Erik Kirschner


pfSense firewall in High Availability mode (cluster)

Posted: November 15th, 2010 | Author: Erik | Filed under: Internet, Networking | Tags: alix, linux, load sharing, network security, Networking | 20 Comments »

Overview of a pfSense-CARP setup

Every cluster member needs its own real IP address on each interface that will carry a CARP virtual IP, plus one shared virtual IP per interface. With two members that is three addresses per interface: two real, one virtual. In the example used here, the primary firewall's WAN address is 127.29.29.1 and the backup firewall's WAN address is 127.29.29.2; on the LAN the primary uses 192.168.1.2 and the backup uses 192.168.1.3. (Note that 127.0.0.0/8 is the loopback range, so the 127.29.29.x WAN addresses are placeholders only; use a real, routable subnet on your WAN.)


Setting up dedicated pfsync interface

We strongly advise using a dedicated interface for pfsync. pfsync sends the state table in clear and without any authentication, so whoever can reach that segment can read every connection your firewall is tracking, or inject states of their own. Use a dedicated interface, ideally a direct cable between the two boxes, and never carry pfsync over the production LAN or the WAN.

Set up the sync interface on each cluster member and give it an IP address in the same subnet, for example 192.168.4.1 on the master and 192.168.4.2 on the backup, with a /24 mask.

Enable pfSync

On every cluster member, go to Firewall -> Virtual IPs -> CARP settings and tick Synchronize Enabled, then:
-> Synchronize Virtual IPs [ X ]
-> Synchronize to IP [ enter the backup's sync address ONLY on the master! ]
-> Remote System Password [ do not forget it! ]

Select the dedicated sync interface in the Synchronize Interface dropdown on all cluster members.

Afterwards visit Firewall -> Rules and add a rule allowing traffic on the newly created pfsync interface on each cluster member. An allow-all rule (any to any) is acceptable only because the interface is a dedicated point-to-point link; if anything else can reach that segment, limit the rule to the pfsync protocol (IP protocol 240) plus the webConfigurator port (HTTP or HTTPS, used by the XMLRPC configuration sync) between the two sync addresses.

Adding CARP shared virtual IP addresses

Now, on the master cluster member, add a virtual IP address of type CARP in Firewall -> Virtual IPs for each interface that needs one. Make sure each virtual IP falls within the subnet of the address configured on the corresponding real interface (WAN, LAN, OPT1, etc.). Give every shared virtual IP its own VHID; the VHID must be unique on that Layer 2 segment, including any other CARP or VRRP routers, because it determines the virtual MAC address used for the address. Also set a password on each CARP virtual IP: CARP advertisements carry an HMAC derived from it, and that is what stops another host on the segment from advertising your VHID and taking over the address. The host with the lowest skew (advskew) becomes master. The XMLRPC sync process automatically adds 100 to the skew on the backup, so set the skew to 0 on the master's CARP virtual IPs and let pfSense handle the rest.

Preparing for XMLRPC Sync

Now set the same admin password and the same webConfigurator protocol (HTTP/HTTPS) on each cluster member; the master authenticates to the backup's webConfigurator over this protocol to push the configuration, so prefer HTTPS even on the dedicated link.

On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the second cluster member's sync IP address (192.168.4.2 in the example above). Then enable all sections you want to sync (Synchronize rules, Synchronize aliases, Synchronize NAT, and so on). This automatically pushes the configuration from the master cluster member to the backup. Click Save. You should see the virtual IP addresses appear on the backup host.

Setting up advanced outbound NAT

Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click save.

Edit the automatically added rule for LAN. Pick the shared CARP virtual IP address on the WAN as the Translation IP address, so that outbound connections are sourced from an address that moves with the master on failover rather than from one firewall's real WAN address. Give the rule a description and click Save.

Setting DHCP Server to use the CARP LAN IP Address

On both firewalls, visit Services -> DHCP Server and click the LAN tab. Set the default gateway to the LAN CARP virtual IP address, not to either firewall's real LAN address (192.168.1.2 or 192.168.1.3); otherwise clients lose their gateway the moment that particular box fails. Click Save.

It is also a good idea to enable DHCP failover. In the Failover peer IP box enter the other firewall's real LAN address: 192.168.1.3 on the primary and 192.168.1.2 on the backup. Click Save.

Checking that XMLRPC sync worked

Visit the backup cluster member and verify that NAT, virtual IPs and rules have been synchronized correctly.

Finally, on the backup host, visit Firewall -> Virtual IPs -> CARP settings, enable "Synchronize Enabled" and make sure that the pfsync interface is correct. Click Save.
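A quick way to check the result of the steps above, as an added example that is not part of the original post or of pfSense itself: the following POSIX shell script takes the `ifconfig` output captured on both members (for instance via Diagnostics -> Command or ssh) and verifies that every VHID exists on both nodes, that exactly one node is MASTER per VHID, and that the backup's advskew is higher than the primary's, which is what the +100 added by XMLRPC sync should produce. The two captures embedded below are constructed samples, not real output; the interface names em0/em1/em2, the WAN subnet 203.0.113.0/24 and the LAN CARP address 192.168.1.1 are assumptions for illustration. Only the `carp: STATE vhid N advbase B advskew S` lines printed by FreeBSD's ifconfig are parsed.

```shell
#!/bin/sh
# carp_check.sh: cross-check CARP state on a two-node pfSense cluster.
# Added example, not code from the original post or from pfSense.
# Input: the text of `ifconfig` from each node. The samples below are
# CONSTRUCTED; interface names (em0/em1/em2), the WAN subnet 203.0.113.0/24
# and the LAN CARP address 192.168.1.1 are assumptions for illustration.

PRIMARY_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255'

# Healthy backup: same VHIDs, state BACKUP, advskew raised by 100 by the XMLRPC sync.
BACKUP_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.4.2 netmask 0xffffff00 broadcast 192.168.4.255'

# Split brain: the backup has also gone MASTER on the LAN VHID, which happens
# when CARP advertisements do not get through or the VHID password differs.
SPLITBRAIN_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 100'

# carp_lines NODE IFCONFIG_TEXT -> one line per CARP VIP: "node vhid state advskew"
carp_lines() {
    printf '%s\n' "$2" | awk -v node="$1" '
        /carp: / {
            for (i = 1; i <= NF; i++) {
                if ($i == "carp:")   state = $(i + 1)
                if ($i == "vhid")    vhid  = $(i + 1)
                if ($i == "advskew") skew  = $(i + 1)
            }
            print node, vhid, state, skew
        }'
}

# check_cluster PRIMARY_TEXT BACKUP_TEXT -> prints findings; exits 0 only if every
# VHID is on both nodes, has exactly one MASTER, and the backup skew is the higher one.
check_cluster() {
    { carp_lines primary "$1"; carp_lines backup "$2"; } | awk '
        {
            vhids[$2] = 1
            seen[$2, $1]++
            if ($3 == "MASTER") masters[$2]++
            skew[$2, $1] = $4 + 0
        }
        END {
            bad = 0; n = 0
            for (v in vhids) {
                n++
                if (seen[v, "primary"] != 1 || seen[v, "backup"] != 1) {
                    print "vhid " v ": not defined exactly once on both nodes (XMLRPC sync incomplete?)"
                    bad = 1; continue
                }
                if (masters[v] + 0 != 1) {
                    print "vhid " v ": " (masters[v] + 0) " MASTER(s), expected exactly 1 (split brain or no master)"
                    bad = 1
                }
                if (skew[v, "backup"] <= skew[v, "primary"]) {
                    print "vhid " v ": backup advskew " skew[v, "backup"] " is not above primary advskew " skew[v, "primary"]
                    bad = 1
                }
            }
            if (n == 0) { print "no CARP VIPs found"; bad = 1 }
            if (!bad) print "OK: " n " VHID(s), one MASTER each, backup advskew higher"
            exit bad
        }'
}

echo "== primary vs healthy backup =="
check_cluster "$PRIMARY_IFCONFIG" "$BACKUP_IFCONFIG" || echo "cluster unhealthy"
echo "== primary vs split-brain backup =="
check_cluster "$PRIMARY_IFCONFIG" "$SPLITBRAIN_IFCONFIG" || echo "cluster unhealthy"
```

To use it against live boxes, replace the two sample variables with the real captures (for example `PRIMARY_IFCONFIG=$(ssh admin@192.168.4.1 ifconfig)`) and run it from a host on the sync network; a non-zero exit makes it easy to wire into a monitoring check.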

You should read the hardware redundancy chapter in the pfSense book before configuring CARP.

From the Tutorials page:

  • Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation: http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

I have many pfSense Firewall appliances in my shop, which you can buy.

That’s it! Enjoy your failover firewall solution.


20 Comments on “pfSense firewall in High Availability mode (cluster)”

  1. RealTime - Questions: "How do i find my LAN ip address?" said at 20:02 on December 1st, 2010:

    [...] [...]

  2. Erik said at 13:26 on December 2nd, 2010:

    via Status and Interfaces

  3. business grants for women said at 00:38 on December 5th, 2010:

    Valuable info. Lucky me I found your site by accident, I bookmarked it.

  4. pell grant said at 12:13 on December 9th, 2010:

    I’ve recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

  5. pfSense High Performance Firewall | Erik Kirschner said at 09:25 on December 11th, 2010:

    [...] pfSense 2G High Performance Firewall, Router & Traffic Shaper. For both products a High Availability solution is possible, where two firewalls are deployed in operation and, should one of the firewalls fail, [...]

  6. nurse assistant said at 01:20 on December 12th, 2010:

    Great information! I’ve been looking for something like this for a while now. Thanks!

  7. information technology said at 11:27 on December 20th, 2010:

    Keep posting stuff like this, I really like it.

  8. Monex said at 14:11 on December 20th, 2010:

    So if you want to have 2 cluster members you will need 2 IP addresses for the real interfaces and then an IP for each virtual IP address. In the example shown to the right the primary CARP clusters WAN IP address is 127. Set up each cluster sync interface give it an IP address in the same subnet.

  9. Erik said at 15:09 on December 20th, 2010:

    @Monex, no. You need 2 IPs, one for each real interface, and 1 virtual IP. This virtual IP is shared between the cluster nodes. In this example:
    primary firewall real IP is 127.29.29.1/24
    backup firewall real IP is 127.29.29.2/24
    virtual IP (shared) is 127.29.29.3/24

  10. medical billing said at 09:42 on December 24th, 2010:

    Thanks for an idea, you sparked a thought from an angle I hadn’t given thought to yet. Now let's see if I can do something with it.

  11. Erik said at 11:55 on December 25th, 2010:

    @medical billing, it’s a very useful solution when you need a stable service. :)

  12. James L Despain said at 09:02 on December 27th, 2010:

    Thanks for the great post. Bookmarked.

  13. administrative assistant said at 06:54 on January 5th, 2011:

    Thank you, I have recently been searching for information about this topic for ages and yours is the best I have discovered so far.

  14. federal student loan said at 22:23 on January 11th, 2011:

    Finally, an issue that I am passionate about. I have looked for information of this caliber for the last several hours. Your site is greatly appreciated.

  15. medical billing said at 21:36 on January 20th, 2011:

    I think one of your advertisements caused my internet browser to resize, you might want to put that on your blacklist.

  16. pfSense OpenVPN Authentification against Win 2008 R2 Active Directory via Radius Protocol | Erik Kirschner said at 11:06 on February 5th, 2011:

    [...] can also be deployed in large environments, as shown by the available high availability solution (pfSense firewall in High Availability mode, cluster). Larger environments of course also contain other manageable network devices (routers, [...]

  17. Nannie Depass said at 19:27 on April 21st, 2011:

    Really love your post.

  18. Anna said at 15:51 on December 19th, 2011:

    Our test sets will help you test and improve your knowledge and skills and pass the EPSO competition to receive the dreamt-of EU career. Don’t waver and try our unpaid sample today!

  19. Ivo said at 12:44 on January 8th, 2012:

    Furnishing concepts for making your home interior. News and fashion trends from the world's latest shows.

  20. Georgi said at 20:42 on April 7th, 2012:

    Our company has a high proficiency in the manufacturing of high grade details, welded designs and metal parts made of rust-proof steel and black steel with diverse thicknesses.


© Copyright 2012 | Erik Kirschner | All Rights Reserved