Running Two Individual pfSense Boxes.



  • Hey,

    I'm curious to know if it's possible to run two individual pfSense boxes and have one system that will act as a redundant backup for the primary.

    Have the various Ethernet connections set up accordingly and simply leave one hardware system to take the load if my primary pfSense box goes down.

    I have two servers here and I would not mind using them if possible.

    Can someone explain if this is possible, and how to do it?

    I was looking into failover but wasn't sure if I was getting confused with an actual physical internet connection, as in having two lines in my property.

    Thanks.



  • Failover often refers to multi-WAN links on the same box, failover of Internet services, not of the firewall. For high-availability FW, shops often run these boxes with a failover dual PSU 'cuz more often than not that's what fails, not the whole box.


  • Netgate Administrator

    Yes you can run two pfSense boxes in an HA configuration:

    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    Steve



  • What would the physical setup be for a failover pfSense box?

    I have two servers, and the current one that is running the pfSense firewall only has two RJ45 connections: one for LAN and another for WAN.

    Would there be an Ethernet cable run from LAN to the slave failover pfSense firewall box from the master box, and thus the slave box connected to the switch?

    Or would you run an Ethernet RJ45 cable directly from the bridged ISP modem to the slave pfSense box?

    I'm unsure about the actual layout of the cables involved and how to go about setting up the connections.

    Also, setting up the failover slave box: would there have to be any packages installed on top of the default installation through the web GUI?


  • Netgate Administrator

    You don't have to use a dedicated sync interface on each node. You can send sync data via the LAN, for example, but it's not recommended.

    Steve



  • Check that linked wiki page; this is the way you would connect it:

    https://doc.pfsense.org/index.php/File:CARP_Setup.png

    It means:

    I'll have a look at the guides available as I want to do this, but can I ask: where do two switches come in, instead of VLANs?

    I have three switches here at home and I'm only using one of them. I have another two in my cupboard, so could I use these instead of having a switch that supports VLANs, because these do not? Just 10/100 switches.


  • Netgate Administrator

    Common setup would be as in the diagram on the wiki page.

    A switch on the WAN side with the WAN from both nodes and the uplink to the ISP connected to it.

    A switch on the LAN side with the LAN interface from both nodes and other internal resources connected to it.

    If you use VLANs you can segregate ports on one switch to use in both these locations. That does then rely on your switch not ever forgetting its config and defaulting back to dumb switch mode. We have seen that happen. Too many times!

    Steve

    Edit: typo


  • Netgate

    There is no authentication on the pfsync protocol. If you use LAN there, anyone on LAN can probably spoof pfsync states, which would effectively be the same as being able to arbitrarily insert firewall rules.

    That is why it is highly recommended that the SYNC be conducted on a separate interface.

    If you do use one interface you should probably pass pfsync from the other node then block pfsync from LAN net. Note that you will need to create rules on the primary that pass pfsync from its own LAN interface and from the other node's LAN interface. That is probably spoofable, however, as I do not believe there is a response to pfsync required (just like UDP). I have not looked at it in detail.

    In general, if it is worth HA it is worth doing correctly. If you're just labbing for the heck of it, then whatever.



  • Hey,

    I'm just wanting to make sure I have this correct before I attempt to change anything or configure anything.

    I'm looking at the diagram on the Wiki page and I'm also looking at the hardware and my configuration and how I currently have it now.

    So just to be clear:

    WAN Switch > Master PFSense Box (on WAN)    \    Slave PFSense Box (on WAN)    \    Uplink to Internet (Bridged Modem)
    Internet > ISP Box >
                                        LAN Switch > Master PFSense Box (on LAN)    \    Slave PFSense Box (on LAN)    \    Other Systems and devices

    Would I run an RJ45 Ethernet cable from WAN switch to LAN switch?

    For convenience, have them colour-coordinated and placed in a logical order.


  • Netgate

    Would I run an RJ45 Ethernet cable from WAN switch to LAN switch?

    No.



  • @Derelict:

    Would I run an RJ45 Ethernet cable from WAN switch to LAN switch?

    No.

    In that case, would the two pfSense boxes be connected directly with the Ethernet cable?


  • Netgate

    If you have a third interface, yes. You need an interface for XMLRPC sync and pfsync. If you do not have one, and cannot make a VLAN, that would be the LAN. They will communicate via the switch. No need for a cable.
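
    The rule logic Derelict describes in the two posts above (pass pfsync only from the other node, then block it from the rest of LAN net; preferably carry pfsync and XMLRPC sync on a dedicated interface) written out as a pf.conf fragment. This is an added illustration, not code from the thread or from the pfSense documentation; pfSense generates its ruleset from the web GUI rather than a hand-edited pf.conf, and every interface name and address below is an assumed placeholder.

    ```pf
    # Added illustration (not from the thread or pfSense): interface names
    # and addresses are assumed placeholders for a two-node HA pair.
    lan_if    = "em1"
    sync_if   = "em2"             # third NIC used only for SYNC, if you have one
    lan_net   = "192.168.1.0/24"
    peer_lan  = "192.168.1.3"     # other node's LAN address
    peer_sync = "10.0.0.2"        # other node's SYNC address
    gui_port  = "443"             # assumed default webGUI (XMLRPC sync) port

    # Preferred layout: a dedicated SYNC link. pfsync is its own IP
    # protocol (240 in /etc/protocols); XMLRPC config sync is HTTPS from the
    # primary to the secondary's webGUI. Nothing else lives on this segment.
    pass in quick on $sync_if proto pfsync from $peer_sync
    pass in quick on $sync_if proto tcp from $peer_sync to ($sync_if) port $gui_port

    # Fallback when SYNC has to share LAN (no third NIC, no VLAN): accept
    # pfsync from the peer first, then drop pfsync from anything else on
    # LAN net. As the post notes, a source address can still be spoofed, so
    # this narrows the exposure rather than removing it.
    pass in quick on $lan_if proto pfsync from $peer_lan
    block in quick on $lan_if proto pfsync from $lan_net
    ```

    The `quick` keyword makes the first matching rule final, which is why the peer pass rule has to sit above the LAN-net block; reversing the order would silently break state sync between the nodes.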



  • WAN Switch > Master PFSense Box (on WAN)    \    Slave PFSense Box (on WAN)    \    Uplink to Internet (Bridged Modem)
    Internet > ISP Box >
                                        LAN Switch > Master PFSense Box (on LAN)    \    Slave PFSense Box (on LAN)    \    Other Systems and devices

    Is this the correct layout with the two switches?

    Also, I have been watching YT videos of pfSense and setting up an HA setup.

    I just wanted to be clear before I start moving things etc.

    I like to do my homework first. :D

    Thanks.


  • Netgate Administrator

    The ASCII diagram is a little unclear.  ;)

    It should be set up exactly as it is shown in the wiki doc:

    The top device there, labelled 'DSL router', would be your WAN-side switch. Though if you have DSL it could potentially be a DSL router with a built-in switch.

    Steve