PfSense 2.0 CARP/Redundant firewall How-To?



  • Hi All,

    I've got a need to set up a pair of pfSense firewalls in a primary/failover way, with 3 WAN IPs, one for the primary, one for the failover, and one for the "floating" IP.  I'll have OpenVPN running on these guys as well, hopefully syncing the users database, certificates and OpenVPN config between the two firewalls.  Is there a "HowTo" on how to set this up with pfSense 2.0?  I saw a tutorial on how to do it on what looks like version 1 here:

    http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    and here:

    ftp://reflection.ncsa.uiuc.edu/pub/pfSense/tutorials/carp/carp-cluster-new.htm

    But those look kind of dated.  Is there a HowTo somewhere for version 2.0 that would accomplish what I'm looking to do?  I searched the forums quickly but saw nothing really definitive…

    Thanks for any insight/links!

    Cheers.



  • No one knows (or wants to respond)?  ;)  Is it that complicated?



  • It hasn't really changed, the existing info is still applicable.



  • Great!  Thanks, that's all I needed.  Except I have one more question…  ;)

    If I configure advanced outbound NAT, which defines the source IP address the outbound packets have (the virtual IP), is there any way to still connect to each admin web interface individually, or would I be forced to connect to whichever machine is the 'master' at the time?  Even if the outbound NAT config of both machines is rewriting the return packets' IP to look the same on both?  Does my line of thinking make sense?

    Thanks again!



  • You always want to connect only to the interface IPs for management, so you're 100% sure which box you're on. That's covered in detail in http://pfsense.org/book and is all the same on 2.0.

