15 Nov

pfSense firewall in High Availability mode (cluster)

Overview of a pfSense-CARP setup

You need one real IP address for every CARP cluster host. So, if you want to have 2 cluster members, you will need 2 IP addresses for the real interfaces and then an IP for each virtual IP address. So in this case it would amount to 3. In the example shown to the right, the primary CARP clusters WAN IP address is and the backup firewalls WAN IP address is The primary clusters LAN IP address is and the backup firewall’s LAN IP address is

Setting up dedicated pfsync interface

We strongly advise using a dedicated interface for pfsync.

Set up each cluster sync interface, give it an IP address in the same subnet. Example: on the master cluster member enter and on the backup cluster member enter for the IP address. Use a /24 subnet.

Enable pfSync

Enable pfSync in Firewall -> Virtual IPs -> CARP settings -> Synchronize Enabled (check it) on all cluster members.
-> Synchronize Virtual IPs [ X ]
-> Synchronize to IP [ insert Slave IP ONLY on Master! ]
-> Remote System Password [ do not forget! ]

Select the dedicated Sync interface with the Synchronize Interface dropdown on all cluster members.

Afterward visit Firewall -> Rules and add an allow all from any to any rule on each cluster member for the newly created pfsync interface.

Adding CARP shared virtual IP addresses

Now on the master cluster member add a virtual IP addresses of the CARP type in Firewall -> Virtual IPs. Make sure that the virtual IP addresses fall within the same subnet of an IP address defined on real interface (WAN, LAN, OPT1, etc.). You need to dedicate a unique VHID per shared virtual IP address. The lowest skew states that the host should be a master. The XMLRPC process will automatically add +100 to each host while syncing. So we recommend setting the skew to 0 on the master hosts CARP virtual IPs. pfSense will handle the rest.

Preparing for XMLRPC Sync

Now set the same Admin password and protocol for the webConfigurator (HTTP/HTTPS) on each cluster member

On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the 2nd cluster members sync ip address (earlier in example was Afterwards, enable all sections you want to sync (Synchronize rules, Synchronize aliases, Synchronize nat, ..*). This will automatically push configurations from the master cluster member to the backups. Click save. You should see the virtual ip addresses automatically synchronized to the backup hosts

Setting up advanced outbound NAT

Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click save.

Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address. Give the item a description and click Save.

Setting DHCP Server to use CARP LAN IP Address

On both firewalls, visit Services -> DHCP Server. Click on the LAN tab. Set the default gateway to Click save.

It also may be a good idea to enable failover DHCP. Enter in the failover peep box on the primary and on the backup server. Click save.

Checking that XMLRPC sync worked

Visit the backup cluster member and verify that NAT, Virtual IP’s and rules have been synchronized correctly.

Finally on the backup host, visit Firewall -> Virtual IPs -> CARP settings -> and enable “Synchronize Enabled” and make sure that your pfSync interface is correct. Click save.

You should read the hardware redundancy chapter in the pfSense book before configuring CARP.

From the Tutorials page:

  • Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP & pfsync / pfSense CARP & pfsync failover-simulation


I have many pfSense Firewall appliances in my shop, which you can buy.

That’s it! Enjoy your failover firewall solution.

Leave a Reply

Your email address will not be published.