
Configuring pfSense Hardware Redundancy (CARP) - PFSenseDocs http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redun...

Configuring pfSense Hardware Redundancy (CARP)
From PFSenseDocs

Contents
1 pfSense Hardware Redundancy with CARP
2 Overview of a pfSense-CARP setup
2.1 Setting up dedicated pfsync interface
2.2 Enable pfSync
2.3 Adding CARP shared virtual IP addresses
2.4 Preparing for XMLRPC Sync
2.5 Setting up advanced outbound NAT
2.6 Setting DHCP Server to use CARP LAN IP Address
2.7 Checking that XMLRPC sync worked
2.8 VMware ESX Users

pfSense Hardware Redundancy with CARP


This guide is brief and omits important considerations. You should read the hardware
redundancy chapter in the pfSense book (http://pfsense.org/book) before configuring CARP.

From the Tutorials page:

Building a fully redundant Cluster with 2 pfSense-systems between WAN/LAN with CARP &
pfsync / pfSense CARP & pfsync failover-simulation

http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

This next part is a work-in-progress editing of the old tutorial. It may be right, it may take some
work.


Overview of a pfSense-CARP setup

You need one real IP address for every CARP cluster host. So, if you want to have 2 cluster members, you will need 2 IP addresses for the real interfaces and then an IP for each virtual IP address. So in this case it would amount to 3. In the example shown to the right, the primary CARP cluster's WAN IP address is 127.29.29.1 and the backup firewall's WAN IP address is 127.29.29.2. The primary cluster's LAN IP address is 192.168.1.2 and the backup firewall's LAN IP address is 192.168.1.3.

Figure: Example CARP Setup Diagram

Setting up dedicated pfsync interface

We strongly advise using a dedicated interface for pfsync.

Set up each cluster sync interface and give it an IP address in the same subnet. Example: on the master cluster member enter 192.168.4.1 and on the backup cluster member enter 192.168.4.2 for the IP address. Use a /24 subnet.

Enable pfSync

Enable pfSync in Firewall -> Virtual IPs -> CARP settings -> Synchronize Enabled (check it) on
all cluster members.
-> Synchronize Virtual IPs [ X ]
-> Synchronize to IP [ insert Slave IP ONLY on Master! ]
-> Remote System Password [ do not forget! ]

Select the dedicated Sync interface with the Synchronize Interface dropdown on all cluster
members.

Afterward visit Firewall -> Rules and add an allow all from any to any rule on each cluster
member for the newly created pfsync interface.

Adding CARP shared virtual IP addresses


Now on the master cluster member add a virtual IP address of the CARP type in Firewall ->
Virtual IPs. Make sure that the virtual IP addresses fall within the same subnet as an IP address
defined on a real interface (WAN, LAN, OPT1, etc.). You need to dedicate a unique VHID per
shared virtual IP address. The lowest skew states that the host should be a master. The XMLRPC
process will automatically add +100 to each host while syncing. So we recommend setting the
skew to 0 on the master host's CARP virtual IPs. pfSense will handle the rest.
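The three rules above (VIPs inside a real interface's subnet, one VHID per VIP, and the +100 skew that sync applies so the lowest skew wins) can be checked before touching the GUI. The script below is an added illustration, not pfSense's own code; the node addresses follow the page's example, while the VIP addresses and node names are hypothetical.

```python
import ipaddress

# Constructed example mirroring the page's layout: two cluster members with
# real WAN/LAN addresses, and the CARP VIPs added on the master. The VIP
# addresses and node names are hypothetical; the page does not give them.
NODES = {
    "fw1": {"WAN": "127.29.29.1/24", "LAN": "192.168.1.2/24"},  # master (sync source)
    "fw2": {"WAN": "127.29.29.2/24", "LAN": "192.168.1.3/24"},  # backup
}
MASTER = "fw1"
# (vhid, VIP address/prefix, interface it belongs to, skew set on the master)
VIPS = [
    (1, "127.29.29.3/24", "WAN", 0),
    (2, "192.168.1.1/24", "LAN", 0),
]
SYNC_SKEW_OFFSET = 100  # XMLRPC sync adds +100 to the skew on each backup host


def check_vips(nodes, master, vips, offset=SYNC_SKEW_OFFSET):
    """Apply the page's VIP rules to a planned configuration.

    Returns (problems, expected_master): problems is a list of findings,
    expected_master maps each VHID to the node that should win the CARP
    election, i.e. the one with the lowest advskew after sync.
    """
    problems, seen, expected = [], set(), {}
    for vhid, addr, ifname, master_skew in vips:
        if not 1 <= vhid <= 255:
            problems.append(f"VHID {vhid} outside the valid CARP range 1-255")
        if vhid in seen:
            problems.append(f"VHID {vhid} reused; every shared VIP needs its own VHID")
        seen.add(vhid)
        vip = ipaddress.ip_interface(addr)
        skews = {}
        for node, ifaces in nodes.items():
            real = ipaddress.ip_interface(ifaces[ifname])
            if real.network != vip.network:
                problems.append(f"{node}: VIP {addr} not in {ifname} subnet {real.network}")
            if real.ip == vip.ip:
                problems.append(f"{node}: VIP {addr} collides with real {ifname} address")
            skews[node] = master_skew if node == master else master_skew + offset
        expected[vhid] = min(skews, key=skews.get)  # lowest skew becomes MASTER
    return problems, expected


if __name__ == "__main__":
    found, winners = check_vips(NODES, MASTER, VIPS)
    for line in found or ["no problems found"]:
        print(line)
    for vhid, node in winners.items():
        print(f"VHID {vhid}: expected MASTER is {node}")
```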

Preparing for XMLRPC Sync

Now set the same Admin password and protocol for the webConfigurator (HTTP/HTTPS) on each
cluster member.

On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the 2nd
cluster member's sync IP address (earlier in the example this was 192.168.4.2). Afterwards, enable all
sections you want to sync (Synchronize rules, Synchronize aliases, Synchronize nat, ..*). This
will automatically push configurations from the master cluster member to the backups. Click
save. You should see the virtual IP addresses automatically synchronized to the backup hosts.

Setting up advanced outbound NAT

Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound
NAT. Click save.

Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the
Translation IP address. Give the item a description and click Save.

Setting DHCP Server to use CARP LAN IP Address

On both firewalls, visit Services -> DHCP Server. Click on the LAN tab. Set the default gateway to
192.168.1.3. Click save.

It also may be a good idea to enable failover DHCP. Enter 192.168.1.2 in the failover peer box on
the primary and 192.168.1.1 on the backup server. Click save.

Checking that XMLRPC sync worked

Visit the backup cluster member and verify that NAT, Virtual IPs and rules have been
synchronized correctly.

Finally on the backup host, visit Firewall -> Virtual IPs -> CARP settings -> and enable
"Synchronize Enabled" and make sure that your pfSync interface is correct. Click save.

That's it! Enjoy your failover firewall solution.

VMware ESX Users

1. Enable promiscuous mode on the vSwitch
2. Enable "MAC Address changes"
3. Enable "Forged transmits"


This page was last modified on 29 April 2010, at 19:18. This page has been accessed 29,936 times.