CARP Support: 2 pfSense boxes and 1 external IP

  • I have one physical box (x-6000) and an (x-500) as cold backup.  If I add a 40 GB HD to both units.  I had read a while back that it would support 1 external IP across both boxes.

    x-6000 -------\ (external IP - active node)
                   \--------------------------------- DSL Modem (Bridge Modem)
    x-500 --------/ (external IP - passive node)

    I'm trying to find out if this is possible.  This would solve my issue of upgrading my firewalls.  I am picking one version and staying with it until the final release.

    I really need to have a backup device in case my primary firewall crashes.

    What is the status of this and how does it work?

  • Works just fine. Here's a step by step tutorial. It's for the 1.2 series but it's very similar for 2.0 RC.

    Basically, you put one external and one internal IP on both boxes, then create two virtual IPs, one external and one internal, and use those to connect to the firewall cluster. Your firewall boxes need at least three network ports each, as well. There are potential issues - one of the more obvious ones is needing three "real" external IP addresses. If you work for a company that has a block of addresses then that's not an issue, otherwise you'll need to do layers of NAT and get other single points of failure. But it does give you redundancy on the firewall, at least.

  • You need at least two public IPs, 3 static ones if you want stateful failover.
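As an added example (not from this thread or from pfSense itself): a small Python check of the address plan the two answers describe, one real address per box plus a shared virtual IP on each segment, and the node with the lowest advskew as CARP master. The node names, addresses and advskew values are constructed; the second plan shows what happens when the boxes only have the single DSL address to share.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Segment:
    """One CARP-protected segment (WAN or LAN) of the two-box cluster."""
    name: str
    vip: str      # shared CARP virtual IP in CIDR form, e.g. "203.0.113.10/29"
    nodes: dict   # node name -> (that node's own address in CIDR form, advskew)


def validate_segment(seg):
    """Return a list of problems with one segment's plan (empty list = OK)."""
    problems = []
    vip = ipaddress.ip_interface(seg.vip)
    seen = {vip.ip}
    for node, (addr, skew) in seg.nodes.items():
        own = ipaddress.ip_interface(addr)
        if own.network != vip.network:
            problems.append(f"{seg.name}: {node} address {addr} is not in {vip.network}")
        if own.ip in seen:
            problems.append(f"{seg.name}: {node} address {own.ip} is already in use")
        seen.add(own.ip)
        if not 0 <= skew <= 254:
            problems.append(f"{seg.name}: {node} advskew {skew} is outside 0..254")
    # CARP needs one real address per node plus the shared VIP (three for two boxes)
    if len(seen) < len(seg.nodes) + 1:
        problems.append(f"{seg.name}: needs {len(seg.nodes) + 1} distinct addresses")
    skews = [skew for _, skew in seg.nodes.values()]
    if len(set(skews)) != len(skews):
        problems.append(f"{seg.name}: advskew tie, master election is ambiguous")
    return problems


def validate_plan(segments):
    return [p for seg in segments for p in validate_segment(seg)]


def expected_master(seg):
    """The node advertising with the lowest advskew wins the CARP election."""
    return min(seg.nodes, key=lambda node: seg.nodes[node][1])


# Constructed plan: three public addresses on WAN, three private ones on LAN
WAN = Segment("WAN", "203.0.113.10/29",
              {"x-6000": ("203.0.113.11/29", 0), "x-500": ("203.0.113.12/29", 100)})
LAN = Segment("LAN", "192.168.1.1/24",
              {"x-6000": ("192.168.1.2/24", 0), "x-500": ("192.168.1.3/24", 100)})
GOOD_PLAN = [WAN, LAN]

# Constructed plan with only the single DSL address: both boxes would have to share it
SINGLE_IP_WAN = Segment("WAN", "203.0.113.10/29",
                        {"x-6000": ("203.0.113.10/29", 0), "x-500": ("203.0.113.10/29", 100)})
```

Running `validate_plan(GOOD_PLAN)` returns no problems and `expected_master(WAN)` names x-6000, while `validate_segment(SINGLE_IP_WAN)` reports the address collisions and the missing third address.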

