[talk] Who's built redundant pfsense setups?

Sevan / Venture37 venture37 at gmail.com
Fri Dec 5 15:35:50 EST 2014


On 5 December 2014 at 14:36, Justin Sherrill <justin at shiningsilence.com> wrote:
> On Thu, Dec 4, 2014 at 2:34 PM, Sevan / Venture37 <venture37 at gmail.com> wrote:
>> So I'd say buy a switch which actually supports STP/RSTP (not "loop protection" as per
>> budget HP gear) & allows the configuration & VLANs. That should be sufficient.
>
> I have a pair of Netgate C2758 units, a 10m link through Time Warner,
> and a 3m link through Windstream, and a single switch that acts as the
> gateway for the company.  Looking at the docs, and going by what you
> said, it appears I need:
>
> 2 switches talking STP
> 2 ports on each pfsense device to reach those two switches
> 1 port on each pfsense device to talk to each other, for pfsync.
> 1 port on each pfsense device to talk to the inside of the network.
>
> I suppose I could eliminate that internal switch as the gateway for
> the internal network, and point at the virtual IP for the pfsense
> devices instead, to reduce complexity.

You can share a switch & only utilise a single physical port per
firewall per side (1 for external, 1 for internal).
Each WAN connection connects to a port on the same switch, but each
port is in a different VLAN.
Both those VLANs are tagged on the port each firewall's physical
interface is connected to.
On the firewalls, use vlan(4) interfaces to talk on each WAN connection.

Keywords: router on a stick, trunk ports / tagged VLANs.
You could resort to only tagging one VLAN & making the other VLAN
untagged per interface, but it's better to have them both tagged as
it's cleaner & makes it easier to move things round later.



Sevan / Venture37
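The firewall side of the "router on a stick" layout described in the reply above, written out as an added example (this is not code from the mailing-list post or from the pfSense project). It assumes a FreeBSD-style ifconfig(8) as found on pfSense: both WAN VLANs arrive tagged on one physical port (assumed `igb0`), each uplink gets its own vlan(4) child interface, and pfsync runs over a dedicated port (assumed `igb2`). The VLAN IDs (10, 20), interface names and addresses are all constructed for the example; on pfSense itself the equivalent is done through Interfaces > Assignments > VLANs rather than by hand.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: two tagged WAN VLANs on one
# trunk port of a FreeBSD-based firewall, plus a separate pfsync link.
# Interface names, VLAN IDs and addresses are constructed assumptions.

WAN_TRUNK="${WAN_TRUNK:-igb0}"    # single port facing the shared switch (assumed)
PFSYNC_DEV="${PFSYNC_DEV:-igb2}"  # dedicated port for pfsync (assumed)

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed
# before anything is applied to a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create one vlan(4) child interface on the trunk port and address it.
#   $1 = VLAN ID, $2 = description, $3 = local address/prefix (constructed)
add_wan_vlan() {
    vid="$1"; desc="$2"; addr="$3"
    run ifconfig "${WAN_TRUNK}.${vid}" create vlan "$vid" vlandev "$WAN_TRUNK"
    run ifconfig "${WAN_TRUNK}.${vid}" description "$desc"
    run ifconfig "${WAN_TRUNK}.${vid}" inet "$addr" up
}

configure_wan_vlans() {
    # The trunk port is brought up but carries no untagged address of its own:
    # everything on it is tagged, matching the "both VLANs tagged" advice.
    run ifconfig "$WAN_TRUNK" up
    add_wan_vlan 10 "WAN-TimeWarner" 203.0.113.2/30   # VLAN 10: first ISP (assumed)
    add_wan_vlan 20 "WAN-Windstream" 198.51.100.2/30  # VLAN 20: second ISP (assumed)
}

configure_pfsync() {
    # pfsync state updates are unauthenticated, so keep them on a point-to-point
    # link between the two firewalls rather than on the shared switch.
    run ifconfig "$PFSYNC_DEV" inet 10.255.255.1/30 up
    run ifconfig pfsync0 syncdev "$PFSYNC_DEV" up
}

# Number of vlan(4) interfaces the plan would create on the trunk (expected: 2).
wan_vlan_count() {
    DRY_RUN=1 configure_wan_vlans | grep -c 'create vlan '
}

# Default is a dry run; set APPLY=1 to actually configure the interfaces.
if [ "${APPLY:-0}" = "1" ]; then
    configure_wan_vlans
    configure_pfsync
else
    DRY_RUN=1 configure_wan_vlans
    DRY_RUN=1 configure_pfsync
fi
```

Run it once without `APPLY=1` to see the exact ifconfig commands, then with `APPLY=1` on each firewall (with its own addresses). The switch-side half is the matching piece: the firewall's port is a trunk with VLANs 10 and 20 tagged, and each ISP hand-off port is an untagged member of just one of those VLANs.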