System / High Availability Sync Settings without CARP



  • Greetings,

    Hope the Subject caught your attention.  This is pretty simple but before doing this I wanted solid constructive opinions.

    I have two pfSense servers; one is an active gateway and the other is identical in configuration but on a powered on 'Stand-by'.  If the primary goes down, I have to manually move the cables to fail over.  I don't have ready access to the backup to make configuration changes so my thought was to use the System / High Availability Sync on a dedicated port.

    After looking at the settings, it seemed clear to me that the configuration should replicate over without issue.  Also, if I choose to include the state changes, moving the cables manually to the backup SHOULD reduce the amount of time it would take to get back up and running.

    So my question is why should I NOT do this?  Why is connecting two identically configured servers together via a sync cable?  Remember: the other interfaces (em0, em1, em2, etc…) do not have an active connection to the WAN / DMA / LAN etc...

    Looking forward to your response.

    Dino



  • VRRP is licensed and a fee must be paid, and HSRP is a proprietary protocol from Cisco. Both do what CARP is also
    able to do for you, an automatic "swap" over if one device fails, but it can do more than the other two will
    ever do for you, and on top of that it is free of charge! Load balancing over MAC address and whole units, or pushing the
    state too, might be two of the extra goodies given to you. The main point here is to do or realize this
    automatically!

    I don't have ready access to the backup to make configuration changes so my thought was to use the System / High Availability Sync on a dedicated port.

    It might even be bad to hear that you will not have physical access to the backup unit. Why?
    You ask about swapping over the cable manually and you will not have direct access to the backup unit?
    Can you please go into more detail on that point?

    Also, if I choose to include the state changes, moving the cables manually to the backup SHOULD reduce the amount of time it would take to get back up and running.

    Normally there is one switch in front of that HA build with the modems connected, and one switch after the HA build
    (both units) that holds the entire rest of the LAN equipment. Nothing to do manually in my eyes.

    So my question is why should I NOT do this?

    One switch in front of and one after that HA setup, and you tell us you have no contact with that backup unit,
    but you ask about manually swapping over the cable?

    Why is connecting two identically configured servers together via a sync cable?

    It is for the message from one unit to the other, "I am alive", and if this is no longer sent, the second unit
    takes over automatically; it is a master / slave "system"! Therefore pfsync is used to also transmit the
    state tables or keep-alive packets, and this might give you (us) the ability to not lose all the active
    connections that the master has at that time, before failing. And the virtual MAC & IP address must be
    swapped over too! From the master to the slave, which will then be the new master!



  • Thank you very much for taking the time to comment.  After rereading what I posted, I realize I posted it too soon.  There is definitely information missing and some of the sentences seem to be incomplete.

    Ok, as for your post:

    I have 6 other firewalls that are in a CARP configuration and they are humming along with zero issues (knock on wood).  I have mine setup with a bi-directional state sync.  It has made my fail overs and fail backs seamless.

    The reason these two units are NOT in a CARP setup is simply because this pfSense is directly connected to the ISP equipment and we only have one supplied port from them.  I realize simply putting a switch in front of the gateway would allow us to CARP the two pfSenses together but I don't have an extra one to do this.  It is our gateway router.

    Why I don't have ready access to the backup gateway??  That actually was not accurate.  I have physical access and console access to the firewall BUT since the configuration is IDENTICAL to the primary, I don't have GUI access to the unit.

    So it's my understanding then that transferring the sync state across to the backup is a waste of time.  But syncing configuration changes from the primary to the standby will work.

    Again thanks for your time.

    Dino