In this HowTo I will show you how to configure a pfSense 2.0 Cluster using CARP Failover. pfSense is quite a advanced (open-source) firewall being used everywhere from homes to enterprise level networks, I have been playing around with pfsense now for the last 3 months and to be honest I am not looking back, it is packed full of features and can be deployed easily within minutes depending on your requirements.
You will need two identical computers, with 3 network cards minimum (if these firewalls are going to be on EDGE (front-line firewalls) of your network I highly recommend against virtual machines, VMs will work, it’s just best practice to keep these machines separate from your VM infrastructure (if you have any)), plus a dedicated subnet for the sync network traffic.
Example IP addresses I will be using in this HowTo:
Firewall 1 Firewall 2
WAN IP: 192.168.100.1 WAN IP: 192.168.100.2
SYNC IP: 10.155.0.1 SYNC IP: 10.155.0.2
LAN IP: 192.168.1.252 LAN IP: 192.168.1.253
The 2 IP addresses below will be shared between the firewalls.
WAN Virtual IP: 192.168.100.200
LAN Virtual IP: 192.168.1.254
This HowTo assumes that you already have pfSense installed on both computers and network cards configured with IP address etc., and working knowledge of pfSense too (mainly around the administration web interface).
Example of what we are building below:
Building The Cluster
The first thing you have to configure is a firewall rule on the both boxes to allow the firewalls to communicate with each other on the SYNC cards.
To do that click on “Firewall | Rules”, click on the “SYNC” interface, click on the “Plus” button to add a new firewall rule entry, set “Protocol” to “any”, add a description so you can identify what the rule does, then click on “Save”, and then click “Apply Changes” if necessary.
Remain on the backup firewall, here we have to configure CARP synchronization and configure it to be a backup only, click on “Firewall | Vitrual IPs”, then click on “CARP Settings”, tick the “Synchronize Enabled” checkbox, and select the “Synchronize Interface to SYNC”, then save the changes.
We have now finished configuring the backup firewall; now we have to go and configure CARP sync on the primary firewall.
Log back into your primary firewall, click on “Firewall | Virtual IPs”, click on the “CARP Settings” tab, tick the “Synchronize Enabled” box, select “SYNC” as your default synchronize interface, and place checks in the following boxes: “Synchronize Rules”, “Synchronize NAT”, “Synchronize Virtual IPs”.
Then place the backup firewall’s SYNC IP address in the “Synchronize to IP” box, and set the “Remote System Password” for the backup firewall as well.
Save changes, apply changes if necessary.
Now we need to configure the Virtual IP address that both firewalls will be using. To do this go to “Firewall | Virtual IPs” and click on the “Virtual IPs” tab.
We will set the WAN IP address first, press the “Plus” button to add a new Virtual IP, make sure the IP type is set to “CARP”, set the interface to “WAN”, set the IP Address, and remember this is the WAN address that will be used throughout your systems regardless of whether the primary or backup firewall is in use.
Next create a “Virtual IP Password”, leave the “VHID Group” set to 1 and leave the “Advertising Frequency” at 0, add a description, then save and apply changes.
Now we have to configure a Virtual IP address for the LAN interface.
It is basically the same process as above, the only difference is you set the “Interface” to LAN, change the “VHID Group” to 3 and a different “Description”. Save the changes and apply.
As you can see in the “Firewall | Virtual IPs” section you will have two virtual IPs listed as CARP types.
If you log onto the backup firewall’s web interface and click on “Firewall | Virtual IPs” you should see the virtual IPs synchronized to the backup firewall.
Now here’s how it works, the two pfSense firewalls will constantly sync their rules, NAT, virtual IPs and any other settings that you selected in the synchronize options, and for any reason that the primary firewall dies the backup will seamlessly take its place.
Please be aware when I was testing this there was a 10 second delay for the backup firewall to take over, because the freeBSD OS has to apply the virtual IP addresses to the interfaces once it has lost connection to the primary firewall.
To test this just pull the network cable out or shut the primary firewall down while you have a constant ping going to the LAN or WAN IP address, you might see the address drop out for a few seconds while the other firewall takes over.