Firewall or other solution for automatic fail-over to a second server?

Solution 1:

You have a few options:

  • Establish a "floating" IP address and a mechanism for moving it from one host to another in the event of a failure. This sort of feature is provided by "high availability" solutions such as the Linux HA project and Pacemaker.

    This solution requires no extra hardware.

  • Put a load-balancing proxy in front of the two servers. This is a system that accepts connections from clients and then passes them on to the backend server. Typically, a proxy can be configured to either balance the load between the two or to treat one as a failover target (to be used only if the primary system fails). You have lots of options in this category:

    • Apache includes a load balancer; see the mod_proxy_balancer documentation.
    • Pound is a simple-to-configure and flexible HTTP/HTTPS proxy.
    • Balance is a simple TCP proxy (which means it will work for protocols other than HTTP).

    And there are many, many others. In general, most software that can act as a reverse HTTP proxy (Squid, nginx, Varnish, etc.) can do this sort of active/passive web cluster.

  • The Linux Virtual Server Project provides a kernel-level load balancing solution.

Something in this list should help you out or at least get you headed in the right direction.

You asked specifically about pfSense. From the pfSense web site:

Limitations

  • Equally distributes load between all available servers - unable to unequally distribute load between servers at this time.
  • Only checks if the server responds to pings or TCP port connections. Cannot check if the server is returning valid content.

So unless the docs are out of date, pfSense will not do what you want.
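
The pfSense limitation quoted above (ping or TCP port checks only) matters when a backend still accepts connections but serves errors. The following added example, which is not part of the original answer, contrasts a port-level check with a content-validating check against two constructed local backends; the function names and the `status: ok` marker are assumptions made for illustration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = b"status: ok"  # constructed string a healthy backend is assumed to return

def tcp_check(host, port, timeout=2.0):
    """Port-level check: passes as soon as a TCP connection can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def content_check(host, port, timeout=2.0):
    """Application-level check: requires HTTP 200 and the marker in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status == 200 and MARKER in resp.read(4096)
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

def start_backend(status, body):
    """Start a constructed local HTTP backend on an ephemeral loopback port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def pick_backend(backends, check):
    """Active/passive selection: first backend in priority order that passes."""
    return next((b for b in backends if check(*b)), None)

def demo():
    primary = start_backend(500, b"database connection failed")  # port open, app broken
    standby = start_backend(200, MARKER)
    backends = [primary.server_address, standby.server_address]
    return (backends.index(pick_backend(backends, tcp_check)),
            backends.index(pick_backend(backends, content_check)))
```

`demo()` returns the index of the backend each check would route to: the TCP check keeps sending traffic to the broken primary (index 0), while the content check fails over to the standby (index 1).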