Build second firewall months after first to set up HA/CARP
-
Hi, apologies if this is in the wrong category.
I've got an existing firewall (VM) running with some configuration. Is it possible to clone that VM/take a backup of the pfSense config and restore to a new VM but allocate a new machine ID (or something) so it knows they are different, then enable HA/CARP? I think I've read that the firewalls have to be built in exactly the same order so interface IDs match etc to be able to enable HA/CARP.
I've successfully got some firewall clusters set up and running, but built both at the same time. I've got 2 instances where I have existing config on a firewall that's been running for months and don't know what order things were added in, so I would have to 'start again' if I can't do something with a clone/restore.
Thanks
-
@jamiedallow
I'd not recommend cloning the machine. I'd rather install a new one and restore the system and interfaces sections from the primary's backup.
However, ensure that the interfaces are not connected to your network when the machine reboots, to avoid address conflicts. Change the IP assignments afterwards and configure CARP and sync.
All other settings will be synced from the primary then. As far as I know, identical network hardware is no longer necessary in recent versions, but if possible I'd configure the interfaces in the same order on both, for the sake of clarity.
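The procedure in the reply above (restore only the system and interfaces sections on a fresh install, then change the addresses before the node is connected) can be scripted against the primary's config.xml backup. The following is an added example, not code from the forum post or from pfSense: it keeps just `<system>` and `<interfaces>`, renames the host, rewrites each static interface address to the secondary's own address, and refuses to produce a file if any interface would come up with the primary's address. The hostnames, interface names (`vmx0`..`vmx2`) and addresses in the embedded sample config are constructed for the example; the real backup has many more sections, which the script deliberately drops so they are supplied by XMLRPC sync later.

```python
"""Derive a secondary-node pfSense config from a primary's config.xml backup.

Added example (not from the forum thread or pfSense). It keeps only the
<system> and <interfaces> sections of the backup, renames the host, and
rewrites each static interface address so the restored node does not reuse
the primary's IPs. All sample data below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed sample of a primary's config.xml backup.
PRIMARY_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>22.0</version>
  <system>
    <hostname>fw1</hostname>
    <domain>example.internal</domain>
  </system>
  <interfaces>
    <wan>
      <if>vmx0</if><descr>WAN</descr>
      <ipaddr>203.0.113.12</ipaddr><subnet>24</subnet><gateway>WANGW</gateway>
    </wan>
    <lan>
      <if>vmx1</if><descr>LAN</descr>
      <ipaddr>192.168.1.2</ipaddr><subnet>24</subnet>
    </lan>
    <opt1>
      <if>vmx2</if><descr>SYNC</descr>
      <ipaddr>10.0.0.1</ipaddr><subnet>30</subnet>
    </opt1>
  </interfaces>
  <filter>
    <rule><descr>rules are synced from the primary later, not restored</descr></rule>
  </filter>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet></vip>
  </virtualip>
</pfsense>
"""

KEEP_SECTIONS = ("system", "interfaces")
# ipaddr values that mean "not a static address"; nothing to rewrite for these.
DYNAMIC_ADDRS = (None, "", "dhcp", "pppoe", "pptp", "l2tp")


def static_interfaces(root):
    """Yield (interface key, <ipaddr> element) for statically addressed interfaces."""
    for iface in root.find("interfaces"):
        ip = iface.find("ipaddr")
        if ip is not None and ip.text not in DYNAMIC_ADDRS:
            yield iface.tag, ip


def find_conflicts(primary_xml, addr_map):
    """Return interface keys that would keep the primary's address.

    A key is a conflict if addr_map gives no secondary address for it or gives
    the same address the primary already uses.
    """
    root = ET.fromstring(primary_xml)
    return [key for key, ip in static_interfaces(root)
            if addr_map.get(key) in (None, ip.text)]


def build_secondary_config(primary_xml, hostname, addr_map):
    """Return (config xml text, list of rewritten interface keys) for the secondary."""
    conflicts = find_conflicts(primary_xml, addr_map)
    if conflicts:
        raise ValueError("no distinct secondary address for: " + ", ".join(conflicts))

    root = ET.fromstring(primary_xml)
    new_root = ET.Element(root.tag)
    for child in root:              # drop everything except the kept sections
        if child.tag in KEEP_SECTIONS:
            new_root.append(child)

    new_root.find("system").find("hostname").text = hostname

    changed = []
    for key, ip in static_interfaces(new_root):
        ip.text = addr_map[key]     # the secondary's own address on that segment
        changed.append(key)
    return ET.tostring(new_root, encoding="unicode"), changed


def section_names(xml_text):
    """Top-level section tags of a config, to confirm what survived."""
    return [child.tag for child in ET.fromstring(xml_text)]


if __name__ == "__main__":
    secondary_addrs = {"wan": "203.0.113.13", "lan": "192.168.1.3", "opt1": "10.0.0.2"}
    xml_out, changed = build_secondary_config(PRIMARY_CONFIG, "fw2", secondary_addrs)
    print("rewrote:", changed)
    print(xml_out)
```

The CARP VIPs, rules and the rest of the configuration are intentionally not carried over; they come from the primary once XMLRPC sync is configured. Import the resulting file on the new node only with its interfaces disconnected, as the reply advises, and connect them after confirming the addresses.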
-
@jamiedallow If you built the first with HA in mind, such as making an inside interface using 192.168.1.2 with a VIP as 192.168.1.1 and instructing inside clients to use .1 as their next-hop, it shouldn't be too bad.
If you didn't there is going to be a lot more work to do.
I don't particularly like the concept of uploading an existing primary configuration to a new secondary.
I would much rather see someone take the time to build the interfaces as necessary, establish XMLRPC sync, and sync the existing configuration over to the new node.
-
Thanks @viragomann and @Derelict, really appreciate the input. I'll go with the new build as an HA pair (although the addresses currently in use would allow for HA to be slotted in without hassle), to make it as clean as possible. I will do a restore to a new VM in a dev environment though and see how nicely that works, to know if it's a get-out-of-jail card in future for a quick HA conversion.
Thanks