    From stand-alone pfSense to Cluster HA/CARP

    HA/CARP/VIPs
    Ivan-70

      Dear all,
      In our firm we proudly use a stand-alone pfSense CE firewall installed on physical hardware.
      Latest release, with a quite simple configuration:
      - Interfaces: WAN, LAN, WG_VPN
      - VPN: 3 IPsec tunnels, 3 OpenVPN servers, 1 WireGuard tunnel
      - Services: DNS responder, SNMP daemon and Auto Backup
      - Some NATs for the VPN/IPsec subnets to LAN, and 1 CA for VPN usage
      - Future developments -> FreeRADIUS and MFA with OpenVPN/TOTP (lab test went well!)

      Now we would like to join another physical server to the existing one to create an HA/CARP cluster.
      I know the right answer: “install two fresh pfSense from the beginning then copying configuration where possible”.
      May I proceed as follows, instead? (on Sunday, and first of all in a LAB, of course..)

      • Install the new one. I will assign (as an example) 192.168.0.3 to the LAN interface, (another example) 9.9.9.3 to the WAN interface and 172.18.1.3 to the Sync interface
      • Back to the old one. I'll assign .2 to the LAN, WAN and Sync interface (172.18.1.2) as done above.
      • On both, configure rules for the Sync IPs (I'll need a crossover cable, I suppose...)
      • On the old one, configure CARP Virtual IPs and assign .1 on LAN and WAN
      • On the old one, do something for Outbound NAT on WAN (please help...)
      • Remap the VPN Outbound NATs on the LAN interface to an alias containing both nodes' interface addresses (not the CARP VIP, ok)
      • Change the interface on all my OpenVPN/IPsec instances from WAN to the WAN CARP VIP
      • Properly Configure High Availability (pfsync and XMLRPC Sync)
      • Test

      What else will I have to pay attention to?

      Thanks in advance for any suggestion

      Ivan

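A post-cutover check for the "Test" step of the procedure above, added here as an example; it is not part of Ivan-70's post and not pfSense's own tooling. It assumes the example addresses from the post (9.9.9.x on WAN, 192.168.0.x on LAN), assumed interface names em0/em1, assumed VHIDs 1 (WAN VIP) and 2 (LAN VIP), and constructed ifconfig(8) samples in place of output captured from the real nodes. It parses the `carp:` status lines that FreeBSD's ifconfig prints for CARP VIPs and checks three things: the old node reports MASTER on every VHID, the new node reports BACKUP on every VHID, and no VHID is MASTER on both nodes at once. That last case (both nodes answering for the same VIP) is what you get when CARP advertisements are not reaching the peer, so it is the first thing to look for after enabling HA in the lab.

```shell
#!/bin/sh
# Added example, not from the forum post or from pfSense: sanity-check CARP roles
# on a two-node pfSense (FreeBSD) pair by parsing ifconfig(8) output.
# Assumptions: em0 = WAN, em1 = LAN, VHID 1 = WAN VIP 9.9.9.1, VHID 2 = LAN VIP
# 192.168.0.1, node addresses as in the post. All samples below are constructed.

# Constructed: what `ifconfig` might show on the old node once it owns both VIPs.
SAMPLE_PRIMARY='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 9.9.9.2 netmask 0xffffff00 broadcast 9.9.9.255
    inet 9.9.9.1 netmask 0xffffff00 broadcast 9.9.9.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0'

# Constructed: the new node standing by (higher advskew, BACKUP on both VHIDs).
SAMPLE_SECONDARY='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 9.9.9.3 netmask 0xffffff00 broadcast 9.9.9.255
    inet 9.9.9.1 netmask 0xffffff00 broadcast 9.9.9.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100'

# Constructed: the failure mode to look for. The new node cannot hear the old
# node's CARP advertisements on WAN (e.g. a switch dropping multicast), so it
# promotes itself on VHID 1 while the old node still holds it: both answer
# for 9.9.9.1.
SAMPLE_SPLIT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 9.9.9.3 netmask 0xffffff00 broadcast 9.9.9.255
    inet 9.9.9.1 netmask 0xffffff00 broadcast 9.9.9.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 2
    carp: BACKUP vhid 2 advbase 1 advskew 100'

# Print "<vhid> <role>" for every CARP VIP in ifconfig output read from stdin.
carp_roles() {
    awk '/^[[:space:]]*carp:/ { print $4, $2 }'
}

# carp_check "<ifconfig output>" MASTER|BACKUP
# Succeeds only if every CARP VIP on that node is in the expected role.
# A node with no CARP VIPs at all fails too: "nothing to check" is not a pass.
carp_check() {
    printf '%s\n' "$1" | carp_roles | awk -v want="$2" '
        { n++; if ($2 != want) { printf "vhid %s is %s, expected %s\n", $1, $2, want; bad++ } }
        END { if (n == 0) { print "no CARP VIPs found"; exit 1 } exit (bad > 0) }'
}

# carp_split_brain "<primary ifconfig>" "<secondary ifconfig>"
# Fails if any VHID is MASTER on both nodes, the classic sign that CARP
# advertisements are not reaching the peer.
carp_split_brain() {
    { printf '%s\n' "$1" | carp_roles
      printf '%s\n' "$2" | carp_roles; } |
    awk '$2 == "MASTER" { m[$1]++ }
         END { for (v in m) if (m[v] > 1) { print "vhid " v " is MASTER on both nodes"; bad = 1 }
               exit bad + 0 }'
}

# On the real pair, replace the samples with each node's `ifconfig` output and run:
carp_check "$SAMPLE_PRIMARY" MASTER \
  && carp_check "$SAMPLE_SECONDARY" BACKUP \
  && carp_split_brain "$SAMPLE_PRIMARY" "$SAMPLE_SECONDARY" \
  && echo "HA roles look sane"
```

Run it against the lab pair before the Sunday change, then again once the CARP VIPs are in place on the old node and the Sync rules are up: a BACKUP that flips to MASTER while the primary still reports MASTER means the two nodes are not seeing each other's advertisements on that interface, which has to be fixed before moving the VPN instances and outbound NAT onto the VIPs.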
      SteveITS @Ivan-70

        @ivan-70 Have a read through https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html. There is a section on outbound NAT.

        Steve

        Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
        When upgrading, let it finish; do not reboot early. Allow 10-15 minutes, or more depending on packages and device speed.
