# PF failover w/ CARP for such setup, possible? Alternatives?



## ronjns (Nov 2, 2013)

Been running 9.1-RELEASE box as a gateway and private subnets router, firewall/ NAT/ VPN server on Intel hardwares, couldn't be happier with the performance and most encouraging of all the vibrant Ports collection will allow me to add network service(s) as new need arises.

Current setup diagram:






Few days ago my only ISP went kaput -disastrous since I work out of my SOHO- so I thought it's time to get a redundant link from another ISP. So I googled and googled (both forums of FreeBSD and pfSense which of course is based on FreeBSD) before committing to new hardwares and service contract. The result has been mixed for the kind of ideal setup I'd like to have:






I wish I had the luxury to experiment with new hardwares and another commitment from different ISP, unfortunately things are a little tight at the moment hence here I seek help from experts in the FreeBSD community if CARP will provide the redundancy I'm looking for or there's something I have to do differently to achieve Internet redundancy with my setup.

From googling, I gathered the followings are the challenges/ unknowns for getting PF's CARP running for my setup:
1. Running PPPoE with a one assigned dynamic WAN IP address for each FreeBSD box each from different ISP. How does CARP handle this?
2. I'm running two different private subnets behind the FreeBSD box
3. Avahi is configured wide area, how will it work with CARP in the picture

I'm not quite concerned with free dynamic DNS hostname, don't mind to have 2 different hostname for each FreeBSD box with different ISP.

Many thanks for your help.


----------



## ronjns (Nov 6, 2013)

Nobody?


----------



## Oko (Nov 7, 2013)

I think that you have to do little bit reading about CARP. The good starting point is
http://www.openbsd.org/faq/pf/carp.html

You are not specifying which which version of VPN you are using but I am a bit familiar with OpenVPN. No CARP can not
help you with OpenVPN since OpenVPN is client centric in that respect. If the first OpenVPN server fails the connection will have to be reestablish. The secondary OpenVPN server will have to be specified on the client side.


----------

