Pfsync w/o CARP
-
Any way to enable pfsync (so that two firewalls can keep in sync) without using CARP, or are they tied together? I am looking to keep two firewalls with the same set of rules but not deal with the CARP failover, as the managed switch will handle failover.
Thanks!
-
How is your switch going to handle failover?
pfsync isn't what synchronizes rules, though; it synchronizes firewall states. Not sure if you can use the XMLRPC sync for rules without using CARP, someone else will have to chime in on that.
-
Ah, ok. Thanks for the info. Saving states would be nice, but syncing the rules would be my main goal. I could probably script something (or add a feature to the GUI such that when one updates its rules, it'll send them over to the other ones).
The failover is done by HSRP (http://en.wikipedia.org/wiki/Hot_Standby_Router_Protocol), which is similar to CARP.
-
I asked how you were going to fail over with the switch because I think you may be misunderstanding the capabilities of your switch. If it supports HSRP, it's only on the L3 functionality of the switch, and it's only going to fail the switch's routing capabilities over to another switch (or HSRP-capable router). HSRP isn't going to allow you to fail over between pfSense boxes; you'll need CARP and pfsync for that.
-
I have gotten this to work by just enabling "Synchronize Enabled" in the CARP Settings and selecting the desired interface. The firewalls will find each other via multicast and tell each other what states they have. I am load balancing across multiple firewalls and need to handle as many states as possible. I have also gotten syncing of rules working by following all the instructions for CARP but leaving out the virtual IP parts.