Configure AWS Pfsense instance to failover IPsec to another instance
-
Hi,
I'm trying to have High Availability in AWS for my pfSense instance. This instance has IPsec tunnels and is also the firewall for the instances behind the pfSense. The rest of the instances are HA already with the AutoScaling service, but this approach does not work well with pfSense. I launched a new pfSense in another AZ to function as the "slave". I configured it with the password and settings like that. In the "master" pfSense I configured System -> High Avail Sync as follows:

Master
Synchronize states: Enabled
Synchronize Interface: WAN
pfsync Synchronize Peer IP: Here I put the private IP of the WAN interface of the failover
Synchronize Config to IP: Here I put the private IP of the WAN interface of the failover
Remote System Username: admin (of the Failover)
Remote System Password: admin password (of the Failover)
Select options to sync: Everything selected

Slave
Synchronize states: Disabled
Synchronize Interface: WAN
pfsync Synchronize Peer IP: empty
Synchronize Config to IP: empty
Remote System Username: empty
Remote System Password: empty
Select options to sync: empty

Then I went to Firewall -> Virtual IP (Master)

For WAN:
I chose type CARP
WAN interface
Address: I put 198.51.100.200/24
VIP Password: random password
base 1 Skew 0

For LAN:
I chose type CARP
WAN interface
Address: I put 192.168.1.1
VIP Password: random password
base 1 Skew 0

In Slave I did not modify this part. This is where I'm stuck, because both appear as Master.
-
I know this topic is a bit old but I have not seen any solution so far. CARP will not work in AWS or Azure due to lack of multicast. Protocols like VRRP/GLBP are also not supported. However, I created a solution with scripting that I am hoping can help someone to set up some redundancy in AWS between two pfSense instances. I have been using this method for some time and it works very well. Here is a blog post that outlines how to achieve cluster/HA setup in AWS.
http://www.hexblogger.com/index.php/2019/04/24/pfsense-cluster-in-aws/
-
The original link is broken. Here is a new one.
https://www.hexnetworks.com/2019/04/24/pfsense-cluster-in-aws/
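Since CARP cannot elect a master without multicast, a scripted standby has to probe the primary itself and, only after a sustained outage, re-point the AWS route the private subnets use. The following is an added example of that decision logic; it is not the poster's script and not the blog's method (the thread does not describe it). The route table ID, standby instance ID and the primary's WAN private IP are placeholders, and the promotion step assumes the `aws ec2 replace-route` CLI call and credentials on the standby instance.

```python
import socket
import subprocess
from typing import Callable, List

# Constructed placeholders: the route table of the protected private subnets,
# this (standby) pfSense's instance ID, and the primary's WAN private IP.
ROUTE_TABLE_ID = "rtb-PLACEHOLDER"
STANDBY_INSTANCE_ID = "i-PLACEHOLDER"
PEER_WAN_PRIVATE_IP = "10.0.1.10"


def tcp_probe(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Return True if the peer accepts a TCP connection (e.g. its web GUI).
    A timeout or refused connection both count as a failed probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def take_over_default_route() -> List[str]:
    """Point the private subnets' default route at this instance via the
    AWS CLI (assumed to be installed and authorised on the standby)."""
    cmd = ["aws", "ec2", "replace-route", "--route-table-id", ROUTE_TABLE_ID,
           "--destination-cidr-block", "0.0.0.0/0",
           "--instance-id", STANDBY_INSTANCE_ID]
    subprocess.run(cmd, check=True)
    return cmd


class FailoverMonitor:
    """Promote the standby only after `threshold` consecutive failed probes,
    and only once: a single dropped probe must not flap the route."""

    def __init__(self, probe: Callable[[], bool], promote: Callable[[], object],
                 threshold: int = 3):
        self.probe, self.promote, self.threshold = probe, promote, threshold
        self.failures = 0
        self.promoted = False

    def tick(self) -> bool:
        """Run one probe; return True only on the tick that promotes."""
        if self.probe():
            self.failures = 0          # any success resets the counter
            return False
        self.failures += 1
        if self.failures >= self.threshold and not self.promoted:
            self.promote()
            self.promoted = True
            return True
        return False
```

In production this would be called from a cron or rc loop on the standby with `probe=lambda: tcp_probe(PEER_WAN_PRIVATE_IP)` and `promote=take_over_default_route`; the same loop should also log each promotion so an unexpected takeover is visible in monitoring.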