Netgate Discussion Forum

Configure AWS Pfsense instance to failover IPsec to another instance

IPsec
3 Posts 3 Posters 1.7k Views
erosalesMBGE
last edited by erosalesMBGE Aug 24, 2018, 9:46 PM (posted Aug 24, 2018, 9:44 PM)

Hi,

I'm trying to have High Availability in AWS for my pfSense instance. This instance has IPsec tunnels and is also the firewall for the instances behind the pfSense. The rest of the instances are HA already with the AutoScaling service, but this approach does not work well with pfSense. I launched a new pfSense in another AZ to function as the "slave". I configured it with the password and settings like that. In the "master" pfSense I configured System -> High Avail Sync as follows:

Master
Synchronize states: Enabled
Synchronize Interface: WAN
pfsync Synchronize Peer IP: Here I put the private IP of the WAN interface of the failover
Synchronize Config to IP: Here I put the private IP of the WAN interface of the failover
Remote System Username: admin (of the Failover)
Remote System Password: admin password (of the Failover)
Select options to sync: Everything selected

Slave
Synchronize states: Disabled
Synchronize Interface: WAN
pfsync Synchronize Peer IP: empty
Synchronize Config to IP: empty
Remote System Username: empty
Remote System Password: empty
Select options to sync: empty

Then I went to Firewall -> Virtual IP (Master)

For WAN:
I chose type CARP
WAN interface
Address: I put 198.51.100.200/24
VIP Password: random password
Base 1, Skew 0

For LAN:
I chose type CARP
WAN interface
Address: I put 192.168.1.1
VIP Password: random password
Base 1, Skew 0

In Slave I did not modify this part. This is where I'm stuck, because both appear as Master.


hexblogger
last edited by Apr 26, 2019, 1:37 AM

I know this topic is a bit old but I have not seen any solution so far. CARP will not work in AWS or Azure due to lack of multicast. Protocols like VRRP/GLBP are also not supported. However, I created a solution with scripting that I am hoping can help someone to setup some redundancy in AWS between two pfSense instances. I have been using this method for some time and it works very well. Here is a blog post that outlines how to achieve cluster/HA setup in AWS.
http://www.hexblogger.com/index.php/2019/04/24/pfsense-cluster-in-aws/


cpetty22
last edited by Oct 3, 2020, 10:09 PM
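An added example of the API-driven alternative to CARP that the post above describes (this is not hexblogger's script nor code from the linked blog post): the standby pfSense probes the primary's private WAN address and, only after several consecutive failed probes, claims the Elastic IP and the LAN subnet's default route through the EC2 API, which is the role a CARP advertisement would play on a normal LAN. It assumes boto3 is installed on the standby, that the instance role is allowed ec2:AssociateAddress and ec2:ReplaceRoute, and that the allocation, ENI and route-table ids and the peer address 10.0.0.10 are placeholders to be replaced.

```python
import subprocess
from dataclasses import dataclass


@dataclass
class FailoverConfig:
    # All ids below are placeholders; substitute the real EIP allocation,
    # ENI and route-table ids of your own deployment.
    allocation_id: str          # Elastic IP that plays the role of the CARP WAN VIP
    standby_wan_eni: str        # WAN ENI of the standby pfSense (EIP moves here)
    standby_lan_eni: str        # LAN ENI of the standby pfSense (new 0.0.0.0/0 target)
    route_table_id: str         # route table of the private subnets behind pfSense
    failure_threshold: int = 3  # consecutive failed probes before taking over


@dataclass
class FailoverState:
    failures: int = 0
    active: bool = False        # True once this node has taken over


def peer_reachable(peer_ip: str) -> bool:
    """One ICMP probe of the primary; a hung ping counts as a failure."""
    try:
        r = subprocess.run(["ping", "-c", "1", peer_ip], capture_output=True, timeout=3)
    except subprocess.TimeoutExpired:
        return False
    return r.returncode == 0


def take_over(ec2, cfg: FailoverConfig) -> None:
    """Move the EIP and the LAN default route to this (standby) instance."""
    ec2.associate_address(AllocationId=cfg.allocation_id,
                          NetworkInterfaceId=cfg.standby_wan_eni,
                          AllowReassociation=True)
    ec2.replace_route(RouteTableId=cfg.route_table_id,
                      DestinationCidrBlock="0.0.0.0/0",
                      NetworkInterfaceId=cfg.standby_lan_eni)


def step(reachable: bool, ec2, cfg: FailoverConfig, st: FailoverState) -> bool:
    """One watchdog tick. Returns True only on the tick that performs a failover."""
    if reachable:
        st.failures = 0           # primary answers; stay passive (no automatic failback)
        return False
    st.failures += 1
    if st.active or st.failures < cfg.failure_threshold:
        return False              # debounce: one lost probe must not move the VIP
    take_over(ec2, cfg)
    st.active = True
    return True


if __name__ == "__main__":
    import time
    import boto3                  # assumed installed on the standby pfSense
    cfg = FailoverConfig("eipalloc-PLACEHOLDER", "eni-WAN-PLACEHOLDER",
                         "eni-LAN-PLACEHOLDER", "rtb-PLACEHOLDER")
    st, ec2 = FailoverState(), boto3.client("ec2")
    while True:
        if step(peer_reachable("10.0.0.10"), ec2, cfg, st):
            print("took over WAN EIP and LAN default route")
        time.sleep(5)
```

The debounce and the absence of automatic failback are deliberate: a flapping primary would otherwise cause the EIP and the route to bounce between instances, which tears down the IPsec tunnels each time.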

The original link is broken. Here is a new one.
https://www.hexnetworks.com/2019/04/24/pfsense-cluster-in-aws/

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.