From stand-alone pfSense to Cluster HA/CARP
In our firm we proudly use a stand-alone pfSense CE firewall installed on physical hardware.
Latest release and a quite simple configuration:
- Interfaces: WAN, LAN, WG_VPN
- VPN: (3 IPsec tunnels, 3 OpenVPN servers, 1 WireGuard tunnel)
- Services (DNS Resolver, SNMP daemon and Auto Backup)
- Some NATs for VPN/IPsec subnets to LAN and 1 CA for VPN usage
- Future developments -> FreeRADIUS and MFA with OpenVPN/TOTP (LAB test went well!)
Now, we would like to join another physical server to the existing one to create an HA/CARP cluster.
I know the right answer: “install two fresh pfSense from the beginning, then copy the configuration where possible”.
May I proceed as follows, instead? (on a Sunday, and first of all in a LAB, of course..)
- Install the new one. I will assign (as an example) 192.168.0.3 to LAN interface, (another example) 126.96.36.199 to WAN interface and 172.18.1.3 to Sync interface
- Back to the old one. I’ll assign .2 to LAN, WAN and the Sync interface (172.18.1.2), as done above.
- On both, configure rules for the Sync IPs (I’ll need a crossover cable, I suppose)
- On the old, configure Virtual IPs (CARP VIP) and assign .1 on LAN and WAN
- On the old, do something for Outbound NAT on WAN (please help..)
- Remap VPN Outbound NATs on LAN Interface to an alias containing both interface addresses of nodes (not CARP VIP, ok)
- Change interfaces on all my OpenVPN/IPSEC from WAN to WAN-CARP
- Properly configure High Availability (pfsync and XMLRPC Sync)
What else will I have to pay attention to?
Thanks in advance for any suggestion
@ivan-70 Have a read through https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html. There is a section on outbound NAT.
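The step list in the question and the outbound NAT pointer in the reply both boil down to a handful of addressing rules that can be checked on paper before the Sunday change window. The script below is an added example, not code from the original thread or from Netgate: it takes a plan written as a plain Python dict and reports every rule the plan breaks. The LAN and Sync addresses mirror the question; the WAN addresses (203.0.113.0/29), the prefix lengths and the VHIDs are constructed assumptions, and the expectation that the VPN outbound NAT alias holds exactly the two node LAN addresses follows the questioner's own step rather than a Netgate recommendation.

```python
"""Consistency checks for a pfSense HA/CARP addressing plan (added example).

Not code from the original post or from Netgate. Rules encoded:
  * per interface, the two node addresses and the CARP VIP are three distinct
    usable hosts inside one subnet;
  * every CARP VIP has a VHID in 1-255 that is unique across the plan;
  * the sync interface carries no VIP, and each node's pfsync/XMLRPC peer is
    the other node's sync address;
  * outbound NAT on an interface that has a CARP VIP translates to that VIP,
    never to a node address (a node address dies with the node);
  * the VPN outbound NAT alias on LAN lists exactly the two node LAN addresses.
LAN and Sync values mirror the post; WAN addresses, prefix lengths and VHIDs
are constructed assumptions.
"""
import copy
from ipaddress import ip_address, ip_interface

PLAN = {
    "interfaces": {
        "LAN":  {"primary": "192.168.0.2", "secondary": "192.168.0.3",
                 "vip": "192.168.0.1", "prefixlen": 24, "vhid": 1},
        "WAN":  {"primary": "203.0.113.2", "secondary": "203.0.113.3",  # assumed
                 "vip": "203.0.113.1", "prefixlen": 29, "vhid": 2},
        "SYNC": {"primary": "172.18.1.2", "secondary": "172.18.1.3",
                 "vip": None, "prefixlen": 24},
    },
    "sync_interface": "SYNC",
    "pfsync_peer": {"primary": "172.18.1.3", "secondary": "172.18.1.2"},
    "outbound_nat": [{"interface": "WAN", "source": "192.168.0.0/24",
                      "translation": "203.0.113.1"}],
    "vpn_nat_alias": ["192.168.0.2", "192.168.0.3"],
}


def check_interface(name, spec):
    """Node addresses and the optional VIP: distinct usable hosts in one subnet."""
    findings = []
    net = ip_interface(f"{spec['primary']}/{spec['prefixlen']}").network
    hosts = {"primary": spec["primary"], "secondary": spec["secondary"]}
    if spec.get("vip"):
        hosts["vip"] = spec["vip"]
    for role, addr in hosts.items():
        a = ip_address(addr)
        if a not in net:
            findings.append(f"{name}: {role} address {addr} is outside {net}")
        elif a in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {role} address {addr} is the network or broadcast address")
    if len(set(hosts.values())) != len(hosts):
        findings.append(f"{name}: node addresses and VIP must all be distinct")
    return findings


def check_vhids(interfaces):
    """Each CARP VIP needs its own VHID; duplicates on one segment fight each other."""
    findings, seen = [], {}
    for name, spec in interfaces.items():
        if not spec.get("vip"):
            continue
        vhid = spec.get("vhid")
        if not isinstance(vhid, int) or not 1 <= vhid <= 255:
            findings.append(f"{name}: CARP VIP needs a VHID between 1 and 255")
        elif vhid in seen:
            findings.append(f"{name}: VHID {vhid} already used on {seen[vhid]}")
        else:
            seen[vhid] = name
    return findings


def check_sync(plan):
    """No VIP on the sync link; pfsync/XMLRPC peers point at each other."""
    findings = []
    sync = plan["interfaces"][plan["sync_interface"]]
    if sync.get("vip"):
        findings.append("sync interface must not carry a CARP VIP")
    if plan["pfsync_peer"]["primary"] != sync["secondary"]:
        findings.append("primary's sync peer must be the secondary's sync address")
    if plan["pfsync_peer"]["secondary"] != sync["primary"]:
        findings.append("secondary's sync peer must be the primary's sync address")
    return findings


def check_outbound_nat(plan):
    """Outbound NAT on a CARP-backed interface must translate to the VIP."""
    findings = []
    for rule in plan["outbound_nat"]:
        spec = plan["interfaces"][rule["interface"]]
        if spec.get("vip") and rule["translation"] != spec["vip"]:
            findings.append(f"outbound NAT on {rule['interface']} translates to "
                            f"{rule['translation']}, expected CARP VIP {spec['vip']}")
    return findings


def check_nat_alias(plan):
    """The LAN-side VPN NAT alias holds exactly both node LAN addresses (the post's step)."""
    lan = plan["interfaces"]["LAN"]
    expected = {lan["primary"], lan["secondary"]}
    members = set(plan["vpn_nat_alias"])
    if members != expected:
        return [f"VPN NAT alias should be {sorted(expected)}, has {sorted(members)}"]
    return []


def validate(plan):
    """Run every check; an empty list means the plan is internally consistent."""
    findings = []
    for name, spec in plan["interfaces"].items():
        findings += check_interface(name, spec)
    findings += check_vhids(plan["interfaces"])
    findings += check_sync(plan)
    findings += check_outbound_nat(plan)
    findings += check_nat_alias(plan)
    return findings


def example_misconfigurations():
    """Same plan with two classic mistakes: WAN NAT to a node address, duplicate VHID."""
    bad = copy.deepcopy(PLAN)
    bad["outbound_nat"][0]["translation"] = bad["interfaces"]["WAN"]["primary"]
    bad["interfaces"]["WAN"]["vhid"] = bad["interfaces"]["LAN"]["vhid"]
    return validate(bad)


if __name__ == "__main__":
    print("plan:", validate(PLAN) or "consistent")
    for finding in example_misconfigurations():
        print("broken plan:", finding)
```

Edit `PLAN` to match the real addressing and run the script; anything it prints is something to fix in the lab before the XMLRPC sync is switched on, since the secondary will faithfully copy a wrong outbound NAT translation just as it copies a right one.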