Dual DNS / DHCP / Firewall with only 1 WAN

[paulrbeers]

Current setup using a Unifi Security Gateway that acts as my DNS and DHCP server.   I have several VLAN's that all are dependent upon my USG.   Recently I made an update and something failed to update and it went down (hard).   This took my entire network since no DNS and DHCP server was available.  The problem then was I couldn't redo the USG because my controller was on one of the VM's on my VM Cluster.   Seriously, I have Proxmox HA setup on my VM servers, I have a Gluster supporting those as well as redundant networking.   The only thing I couldn't lose with my USG.   Murphy's law right?

Anyhoo.   Truthfully I don't care as much about HA when it comes to internet.  If I lost my Master OpnSense box, if all I had to do was pull the WAN Ethernet and plug it into the Slave, and we were back up and running for Internet, no big deal.    BUT I need internal routing to continue.   No matter what.   

So what I want:

Network Switches w/ VLANs-> Opnsense Master -> Wan (Cable modem w/ DHCP)
Network Switches w/ VLANs- - > Opnsense Slave ->  No Wan

Yes both boxes will have 3 Ethernet ports so I can do a Sync connection between them, but (short of putting another router between my modem and Opnsense which brings me back to a single point of failure), I don't know if I can do what I want to do?  And I get that HA isn't probably used in a setup like mine.