Adding OVH fail-over IPs to our pfSense 2.X configuration

This setup is only valid for a pfSense 2.0 configuration using routing instead of NAT, as explained in this post. A version for pfSense 1.2.X can be found here.

IP Fail-over

Fail-over IPs are IPs that you can assign to any of the host servers you have with OVH. When a host fails, assign the IP to another one running the same service and OVH will route traffic to this new host. It is your job to make your host and the firewall in front of it (if any) handle this extra IP. This helps guarantee continuity of service!

First remember the network schema I use for testing. I want to add the fail-over IP to my WEB server running on

network schema

I have 3 possibilities:

1 on 1 NAT

First, I create an IP Alias for on the WAN side to allow the firewall to reply to ARP requests on this side:

IP Alias

Then I create a 1 on 1 rule to forward traffic up to IP

1 on 1

Now I have to update my filter rules to let traffic for this new address pass through. I have two ways:

  • I can duplicate each entry about in OPT1 and WAN panels and replace the by in the new entries.
  • Or, my favorite one, use host aliases!

Using aliases

I create a webserver host alias and assign it both addresses : and

new host alias

Then I use the name webserver instead of IP in all my firewall rules :

update firewall rules

Because this is NAT, you don't need to assign IP to your host.

Port forwarding

I won't detail this solution too much. In short:

  • Create an IP Alias for on the WAN side (like in 1 on 1 above)
  • Create a port forwarding rule to NAT HTTP traffic to on the WAN side up to
  • Be sure the NAT rule has also created the associated filter rule for HTTP traffic.
  • If you need to access host through IP from your LAN or DMZ, you need to enable NAT reflection at the bottom of the NAT rule.

If you need to forward more ports, add more NAT rules. Because this is NAT, you don't need to assign IP to your host. You can even forward different ports to different hosts inside your DMZ.


I like routing, but not this time! This was my first choice for version 1.2.X, but the setup is a little trickier this time because of changes in the routing interface! Use it only if you need routing instead.

I have to add a route that brings packets for on the WAN side to on the DMZ side. One operation was required using 1.2.X; pfSense 2.0 requires 3! First add a Proxy ARP entry to reply to ARP requests for on the WAN side:

Proxy ARP

Second, add to the gateway list.


And last, set up the route for host:


Now I have to update filter rules to let traffic for this new address pass through. Look at 1 on 1 above to see how I do it.

Finally don't forget to assign IP to your host.

Routing drawback

The server has 2 IPs. To answer requests from outside, it will use the same source address as the destination address in the original request. This is fine! But to open new connections it will choose the IP depending on the outgoing route. And because the default gateway is, it will use This is not very nice. Some applications allow forcing the source IP, but not all. Using source NAT would make the use of, useless because replies would always come even if destination was and remote source would not understand why it gets a reply from instead of Then choose 1 on 1 instead!
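The source-address behaviour described above can be observed with a small script. This is an added example, not part of the original post: two loopback addresses are constructed stand-ins for the server's main IP and its fail-over IP, and it assumes a Linux host, where every 127.0.0.0/8 address is local.

```python
import socket
import threading

MAIN_IP = "127.0.0.1"      # stand-in for the server's main IP (constructed)
FAILOVER_IP = "127.0.0.2"  # stand-in for the fail-over IP (constructed)


def start_peer(listen_ip=MAIN_IP):
    """Start a TCP listener that tells each client which source IP it saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_ip, 0))          # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:           # listener was closed
                return
            with conn:
                conn.sendall(peer[0].encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def source_seen_by_peer(dest, source_ip=None):
    """Connect to dest and return the source IP the remote side observed.

    source_ip=None lets the kernel choose from the outgoing route (the
    default behaviour described above); otherwise bind() forces it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        if source_ip is not None:
            s.bind((source_ip, 0))    # must happen before connect()
        s.connect(dest)
        return s.recv(64).decode()


if __name__ == "__main__":
    peer = start_peer()
    dest = peer.getsockname()
    print("kernel-chosen source:", source_seen_by_peer(dest))
    print("forced source:       ", source_seen_by_peer(dest, FAILOVER_IP))
    peer.close()
```

An application that cannot bind() its outgoing sockets this way always gets the route-selected address, which is the case where 1 on 1 NAT is the simpler choice.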

That's it


Thanks for this tutorial.
How do you get the pfSense graphical interface shown in your tutorial? Which port?
What needs to be installed, and how do you access it without the WAN and the VM configuration specific to OVH?

How do you do this part under pfSense 2.0 for a VM (1 IP, 1 failover IP and 1 MAC address)?

auto eth0
iface eth0 inet static
address # failover address for the virtual server
post-up /sbin/ip route add IP-principale.du.Serveur.254 dev eth0 # the server's gateway
post-up /sbin/ip route add default via IP-principale.du.Serveur.254

aspineux's picture

I'm creating a virtual LAN on the ESXi server.
I install one VM with a web browser and connect the VM to this LAN. This can be a Windows, or a Linux, or even faster, a live distribution that is able to run from the ISO without any installation.
I connect the pfSense to this virtual LAN and I manage it from the freshly installed VM.
I'm using the VMware console to remotely manage the Linux or Windows VM and start the web browser to set up the FW.

I don't understand the second part of the question. The debian/ubuntu network setup looks fine. I have not tested it but I use an identical setup for fedora/centos
==== /etc/sysconfig/network-scripts/ifcfg-eth0

=== /etc/sysconfig/network-scripts/route-eth0 ===
# first define a route for the gw
X.X.X.254/32 dev eth0
# then define the default gw using an uncommon way via
