Overview of a pfSense-CARP setup
You need one real IP address for every CARP cluster host. So, with 2 cluster members you need 2 IP addresses for the real interfaces, plus one IP for each shared virtual IP address, which in this case amounts to 3. In the example shown to the right, the primary CARP cluster member's WAN IP address is 127.29.29.1 and the backup firewall's WAN IP address is 127.29.29.2. The primary cluster member's LAN IP address is 192.168.1.2 and the backup firewall's LAN IP address is 192.168.1.3.
Setting up a dedicated pfsync interface
We strongly advise using a dedicated interface for pfsync.
Set up the sync interface on each cluster member and give it an IP address in the same subnet. Example: on the master cluster member enter 192.168.4.1 and on the backup cluster member enter 192.168.4.2 as the IP address. Use a /24 subnet.
Enable pfsync in Firewall -> Virtual IPs -> CARP settings -> Synchronize Enabled (check it) on all cluster members.
-> Synchronize Virtual IPs [ X ]
-> Synchronize to IP [ enter the slave's IP address, ONLY on the master! ]
-> Remote System Password [ do not forget! ]
Select the dedicated Sync interface with the Synchronize Interface dropdown on all cluster members.
Afterward, visit Firewall -> Rules and add an allow-all rule (from any to any) on each cluster member for the newly created pfsync interface.
Adding CARP shared virtual IP addresses
Now, on the master cluster member, add virtual IP addresses of the CARP type in Firewall -> Virtual IPs. Make sure that each virtual IP address falls within the same subnet as an IP address defined on a real interface (WAN, LAN, OPT1, etc.). You need to dedicate a unique VHID to each shared virtual IP address. The host with the lowest skew is the master. The XMLRPC sync process automatically adds +100 to the skew on each backup host while syncing, so we recommend setting the skew to 0 on the master host's CARP virtual IPs. pfSense will handle the rest.
Preparing for XMLRPC Sync
Now set the same admin password and webConfigurator protocol (HTTP/HTTPS) on each cluster member.
On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the second cluster member's sync IP address (192.168.4.2 in the earlier example). Afterwards, enable all sections you want to sync (Synchronize rules, Synchronize aliases, Synchronize nat, and so on). This will automatically push the configuration from the master cluster member to the backups. Click save. You should see the virtual IP addresses automatically synchronized to the backup hosts.
Setting up advanced outbound NAT
Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click save.
Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address. Give the item a description and click Save.
Setting DHCP Server to use CARP LAN IP Address
On both firewalls, visit Services -> DHCP Server. Click on the LAN tab. Set the default gateway to 192.168.1.3. Click save.
It may also be a good idea to enable DHCP failover. Enter 192.168.1.2 in the Failover peer IP box on the primary and 192.168.1.1 on the backup server. Click save.
Checking that XMLRPC sync worked
Visit the backup cluster member and verify that the NAT rules, virtual IPs and firewall rules have been synchronized correctly.
Finally, on the backup host, visit Firewall -> Virtual IPs -> CARP settings, enable "Synchronize Enabled" and make sure that your pfsync interface is correct. Click save.
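As an added check that is not part of this tutorial: once sync has run, the CARP role and skew of every VIP can be read from `ifconfig` on each node (FreeBSD prints one `carp: MASTER vhid N advbase N advskew N` line per VIP). The script below, run against constructed sample output for both nodes, parses those lines and flags a VHID that is missing on one node, that has no single MASTER, or whose lowest-skew node is not the master.

```python
import re

# Constructed sample ifconfig output (pfSense/FreeBSD format), one per node.
MASTER_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
BACKUP_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    carp: BACKUP vhid 2 advbase 1 advskew 100
"""
# Constructed fault: both nodes claim MASTER for vhid 1 (split brain).
SPLIT_BRAIN_BACKUP = BACKUP_IFCONFIG.replace("BACKUP vhid 1", "MASTER vhid 1")

IFACE_RE = re.compile(r"^(\S+): flags=")
CARP_RE = re.compile(r"^\s*carp: (MASTER|BACKUP|INIT) vhid (\d+) advbase \d+ advskew (\d+)")

def parse_carp(ifconfig_text):
    # Return {vhid: {"iface", "state", "advskew"}} for every CARP VIP seen.
    vips, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # remember which interface the carp lines belong to
            continue
        m = CARP_RE.match(line)
        if m:
            state, vhid, skew = m.groups()
            vips[int(vhid)] = {"iface": iface, "state": state, "advskew": int(skew)}
    return vips

def check_cluster(master_text, backup_text):
    # Compare both nodes; return a list of problems (empty list means healthy).
    a, b = parse_carp(master_text), parse_carp(backup_text)
    problems = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            problems.append(f"vhid {vhid}: VIP missing on one node (sync incomplete?)")
            continue
        states = (a[vhid]["state"], b[vhid]["state"])
        if states.count("MASTER") != 1:
            problems.append(f"vhid {vhid}: states {states}, expected exactly one MASTER")
        if a[vhid]["advskew"] >= b[vhid]["advskew"]:
            problems.append(f"vhid {vhid}: master skew is not below backup skew")
        elif a[vhid]["state"] != "MASTER":
            problems.append(f"vhid {vhid}: lowest-skew node is not MASTER")
    return problems
```

Feed it the real output of `ifconfig` from both nodes; any line it returns points at the VIP whose sync, skew or election state needs a look.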
You should read the hardware redundancy chapter in the pfSense book before configuring CARP.
From the Tutorials page:
- Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation
I have many pfSense Firewall appliances in my shop, which you can buy.
That’s it! Enjoy your failover firewall solution.