Netgate Discussion Forum

    Build second firewall months after first to setup HA/CARP

    General pfSense Questions
    jamiedallow

      Hi, apologies if this is in the wrong category.

      I've got an existing firewall (VM) running with some configuration. Is it possible to clone that VM/take a backup of the pfSense config and restore to a new VM but allocate a new machine ID (or something) so it knows they are different, then enable HA/CARP? I think I've read that the firewalls have to be built in exactly the same order so interface IDs match, etc., to be able to enable HA/CARP.

      I've successfully got some firewall clusters set up and running, but built both at the same time. I've got 2 instances where I have existing config on a firewall that's been running for months and don't know what order things were added in, so I would have to 'start again' if I can't do something with a clone/restore.

      Thanks

      viragomann @jamiedallow

        @jamiedallow
        I'd not recommend cloning the machine. I'd rather install a new one and restore the system and interfaces sections from the primary's backup.
        However, ensure that the interfaces are not connected to your network when the machine reboots, to avoid address conflicts.

        Change the IP assignments after and configure CARP and sync.
        All other settings will be synced from the primary then.

        As far as I know, identical network hardware is no longer necessary in recent versions, but if possible I'd configure the interfaces in the same order on both, for the sake of clarity.

        Derelict (Netgate) @jamiedallow

          @jamiedallow If you built the first with HA in mind, such as making an inside interface using 192.168.1.2 with a VIP as 192.168.1.1 and instructing inside clients to use .1 as their next-hop, it shouldn't be too bad.

          If you didn't there is going to be a lot more work to do.

          I don't particularly like the concept of uploading an existing primary configuration to a new secondary.

          I would much rather see someone take the time to build the interfaces as necessary, establish XMLRPC sync, and sync the existing configuration over to the new node.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

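As an added example (not code from this thread, from Netgate or from pfSense itself), the script below does offline what the two replies above describe: it takes a constructed, minimal primary config.xml backup, keeps only the <version>, <system> and <interfaces> sections for the fresh secondary, renames the host and moves every static interface address one host up (so a primary at 192.168.1.2 becomes a secondary at 192.168.1.3 beside a 192.168.1.1 CARP VIP, the layout Derelict describes), and then runs the checks you would want before enabling CARP: same interface order and NIC mapping on both nodes, no real address shared by both, and every CARP VIP inside its interface's subnet and distinct from either node's real address. The element names follow pfSense's config.xml layout; the sample backup, hostnames, addresses and the one-host offset are assumptions for the example. Rules, NAT and the VIPs themselves are deliberately not copied, since XMLRPC sync carries them from the primary once the pair is up.

```python
"""Derive and sanity-check a pfSense HA secondary from the primary's config.xml.

Added example, not pfSense code. Element names follow pfSense's config.xml
layout; the sample backup, hostnames and addresses below are constructed.
"""
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal primary backup (only the fields this example touches).
PRIMARY_BACKUP = """<?xml version="1.0"?>
<pfsense>
  <version>22.0</version>
  <system>
    <hostname>fw1</hostname>
    <domain>example.internal</domain>
  </system>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet></wan>
    <lan><if>vtnet1</if><descr>LAN</descr><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>vtnet2</if><descr>SYNC</descr><ipaddr>10.255.255.1</ipaddr><subnet>30</subnet></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>1</vhid><advskew>0</advskew>
         <advbase>1</advbase><password>s3cret</password><subnet>192.168.1.1</subnet>
         <subnet_bits>24</subnet_bits><descr>LAN gateway VIP</descr></vip>
  </virtualip>
  <filter><rule><descr>carried over later by XMLRPC sync, not copied here</descr></rule></filter>
</pfsense>
"""

# Sections restored onto the fresh secondary; everything else (rules, NAT,
# VIPs, ...) is left for XMLRPC sync from the primary.
KEEP_SECTIONS = ("version", "system", "interfaces")


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def build_secondary(primary_xml, hostname, host_offset=1):
    """Copy only KEEP_SECTIONS, rename the host and shift every static IPv4
    address by host_offset (assumed scheme: primary .2, secondary .3, VIP .1)."""
    primary = parse_config(primary_xml)
    secondary = ET.Element("pfsense")
    for child in primary:
        if child.tag in KEEP_SECTIONS:
            secondary.append(copy.deepcopy(child))
    secondary.find("system/hostname").text = hostname
    for iface in secondary.find("interfaces"):
        ip = iface.find("ipaddr")
        if ip is None:
            continue
        try:
            ip.text = str(ipaddress.ip_address(ip.text) + host_offset)
        except ValueError:
            pass  # "dhcp", "pppoe" and friends: nothing static to re-address
    return secondary


def interface_layout(root):
    """(logical name, physical NIC) pairs in config order, e.g. ('lan', 'vtnet1')."""
    return [(i.tag, i.findtext("if")) for i in root.find("interfaces")]


def check_ha_ready(primary, secondary):
    """Return a list of problems that would bite once CARP is enabled."""
    problems = []
    if interface_layout(primary) != interface_layout(secondary):
        problems.append("interface order or NIC mapping differs between nodes")
    p_ips = {i.findtext("ipaddr") for i in primary.find("interfaces")} - {None}
    s_ips = {i.findtext("ipaddr") for i in secondary.find("interfaces")} - {None}
    for dup in sorted(p_ips & s_ips):
        problems.append(f"duplicate real address {dup} on both nodes")
    # Each CARP VIP must sit inside its interface's subnet on both nodes and
    # must not be the real address of either node (the .1 VIP / .2 real layout).
    for vip in primary.iterfind("virtualip/vip"):
        if vip.findtext("mode") != "carp":
            continue
        vip_ip = ipaddress.ip_address(vip.findtext("subnet"))
        name = vip.findtext("interface")
        for label, root in (("primary", primary), ("secondary", secondary)):
            iface = root.find(f"interfaces/{name}")
            if iface is None:
                problems.append(f"{label}: VIP interface {name} missing")
                continue
            real = iface.findtext("ipaddr")
            net = ipaddress.ip_interface(f"{real}/{iface.findtext('subnet')}").network
            if vip_ip not in net:
                problems.append(f"{label}: VIP {vip_ip} outside {name} subnet {net}")
            elif str(vip_ip) == real:
                problems.append(f"{label}: VIP {vip_ip} is the real address of {name}")
    return problems


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    prim = parse_config(PRIMARY_BACKUP)
    sec = build_secondary(PRIMARY_BACKUP, "fw2")
    print(to_xml(sec))
    print("problems:", check_ha_ready(prim, sec) or "none")
```

Running it with the constructed backup yields a secondary named fw2 at 203.0.113.3 / 192.168.1.3 / 10.255.255.2 and no problems. Re-running `build_secondary` with `host_offset=0` models the straight clone jamiedallow asked about and reports every real address as duplicated, which is the address conflict viragomann warns about when the restored machine first boots on the network; `host_offset=-1` models a primary that was never built with a VIP in mind (its real LAN address is the .1 clients point at) and reports the VIP colliding with the real address, which is the "a lot more work" case in Derelict's reply.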
            jamiedallow

            Thanks @viragomann and @Derelict, really appreciate the input. I'll go with the new build as an HA pair (although the addresses currently in use would allow for HA to be slotted in without hassle), to make it as clean as possible. I will do a restore to a new VM in a dev environment, though, and see how nicely that works, to know if it's a get-out-of-jail card for a quick HA conversion in future.

            Thanks

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.