I’d like to set up two routers to be able to fail over. My question is about the Red/WAN interface. The shared (virtual) address is a static IP, so the individual routers can’t have an address on the same subnet as the shared address. Can this work if the boxes have a private IP range 10.x.x.x but the shared address is public?
The usual setup is to use three IP addresses. Technically they don’t have to be from the same subnet, but they usually are to ensure that each of the firewalls is still able to have internet access, even if it is not holding the primary IP address.
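As an added illustration of the three-address layout described above (not configuration from the original thread or from any poster), here is what it looks like with OpenBSD's CARP, since the thread mentions an OpenBSD setup. The addresses (192.0.2.0/24 documentation range), the interface name em0, the vhid and the password are constructed placeholders; each firewall keeps its own address on the physical interface, and the shared address lives on carp0. The firewall with the lower advskew holds the shared address; the other one still has its own address and therefore its own path to the Internet while standing by.

```conf
# --- Firewall A (preferred primary) ---
# /etc/hostname.em0  -- A's own WAN address (assumed example values)
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp0  -- the shared address both boxes can take over
# vhid must match on both boxes; pass is the shared CARP password (placeholder)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0

# --- Firewall B (standby) ---
# /etc/hostname.em0  -- B's own WAN address, same subnet as the shared one
inet 192.0.2.3 255.255.255.0

# /etc/hostname.carp0  -- same vhid and password, higher advskew so B only
# takes the address when A stops advertising
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 100

# /etc/sysctl.conf on both boxes -- let the lower-advskew box reclaim the
# address after it comes back
net.inet.carp.preempt=1
```

If the physical addresses were instead taken from a private 10.x.x.x range as the question proposes, the standby would keep its own address but would have no usable route out until it took over the public address, which is the trade-off the reply above describes. Whatever layout is chosen, the CARP password should be treated like any other shared secret, and the CARP advertisements (IP protocol 112) should only be reachable between the two boxes.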
Thank you for the feedback. I got a similar setup working with OpenBSD, but we had three static IP addresses. Having the slave machine locked out of the internet isn’t ideal, but I’m trying to avoid having to get more static IPs.
I’d have to ask my ISP if multiple dynamic IPs are an option.
My goal was to have a redundant setup so that if one router dies, the network can continue to function. It’s not an absolute requirement, more of a cost/benefit tradeoff. Having a cold spare might be a more practical solution. Being out for several days while I got a new router going was too much downtime, so I got a second box.
It’s a little odd for routers to go out. I would definitely review your installation and select things appropriate for extreme environments.
A cold or warm spare would be easier to implement and not as much of a security risk as a hot spare with active software.
A warm spare is normally done out of band with relay control, but since the hardware wouldn’t be present to do this at the installation, you would wire the redundant router in and manually unplug the malfunctioning router and plug in the spare. What you end up with in a warm spare setup is an unmanaged switch for the WAN interfaces and one for each of the LAN networks (green, blue, orange if using IPFire on both).