This document provides instructions for configuring high availability between two pfSense firewalls using CARP synchronization. The key steps are:
1. Create firewall rules on each firewall to allow communication on the SYNC interface.
2. Configure the backup firewall for CARP synchronization to the SYNC interface only.
3. Configure the primary firewall for CARP synchronization of rules, NAT, and virtual IPs to the backup firewall's SYNC IP.
4. Create virtual IP addresses for the WAN and LAN interfaces that both firewalls will share and take over if the primary fails.
1. Network Configuration:
                 PFSENSE1_PRIMARY      PFSENSE2_BACKUP
   WAN IP:       192.168.168.110       192.168.168.111
   SYNC IP:      172.16.0.1            172.16.0.2
   LAN IP:       10.1.0.1              10.1.0.2
The 2 IP addresses below will be shared between the firewalls.
WAN Virtual IP: 192.168.168.254
LAN Virtual IP: 10.1.0.254
Building The Cluster
The first thing you have to configure is a firewall rule on both boxes to allow the firewalls to
communicate with each other on the SYNC cards.
To do that click on "Firewall | Rules", click on the "SYNC" interface, click on the "Plus" button
to add a new firewall rule entry, set "Protocol" to "any", add a description so you can identify
what the rule does, then click on "Save", and then click "Apply Changes" if necessary.
2. Remain on the backup firewall; here we have to configure CARP synchronization and set it up
as a backup only. Click on "Firewall | Virtual IPs", then click on "CARP Settings", tick the
"Synchronize Enabled" checkbox, set the "Synchronize Interface" to "SYNC", then save the
changes.
We have now finished configuring the backup firewall; now we have to go and configure CARP
sync on the primary firewall.
Log back into your primary firewall, click on "Firewall | Virtual IPs", click on the "CARP
Settings" tab, tick the "Synchronize Enabled" box, select "SYNC" as your default synchronize
interface, and place checks in the following boxes: "Synchronize Rules", "Synchronize NAT",
"Synchronize Virtual IPs".
Then place the backup firewall's SYNC IP address in the "Synchronize to IP" box, and set the
"Remote System Password" for the backup firewall as well.
3. Save changes, apply changes if necessary.
Now we need to configure the Virtual IP address that both firewalls will be using. To do this go
to "Firewall | Virtual IPs" and click on the "Virtual IPs" tab.
We will set the WAN IP address first, press the "Plus" button to add a new Virtual IP, make sure
the IP type is set to "CARP", set the interface to "WAN", set the IP Address, and remember this
is the WAN address that will be used throughout your systems regardless of whether the primary
or backup firewall is in use.
Next create a "Virtual IP Password", leave the "VHID Group" set to 1 and leave the "Advertising
Frequency" at 0, add a description, then save and apply changes.
4. Now we have to configure a Virtual IP address for the LAN interface.
It is basically the same process as above, the only difference is you set the "Interface" to LAN,
change the "VHID Group" to 3 and a different "Description". Save the changes and apply.
As you can see in the "Firewall | Virtual IPs" section you will have two virtual IPs listed as
CARP types.
5. If you log onto the backup firewall's web interface and click on "Firewall | Virtual IPs" you
should see the virtual IPs synchronized to the backup firewall.
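Once both nodes show the same two CARP virtual IPs, the remaining check is which node actually owns each VHID. The following script is an added example, not part of the original how-to: it parses the CARP status lines that FreeBSD's ifconfig prints on each pfSense node (one line per VHID, e.g. "carp: MASTER vhid 1 advbase 1 advskew 0") and confirms that for every expected VHID exactly one node is MASTER and the other BACKUP. Two MASTERs for the same VHID (split-brain, usually a broken SYNC link) and no MASTER at all are both flagged. The ifconfig output below is constructed for the layout in this document; the interface names em0/em1 are assumptions.

```python
"""Verify CARP ownership of each VHID across two pfSense nodes.

Added example (not the how-to's own code). Input is the text of
`ifconfig` as run on each node; output is a list of findings.
"""
import re

# FreeBSD ifconfig prints one of these lines per CARP VHID on an interface.
CARP_LINE = re.compile(
    r"carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)"
)
# Interface header lines start at column 0: "em0: flags=...".
IFACE_LINE = re.compile(r"^(?P<iface>[a-z0-9.]+):\s+flags=")


def parse_carp(ifconfig_output):
    """Return {vhid: (iface, state, advskew)} for one node's ifconfig text."""
    result = {}
    iface = None
    for line in ifconfig_output.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface = m.group("iface")
            continue
        m = CARP_LINE.search(line)
        if m:
            result[int(m.group("vhid"))] = (iface, m.group("state"), int(m.group("advskew")))
    return result


def check_cluster(primary_out, backup_out, expected_vhids):
    """Compare both nodes. Returns a list of findings; an empty list means
    the primary is MASTER and the backup is BACKUP for every expected VHID."""
    p = parse_carp(primary_out)
    b = parse_carp(backup_out)
    findings = []
    for vhid in expected_vhids:
        ps = p.get(vhid, (None, "MISSING", None))[1]
        bs = b.get(vhid, (None, "MISSING", None))[1]
        masters = sum(1 for s in (ps, bs) if s == "MASTER")
        if masters == 2:
            findings.append(f"vhid {vhid}: split-brain, both nodes MASTER (check the SYNC link)")
        elif masters == 0:
            findings.append(f"vhid {vhid}: no MASTER (primary={ps}, backup={bs})")
        elif bs == "MASTER":
            findings.append(f"vhid {vhid}: backup holds MASTER, primary={ps} (failover has occurred)")
    for vhid in sorted(set(p) | set(b)):
        if vhid not in expected_vhids:
            findings.append(f"vhid {vhid}: VHID present but not expected")
    return findings


# Constructed sample output for the two nodes described in the text
# (WAN VHID 1 on em0, LAN VHID 3 on em1; interface names are assumed).
PRIMARY_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.168.110 netmask 0xffffff00 broadcast 192.168.168.255
        inet 192.168.168.254 netmask 0xffffffff broadcast 192.168.168.254 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        inet 10.1.0.254 netmask 0xffffffff broadcast 10.1.0.254 vhid 3
        carp: MASTER vhid 3 advbase 1 advskew 0
"""

BACKUP_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.168.111 netmask 0xffffff00 broadcast 192.168.168.255
        inet 192.168.168.254 netmask 0xffffffff broadcast 192.168.168.254 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.2 netmask 0xffffff00 broadcast 10.1.0.255
        inet 10.1.0.254 netmask 0xffffffff broadcast 10.1.0.254 vhid 3
        carp: BACKUP vhid 3 advbase 1 advskew 100
"""

if __name__ == "__main__":
    for finding in check_cluster(PRIMARY_IFCONFIG, BACKUP_IFCONFIG, [1, 3]) or ["cluster healthy"]:
        print(finding)
```

In practice you would feed the script the real `ifconfig` output collected from each node (over SSH, for instance) and run it from monitoring; the split-brain finding is the one worth alerting on, because with both nodes claiming the same VIP, traffic on that segment becomes unpredictable.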
Now here's how it works: the two pfSense firewalls constantly sync their rules, NAT, virtual
IPs and any other settings you selected in the synchronize options, and if for any reason the
primary firewall dies, the backup seamlessly takes its place.
Please be aware that when I was testing this there was a 10-second delay for the backup firewall to
take over, because the FreeBSD OS has to apply the virtual IP addresses to the interfaces once it
has lost connection to the primary firewall.
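Rather than guessing the takeover delay, it can be measured from the outside by probing the shared virtual IP once a second while the primary is taken down. The script below is an added example, not part of the original document: `outage_windows()` turns a list of (timestamp, reachable) samples into the outage intervals with their duration, and `probe_vip()` collects such samples with the system `ping`. The sample data is constructed to mirror a 10-second takeover; the `ping` flags used are those of Linux iputils ping, which is an assumption about the probing host.

```python
"""Measure how long a CARP virtual IP is unreachable during failover.

Added example (not the how-to's own code).
"""
import subprocess
import time


def outage_windows(samples):
    """samples: iterable of (t, reachable) in time order.
    Returns a list of (t_down, t_up, duration); an outage still open at the
    end of the run is reported as (t_down, None, None)."""
    windows = []
    down_since = None
    for t, ok in samples:
        if not ok and down_since is None:
            down_since = t                      # outage starts
        elif ok and down_since is not None:
            windows.append((down_since, t, t - down_since))  # outage ends
            down_since = None
    if down_since is not None:
        windows.append((down_since, None, None))
    return windows


def longest_outage(samples):
    """Longest completed outage in seconds, or 0 when the VIP never dropped."""
    completed = [d for _, up, d in outage_windows(samples) if up is not None]
    return max(completed, default=0)


def probe_vip(vip, seconds, interval=1.0):
    """Ping `vip` once per `interval` for `seconds`; return (t, ok) samples.
    Needs a real network; flags assume Linux iputils ping (-c count, -W timeout s)."""
    samples = []
    t0 = time.monotonic()
    while time.monotonic() - t0 < seconds:
        rc = subprocess.run(["ping", "-c", "1", "-W", "1", vip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
        samples.append((round(time.monotonic() - t0, 1), rc == 0))
        time.sleep(interval)
    return samples


# Constructed sample run: VIP 10.1.0.254 answers, primary is pulled at t=3,
# backup takes over at t=13 (matches the ~10 s delay described in the text).
CONSTRUCTED_SAMPLES = [(t, not 3 <= t <= 12) for t in range(15)]

if __name__ == "__main__":
    # To measure a real cluster, replace CONSTRUCTED_SAMPLES with
    # probe_vip("10.1.0.254", 120) and shut the primary down mid-run.
    for down, up, dur in outage_windows(CONSTRUCTED_SAMPLES):
        print(f"VIP down at t={down}, back at t={up}, outage {dur} s")
    print("longest outage:", longest_outage(CONSTRUCTED_SAMPLES), "s")
```

Running the probe from the LAN against 10.1.0.254 and from outside against 192.168.168.254 gives one number per segment, which is what to compare when tuning the "Advertising Frequency" of the CARP VIPs.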