pfSense

I am mainly using pfSense in a CARP+HAproxy scenario (with a WAN and a LAN interface), and have to face a little conundrum.

Default gateway is located on the WAN interface and used for the following purposes :

• Downloading updates and anything on the public Internet
• Providing front-facing service

I have another gateway on the LAN interface that could go on the Internet if I needed to.

Given HAproxy has a nasty knack for not coming back online after an update, and because CARP comes back before HAproxy is started, causing downtime,
I need to shutdown the WAN interface to force failover safely and cleanly, but if I do that I lose my default gateway.

Right now the acrobatic way is to wait for the reboot to be about to kick in, and to rush with doing the WAN port shutdown in time.

Needless to say, this is a bit suboptimal so I was wondering about alternatives :

1. Either define a route for the pfsense repositories?
2. Add the ability to create multiple route tables?
   • Have the default OS use the LAN gateway
   • Have HAproxy run in its own FIB and make it use the WAN gateway
3. Implement source routing so that anything coming from WAN gateway has to go back via WAN gateway, but use the LAN gateway as default?