Running Two Individual PFSense Box's.
-
Failover often refer to multi-WAN links on the same box, failover of Internet services, not of the firewall. For high-availability FW, shops often run these boxes with a failover dual PSU 'cuz more often than not that what fails, not the whole box.
-
Yes you can run two pfSense boxes in an HA configuration:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
Steve
-
What would the physical set up for a fail over PFSense Box.
I have two servers and the current one that is running the PFSense Firewall currently only has two RJ45 Connections. One for Lan and another for WAN.
Would their be a Ethernet cable run from LAN too the Slave Fail Over PFSense Firewall Box from the master box and thus the slave box connected too the switch.
Or would you run a Ethernet RJ45 Cable directly from the Bridged ISP Box Modem too the slave PFSense Box.
I'm unsure about the actual layout of the cables involved and how too go about setting up the connections.
Also setting up the Fail Over Slave Box; would their have too be any packages installed on top of the default installation threw the Web GUI.
-
You don't have to use a dedicated sync interface on each node. You can send sync data via the LAN for example but it's not recommended.
Steve
-
Check that linked wiki page, this is the way you would connect it:
https://doc.pfsense.org/index.php/File:CARP_Setup.png
It means:
- the boxes need 3 or more interfaces
- You need at least 1 switch with VLANs or 2 switches
- HA is configurable in pfSense by default, it's in the menus, instructions are on the same wiki page
I'll have a look at the guides available as I want too do this, but can I ask. Were does Two Switches come in; instead of VLANS.
I have three switches hear at home and I'm only using one of them. I have another two in my cupboard so could I use these instead of having a switch that supports VLANS because these do not. Just 10 \ 100 Switches ..
-
Common setup would be as in the diagram on the wiki page.
A switch on the WAN side with the WAN from both nodes and the uplink to the ISP connected to it.
A switch on the LAN side with the LAN interface from both nodes and other internal resources connected to it.
If you use VLANs you can segregate ports on one switch to use in both these locations. That does then rely on your switch not ever forgetting it's config and defaulting back to dumb switch mode. We have seen that happen. Too many times!
Steve
Edit: typo
-
There is no authentication on the pfsync protocol. If you use LAN there anyone on LAN can probably spoof pfsync states which would effectively be the same as being able to arbitrarily insert firewall rules.
That is why it is highly-recommended that the SYNC be conducted on a separate interface.
If you do use one interface you should probably pass pfsync from the other node then block pfsync from LAN net. Note that you will need to create rules on the primary that pass pfsync from its own LAN interface and from the other node's LAN interface. That is probably spoofable, however, as I do not believe there is a response to pfsync required (just like UDP). I have not looked at it in detail.
In general, if it is worth HA it is worth doing correctly. If you're just labbing for the heck of it, then whatever.
-
Hey,
I'm just wanting too make sure I have this correct before I attempt too change anything or configure anything.
I'm looking at the diagram on the Wiki page and I'm also looking at the hardware and my configuration and how I currently have it now.
So just too be clear:
WAN Switch > Master PFSense Box (on WAN) \ Slave PFSense Box (on WAN) \ Uplink too Internet (Bridged Modem)
Internet > ISP Box >
LAN Switch > Master PFSense Box (on LAN) \ Slave PFSense Box (on LAN) \ Other Systems and devicesWould I run an RJ45 Ethernet Cable from WAN Switch too LAN Switch ..
For convenience have them colour coordinated and placed in a Logical order.
-
Would I run an RJ45 Ethernet Cable from WAN Switch too LAN Switch ..
No.
-
Would I run an RJ45 Ethernet Cable from WAN Switch too LAN Switch ..
No.
In that case would the two PFSense Boxes be connected directly with the Ethernet Cable.
-
If you have a third interface, yes. You need an interface for XMLRPC sync and pfsync. If you do not have one, and cannot make a VLAN, that would be the LAN. They will communicate via the switch. No need for a cable.
-
WAN Switch > Master PFSense Box (on WAN) \ Slave PFSense Box (on WAN) \ Uplink too Internet (Bridged Modem)
Internet > ISP Box >
LAN Switch > Master PFSense Box (on LAN) \ Slave PFSense Box (on LAN) \ Other Systems and devicesIs this the correct layout with the two switches ..
Also I have been watching YT Videos of PFSense and setting up a HA set up .
I just wanted to be clear before I start moving things ect.
I like too do my homework first. :D ..
Thanks.
-
The ASCII diagram is a little unclear. ;)
It should be setup exactly as it is shown in the wiki doc:
The top device there, labelled 'DSL router' would be your WAN side switch. Though if you have DSL it could be a DSL router with built in switch potentially.
Steve
