Setting up HA after being up and running for a few months



  • So I've had my pfSense at home running now for a couple of months and everything is awesome.  It was a bit of a learning curve coming over from Sophos UTM.

    Today I decided that I was going to set up HA with it.  Lol, at first I thought it would just be a simple "here is the sync interface, now go" like Sophos is.  However, I've learned through reading the docs that it's not that simple.

    I'm currently running pfSense 2.3.2-RELEASE-p1 (amd64).

    So I have the following services running:
    HAProxy, Squid, SquidGuard, Snort

    I have 9 VLANs:

    Main LAN 192.168.10.1/24
    Servers 192.168.9.1/24
    DMZ 192.168.2.1/24
    Cameras 192.168.5.1/24
    Management 192.168.6.1/24
    Misc 192.168.7.1/24
    Kids 192.168.80.1/24
    Radius 192.168.4.1/24
    WirelessBridge 192.168.3.1/24

    I do have 5 static public IPs, but they're already set up and tied back to various things here at the house.

    So from what I understand, with CARP I need to assign a VIP to each of the VLANs and set it up as CARP.

    But for the WAN side I want to be able to leave them set up and tied back to the various services that they serve up here at the house (SSL/VPN/etc.).

    So I installed a whole fresh VM on my other ESXi node today.  Before I started to go to work, I took a snapshot of my current one, and I was quite glad I did, lol, because I ended up rolling back.

    The new node, when the sync started to take place, was complaining that it didn't have all of the VLAN interfaces that the primary did, so I started to create them, and that's when things went south.  I lost all connectivity to my primary box, and I decided at this point that I would just roll back to my snapshot and turn down the new box until I could figure this thing out and the appropriate steps.

    So what I was wondering is: should I take a backup of my current box and then load that onto what will become the secondary node?  Then, once I do that, turn on the sync?

    How do I configure the WAN side of the house to leave my IPs alone but still be able to do HA with them?  Also, do I need to install all of the packages that the primary has on the secondary before I set up the sync?  Or will it see that it's missing a package and just install it for me?

    Sorry for the 20 questions; I'm just trying to figure this out, and most of the guides out there seem to start from fresh installs and not from where you're adding HA down the road.  Thank you all in advance for your assistance with this.  I look forward to getting this in place because, well, it's nice to have HA firewalls when I need to upgrade one of the ESXi hosts, be it ESXi itself or the firmware for the box.



  • Basically you have to change the interface IP on all your VLANs to .2 (or something) and make a CARP VIP on that VLAN for .1.
    On the WAN, make sure the NAT forwards are pointing to VIPs (CARP) and not the interface IP. Change the interface IP if needed, add a VIP and re-configure the port forwards. It's easiest if you can change all the VLANs from your main LAN, then switch to a VLAN to re-configure the LAN. As far as all the packages you are running, I don't know. I avoid running anything but simple packages on HA boxes.



  • Just FYI, it's possible to assign the WAN interfaces on a private subnet and still have all 5 public IPs as CARP IPs, or, possibly better, have 1 CARP IP and 4 aliases using the CARP VIP as a parent. Having it like that does come with its own 'troubles' though, like the backup box not being able to access the internet (updates/DNS/stuff) as all usable IPs are on the master box.
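The two replies above describe one procedure: on each VLAN the existing gateway address becomes the CARP VIP and each node gets its own interface address, port forwards must point at VIPs rather than interface addresses, and the WAN can sit on a private transfer subnet with the first public IP as a CARP VIP and the rest as IP aliases parented to it. The script below is an added example for this thread, not pfSense code and not from either poster; it does not touch pfSense, it just builds that addressing plan and audits a set of port forwards against it. Only the nine VLAN gateways come from the original post; the WAN transfer subnet, the documentation-range "public" IPs, the VHID numbering, the advskew values and the sample port forwards are constructed assumptions.

```python
"""Plan and sanity-check a CARP retrofit for an existing pfSense box.

Added example; not pfSense code. Builds the addressing plan described in the
thread and flags port forwards that still point at an interface address.
"""
import ipaddress

# Gateway addresses exactly as listed in the original post.
VLANS = {
    "lan": "192.168.10.1/24",
    "servers": "192.168.9.1/24",
    "dmz": "192.168.2.1/24",
    "cameras": "192.168.5.1/24",
    "management": "192.168.6.1/24",
    "misc": "192.168.7.1/24",
    "kids": "192.168.80.1/24",
    "radius": "192.168.4.1/24",
    "wirelessbridge": "192.168.3.1/24",
}

# Constructed WAN data (the post gives no WAN addresses): a private transfer
# subnet for the two interface addresses, RFC 5737 range standing in for the
# five static public IPs.
WAN_TRANSFER = "10.255.255.0/29"
PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12",
              "203.0.113.13", "203.0.113.14"]

# Assumed skew values: 0 makes a node preferred master, 100 is a common backup value.
ADVSKEW_PRIMARY, ADVSKEW_SECONDARY = 0, 100

# Constructed port forwards. Destination "WAN address" is the GUI wording for
# the interface address itself, which is exactly what must not be used under CARP.
SAMPLE_FORWARDS = [
    {"descr": "ssl vpn", "destination": "203.0.113.11", "port": 443, "target": "192.168.9.20"},
    {"descr": "legacy https", "destination": "10.255.255.1", "port": 443, "target": "192.168.2.10"},
    {"descr": "cameras", "destination": "WAN address", "port": 8080, "target": "192.168.5.10"},
]


def plan_vlan(name, gateway_cidr, vhid):
    """Keep the existing gateway as the CARP VIP; give the primary and secondary
    the first two host addresses that are not the VIP (works even when the
    gateway is not .1)."""
    iface = ipaddress.ip_interface(gateway_cidr)
    vip = iface.ip
    free = [h for h in iface.network.hosts() if h != vip]
    if len(free) < 2:
        raise ValueError(f"{name}: subnet too small for two nodes plus a VIP")
    return {
        "interface": name,
        "vip": f"{vip}/{iface.network.prefixlen}",
        "vhid": vhid,
        "primary": {"address": str(free[0]), "advskew": ADVSKEW_PRIMARY},
        "secondary": {"address": str(free[1]), "advskew": ADVSKEW_SECONDARY},
    }


def plan_wan(transfer_cidr, public_ips, vhid):
    """WAN layout from the thread: private interface addresses, first public IP
    as the CARP VIP, the remaining public IPs as IP aliases parented to it."""
    hosts = list(ipaddress.ip_network(transfer_cidr).hosts())
    if len(hosts) < 2:
        raise ValueError("wan: transfer subnet too small for two nodes")
    return {
        "interface": "wan",
        "primary": {"address": str(hosts[0]), "advskew": ADVSKEW_PRIMARY},
        "secondary": {"address": str(hosts[1]), "advskew": ADVSKEW_SECONDARY},
        "carp_vip": public_ips[0],
        "vhid": vhid,
        "aliases": [{"address": ip, "mode": "ipalias", "parent": public_ips[0]}
                    for ip in public_ips[1:]],
    }


def build_plan(vlans=VLANS, wan_transfer=WAN_TRANSFER, public_ips=PUBLIC_IPS):
    """Allocate one VHID per CARP VIP, sequentially from 1 (valid range 1..255)."""
    plan, vhid = {}, 1
    for name, cidr in vlans.items():
        plan[name] = plan_vlan(name, cidr, vhid)
        vhid += 1
    if vhid > 255:
        raise ValueError("ran out of VHIDs")
    plan["wan"] = plan_wan(wan_transfer, public_ips, vhid)
    return plan


def audit_port_forwards(forwards, plan):
    """Return (descr, reason) for every forward whose destination is not a CARP
    VIP or a CARP-parented alias; those stop working on failover."""
    node_addrs = {p[n]["address"] for p in plan.values() for n in ("primary", "secondary")}
    vips = {p["vip"].split("/")[0] for p in plan.values() if "vip" in p}
    vips |= {plan["wan"]["carp_vip"]} | {a["address"] for a in plan["wan"]["aliases"]}
    bad = []
    for fw in forwards:
        dst = fw["destination"]
        if dst in node_addrs or dst == "WAN address":
            bad.append((fw["descr"], "points at an interface address; use the CARP VIP"))
        elif dst not in vips:
            bad.append((fw["descr"], "destination is not a planned VIP or alias"))
    return bad


if __name__ == "__main__":
    plan = build_plan()
    for name, entry in plan.items():
        print(name, entry)
    for descr, reason in audit_port_forwards(SAMPLE_FORWARDS, plan):
        print(f"FIX {descr}: {reason}")
```

Run it before touching the firewall and fix every line it prints with FIX, then apply the plan from the main LAN in the order the reply suggests (all other VLANs first, the LAN you are connected through last). The VHID only has to be unique per broadcast domain, so sequential numbering across VLANs is stricter than required but avoids mistakes when interfaces are later re-trunked.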



  • Thank you both for your responses.

    So when building out the secondary server, should I build out all of the VLANs on there first before turning on the sync?  Would it just be easier if I restored the backup from the primary?  Thanks.


  • Netgate

    Build all the interfaces first. Make them exactly match the primary, in the same order, but with a different interface address, obviously.