Move from single firewall to HA
Is there a documented way to move from an existing pfsense setup to a 2 node HA setup, without manually having to recreate all the rules & VPNs?
Many thanks,
Matt
@honest_matt Not documented, but here are some hints that may help. I'm still in the process:
- Convert your existing setup to use CARP VIPs (Virtual IPs: Firewall -> Virtual IPs) as the primary IP, and an alternate IP for direct access to that box. The CARP IP should be the gateway for any VLAN etc. It should also be what is provided as the DHCP and DNS IP in the DHCP server.
- Change your WebGUI to specify a specific port for SSL instead of the default 443. You'll want this later with HAProxy. (It's set in System -> Advanced -> TCP Port.)
- Add an additional interface just for sync. I call mine HA. Give it its own subnet, and add a rule for HA that allows the HA net to talk to the HA net freely.
- Do NOT yet define HA sync stuff.
- Do a backup. Save the XML file. Examine the XML. Record the interfaces assigned to WAN, LAN, and OPT1-n; the new/mirror box must have the exact same interfaces assigned the same way.
- Put the backup XML on a USB stick and name the file config.xml.
- Set up the mirror pfSense. Reboot with the USB stick in place, and NOT connected to your WAN or LAN. It should auto-configure itself with everything from the primary box.
- Attach directly to the new box. Change the interface IPs to be different from the other box. Leave WAN undefined for now. Once that's done you should be able to attach the HA Sync ethernet.
- Follow the standard instructions to define HA Sync / XML-RPC on Primary and Secondary. At this point, any changes on the primary should propagate to the secondary.
- You're on your way... there is still more to configure:
  - WAN
  - DNS and DHCP sync/failover
  - Any other failovers
It's a pretty big deal ;)
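As an added pre-flight check for the backup/restore steps above (example code, not from the post or from pfSense itself), this script parses two exported config.xml backups and verifies that each logical interface is bound to the same physical NIC on both boxes, that the mirror box's static interface IPs differ from the primary's, and that neither backup already carries an HA sync block. The element names (`interfaces/<name>/if`, `ipaddr`, `hasync`) follow pfSense's config.xml layout; the two sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample backups: the mirror has LAN/OPT1 NICs swapped, reuses the
# primary's HA-interface IP, and already has <hasync> defined.
PRIMARY_XML = """<pfsense><interfaces>
  <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
  <lan><if>em1</if><ipaddr>192.0.2.2</ipaddr><subnet>24</subnet></lan>
  <opt1><if>em2</if><descr>HA</descr><ipaddr>10.255.255.1</ipaddr><subnet>30</subnet></opt1>
</interfaces></pfsense>"""

MIRROR_XML = """<pfsense><interfaces>
  <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
  <lan><if>em2</if><ipaddr>192.0.2.3</ipaddr><subnet>24</subnet></lan>
  <opt1><if>em1</if><descr>HA</descr><ipaddr>10.255.255.1</ipaddr><subnet>30</subnet></opt1>
</interfaces><hasync><pfsyncinterface>opt1</pfsyncinterface></hasync></pfsense>"""


def interface_map(xml_text):
    """Return {logical name: (physical NIC, ipaddr)} from a config.xml."""
    root = ET.fromstring(xml_text)
    return {iface.tag: (iface.findtext("if"), iface.findtext("ipaddr"))
            for iface in root.find("interfaces")}


def preflight(primary_xml, mirror_xml):
    """Return a list of problems; an empty list means the pair is ready to sync."""
    problems = []
    prim, mirr = interface_map(primary_xml), interface_map(mirror_xml)
    for name in sorted(set(prim) | set(mirr)):
        if name not in prim or name not in mirr:
            problems.append(f"{name}: present on only one box")
            continue
        if prim[name][0] != mirr[name][0]:
            problems.append(f"{name}: NIC {prim[name][0]} vs {mirr[name][0]}")
        # WAN stays undefined/DHCP at this stage, so only compare static IPs
        ip = prim[name][1]
        if ip == mirr[name][1] and ip not in (None, "dhcp", "none"):
            problems.append(f"{name}: same IP {ip} on both boxes")
    for label, xml_text in (("primary", primary_xml), ("mirror", mirror_xml)):
        if ET.fromstring(xml_text).find("hasync") is not None:
            problems.append(f"{label}: <hasync> already defined, remove it before syncing")
    return problems


if __name__ == "__main__":
    for line in preflight(PRIMARY_XML, MIRROR_XML) or ["OK: no problems found"]:
        print(line)
```

Run it against the primary's backup and the mirror's own backup before enabling XML-RPC sync; every reported line is something the sync would either break on or silently copy to the wrong interface.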