Multi-WAN with HA

HA can also be deployed for firewall redundancy in a multi-WAN configuration. This section details the VIP and NAT configuration needed for a dual WAN HA deployment. This section only covers topics specific to HA and multi-WAN.

Determine IP Address Assignments

For this example, four IP addresses will be used on each WAN. Each firewall needs an IP address, plus one CARP VIP for Outbound NAT, plus an additional CARP VIP for a 1:1 NAT entry that will be used for an internal mail server in the DMZ segment.

WAN and WAN2 IP Addressing

The WAN IP Addressing and WAN2 IP Addressing tables show the IP addressing for both WANs. In most environments these will be public IP addresses.

WAN IP Addressing

IP Address        Usage
198.51.100.200    Shared CARP VIP for Outbound NAT
198.51.100.201    Primary firewall WAN
198.51.100.202    Secondary firewall WAN
198.51.100.203    Shared CARP VIP for 1:1 NAT

WAN2 IP Addressing

IP Address        Usage
203.0.113.10      Shared CARP VIP for Outbound NAT
203.0.113.11      Primary firewall WAN2
203.0.113.12      Secondary firewall WAN2
203.0.113.13      Shared CARP VIP for 1:1 NAT

LAN Addressing

The LAN subnet is 192.168.1.0/24. For this example, the LAN IP addresses will be assigned as follows.

LAN IP Address Assignments

IP Address        Usage
192.168.1.1       CARP shared LAN VIP
192.168.1.2       Primary firewall LAN
192.168.1.3       Secondary firewall LAN

DMZ Addressing

The DMZ subnet is 192.168.2.0/24. For this example, the DMZ IP addresses will be assigned as follows in Table DMZ IP Address Assignments.

DMZ IP Address Assignments

IP Address        Usage
192.168.2.1       CARP shared DMZ VIP
192.168.2.2       Primary firewall DMZ
192.168.2.3       Secondary firewall DMZ

pfsync Addressing

There will be no shared CARP VIP on this interface because there is no need for one. These IP addresses are used only for communication between the firewalls. For this example, 172.16.1.0/24 will be used as the Sync subnet. Only two IP addresses will be used, but a /24 is used to be consistent with the other internal interfaces. For the last octet of the IP addresses, the same last octet as that firewall’s LAN IP is chosen for consistency.

Sync IP Address Assignments

IP Address        Usage
172.16.1.2        Primary firewall Sync
172.16.1.3        Secondary firewall Sync

NAT Configuration

The NAT configuration when using HA with Multi-WAN is the same as HA with a single WAN. Ensure that only CARP VIPs are used for inbound traffic or routing. See Network Address Translation for more information on NAT configuration.
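The requirement above (only CARP VIPs for inbound NAT) is easy to get wrong when a 1:1 entry is created on one node and points at that node's own WAN address. The following is an added example, not part of the pfSense documentation or software: it loads the addressing plan from the tables on this page, checks that every address sits in its subnet and is used once, and flags NAT rules whose external address is a node-specific address rather than a shared VIP. The /24 masks on WAN and WAN2, the constructed NAT rule list, and the DMZ mail server address 192.168.2.25 are assumptions for illustration.

```python
"""Sanity checks for a Multi-WAN HA addressing plan and its NAT rules.

Added example, not pfSense code. Addresses come from the tables on this page;
the WAN subnet masks (/24), the NAT rule list and the mail server address
192.168.2.25 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HaInterface:
    name: str
    network: str       # subnet the interface sits on
    primary: str       # node-specific address on the primary firewall
    secondary: str     # node-specific address on the secondary firewall
    vips: tuple        # shared CARP VIPs; empty on the Sync interface


PLAN = [
    HaInterface("WAN", "198.51.100.0/24", "198.51.100.201", "198.51.100.202",
                ("198.51.100.200", "198.51.100.203")),
    HaInterface("WAN2", "203.0.113.0/24", "203.0.113.11", "203.0.113.12",
                ("203.0.113.10", "203.0.113.13")),
    HaInterface("LAN", "192.168.1.0/24", "192.168.1.2", "192.168.1.3",
                ("192.168.1.1",)),
    HaInterface("DMZ", "192.168.2.0/24", "192.168.2.2", "192.168.2.3",
                ("192.168.2.1",)),
    HaInterface("SYNC", "172.16.1.0/24", "172.16.1.2", "172.16.1.3", ()),
]

# Constructed NAT rules: (kind, interface, external address, internal target).
# The third rule deliberately uses the primary node's own WAN2 address, which
# stops answering the moment the secondary firewall takes over.
NAT_RULES = [
    ("outbound", "WAN", "198.51.100.200", "192.168.1.0/24"),
    ("1:1", "WAN", "198.51.100.203", "192.168.2.25"),
    ("1:1", "WAN2", "203.0.113.11", "192.168.2.25"),
]


def validate_plan(plan):
    """Return problems: addresses outside their subnet or assigned twice."""
    problems = []
    seen = {}
    for iface in plan:
        net = ipaddress.ip_network(iface.network)
        roles = [("primary", iface.primary), ("secondary", iface.secondary)]
        roles += [("vip", v) for v in iface.vips]
        for role, addr in roles:
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{iface.name}: {role} {addr} not in {iface.network}")
            if addr in seen:
                problems.append(f"{addr} reused on {iface.name} and {seen[addr]}")
            seen[addr] = iface.name
    return problems


def node_addresses(plan):
    """Map every node-specific (non-shared) address to its interface."""
    return {a: i.name for i in plan for a in (i.primary, i.secondary)}


def carp_vips(plan):
    """Map every shared CARP VIP to its interface."""
    return {v: i.name for i in plan for v in i.vips}


def check_nat_rules(rules, plan):
    """Flag NAT rules whose external address is not a shared CARP VIP."""
    vips, nodes = carp_vips(plan), node_addresses(plan)
    findings = []
    for kind, iface, external, _target in rules:
        if external in vips:
            continue
        if external in nodes:
            findings.append(f"{kind} NAT on {iface} uses node address "
                            f"{external}; use a CARP VIP instead")
        else:
            findings.append(f"{kind} NAT on {iface} uses unknown address {external}")
    return findings


if __name__ == "__main__":
    for line in validate_plan(PLAN) + check_nat_rules(NAT_RULES, PLAN):
        print(line)
```

Run against the plan on this page the address checks pass, and the only finding is the 1:1 rule bound to 203.0.113.11; the same check can be pointed at an exported rule list before a failover test.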

Firewall Configuration

With Multi-WAN a firewall rule must be in place to pass traffic to local networks using the default gateway. Otherwise, traffic destined for the CARP address, or from LAN to DMZ, will be policy routed out a WAN connection instead.

A rule must be added at the top of the firewall rules for all internal interfaces which will direct traffic for all local networks to the default gateway. The important part is the gateway needs to be default for this rule and not one of the failover or load balance gateway groups. The destination for this rule would be the local LAN network, or an alias containing any locally reachable networks.
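The ordering point in the two paragraphs above can be checked with a small first-match model of the ruleset. The following is an added example, not part of the pfSense documentation or software: rules are evaluated top to bottom on the interface where traffic enters, the first match picks the gateway, and "default" stands for the system routing table, which already knows LAN and DMZ directly. The gateway group name WANGroup, the rule dictionaries and the probe address 192.0.2.1 are assumptions; the local networks and CARP VIPs come from the tables on this page.

```python
"""First-match model of the Multi-WAN policy-routing pitfall.

Added example, not pfSense code. Rules are a simplified model: evaluated top to
bottom on the entry interface, first match wins. Gateway "default" means the
system routing table; "WANGroup" is an assumed failover/load-balance group name.
"""
import ipaddress

# LAN and DMZ networks from this page; the alias the rule's destination would hold.
LOCAL_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24"]


def match(rule, src_iface, dst_ip):
    """True when the rule is on the entry interface and covers the destination."""
    if rule["interface"] != src_iface:
        return False
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(n) for n in rule["destination"])


def select_gateway(rules, src_iface, dst_ip):
    """Gateway chosen by the first matching rule, or 'blocked' (default deny)."""
    for rule in rules:
        if match(rule, src_iface, dst_ip):
            return rule["gateway"]
    return "blocked"


# Constructed ruleset before the fix: one rule policy routes everything from
# LAN out the gateway group, including traffic for the CARP VIPs and the DMZ.
BROKEN_LAN_RULES = [
    {"interface": "LAN", "destination": ["0.0.0.0/0"], "gateway": "WANGroup"},
]

# Corrected ruleset: the local-networks rule is first and uses the default
# gateway, so only traffic for other destinations reaches the group rule.
FIXED_LAN_RULES = [
    {"interface": "LAN", "destination": LOCAL_NETWORKS, "gateway": "default"},
] + BROKEN_LAN_RULES


def audit_interface_rules(rules, src_iface):
    """List local networks whose first host (the CARP VIP here) is not routed by default."""
    bad = []
    for net in LOCAL_NETWORKS:
        probe = str(ipaddress.ip_network(net)[1])   # .1 is the CARP VIP on LAN and DMZ
        gateway = select_gateway(rules, src_iface, probe)
        if gateway != "default":
            bad.append((net, gateway))
    return bad


if __name__ == "__main__":
    print("broken:", audit_interface_rules(BROKEN_LAN_RULES, "LAN"))
    print("fixed: ", audit_interface_rules(FIXED_LAN_RULES, "LAN"))
```

With the broken ruleset the audit reports both local networks leaving via WANGroup; with the corrected one it reports nothing, while a destination outside the alias still takes the gateway group as intended.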

Multi-WAN HA with DMZ Diagram

Due to the additional WAN and DMZ elements, a diagram of this layout is much more complex as can be seen in Figure Diagram of Multi-WAN HA with DMZ.

Figure: Diagram of Multi-WAN HA with DMZ (image diagrams-example-multi-wan-carp.png)