't you need a second stacked switch to handle the ISP connections?
Even better would be to have two switches and two ISPs.
This looks like it is doing HA with emulating a single ISP. Would I be correct in thinking that the backup device could be on a second provider without any significant config changes?
Correct, this same setup can be used with multiple providers. This is also the reason people use the XG-7100 for that use case, due to it having more ports.
For HA do the pfSense boxes have to be identical? Was thinking of adding HA to the higher-end box that you helped me configure, using a 3100 as the secondary maybe?
It is highly recommended they be identical for it to work seamlessly.
Matched hardware is highly preferred for HA. Same gear and firmware. That way syncs and responses are predictable.
Thanks for the great videos! One question, in this example would you have a suggestion for the edge switch (or similar) redundancy?
Good video
Hi Tom, I'm waiting on your review of the Reolink cams as well as the comparison of the USG and pfSense. Do you have any schedule for these videos?
Nope, I do videos based on the time I have between clients.
How about setting up HA failover with IPsec?
It works
@LAWRENCESYSTEMS I played around with this about a year ago and discovered that the IPsec SA doesn't get synced (need something like sasyncd for this). So the IPsec connections have to be recreated if the master fails.
docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html
@LAWRENCESYSTEMS That sounds like the issue. Maybe I should try it out again :D
@LAWRENCESYSTEMS Will try this in a test environment. Does WAN failover apply to this? We do have 2 ISP providers, which are leased/dedicated Internet lines to the country's internet backbone. So I want to have an HA failover with IPsec and WAN failover configured.
Would anyone do this for a home? Doesn't seem it would be worth it, correct?
No, this was just to show how it works
The 1100 is really not a good model, bought one and have nothing but problems with it. I almost want to get another just to see if I got a bad one.
So why would ANY computer, as small as it can be, not support HA???
It is simple software and the CARP traffic is not a lot!!
Not supporting the CPU-, memory- or disk-heavy tasks/packages is a whole different issue.
The Netgear switch, power supply, WAN and same physical location all make for a single point of failure EACH. Good demo all the same.
More pointies of failure
I think the video is more to just show how nicely pfSense works for HA appliances; of course a real HA setup would require having everything redundant.
Ponytail and stickers on the laptop. I can't watch this
Lol