Can I have 2 pfSense boxes mirrored for redundancy?



  • So, I have a wireless ISP. I have good redundancy everywhere apart from my pfSense firewall box; it's just running on a beefed-up PC.

    Can I have a second box (or even better a VM) which is a complete mirror of my main one, so that if the main one went down, it would automatically kick in and keep things going smoothly?





  • I have read that and it seems that it is what I need to do. But I'm not sure how I go about this. So I have a physical box up and running, which is what I want to create a mirror of. So do I create a VM with the same pfSense version and then change some settings in CARP on the main box to get the second (VM) to mirror it?



  • Or just have two similar boxes and do CARP between those.



  • CARP and pfsync are tedious but easy. I had it set up in about 30 minutes the first time.



  • @Metu69salemi:

    Or just have two similar boxes and do CARP between those.

    If possible I would like the second to be on my ESXi server, as it will be completely backed up and on a powerful machine.

    So I have to install a VM, and then the CARP settings you say are easy are done from the original box? Also, the original box is where my Squid cache is kept, and I really need this. So is this also able to be mirrored to the VM, or can I actually move the cache from the main box to a NAS or something? Will pfSense work as a Squid transparent proxy if the cache is physically on another box?



  • So long as you can set up the necessary network requirements, there is not a problem using ESX. Just follow the ESX guidelines.

    http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

    There is a section on ESX at the bottom.



  • Thanks, that's the same info I have read before. It honestly makes no sense to me at all. Is there no simple step-by-step tutorial available for this? I thought this would be something that a lot of people would be doing.



  • @luke240778:

    Thanks, that's the same info I have read before. It honestly makes no sense to me at all. Is there no simple step-by-step tutorial available for this? I thought this would be something that a lot of people would be doing.

    There is a step-by-step in the book. You just have to apply the ESX options at the bottom. You can try this also.

    http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm



  • That is for 1.2.3, but the concept and all the steps are similar.



  • Would love to buy that book, if it was for 2.0!! This looks easier to understand. Just one thing I am not sure about: it shows having a main switch with 2 pfSense boxes connected, and that it needs a physical crossover cable between boxes. Not sure how I can do this. I have a fiber optic connection which is 1 CAT5 cable from the fiber modem into my WAN port on my pfSense box, and I only have 1 public IP address, which is my current WAN IP.



  • It covers the basics, which are still in 2.0. The new book is pending. You don't have to have the crossover; you can use the LAN interface. It is not recommended though. The crossover is just another NIC or even a VLAN. You will need to put that one CAT5 from router to FW into a switch and hook both FWs to it. The one IP is a deal breaker though. You have to have at least 3 public IPs to use this. That is usually easy to remedy by calling the ISP and getting a block of 6 for a bit more money a month. For now you will just have to have a manual standby, as in, you load up pfSense and load your current config on it, then turn it off. You will only turn it on in case of a problem.



  • Ah ok. I actually do have another block of public IPs, that I have been trying to work out how to use also. What I meant to say was that for my WAN IP from my provider, I only get 1 IP, but I do have another block. As per another thread of mine, I have been trying to understand and work out how to use those so I can have some of those IPs for my servers to have public IPs, and a couple of clients that need static IPs.



  • Well, I would reassign my WAN IP with one from the bigger block and proxy ARP the smaller. I would ask the ISP to route that one IP to your new WAN IP. Unfortunately you cannot CARP that one IP address, as CARP has to be within the subnet of the WAN physical IP. I would do that as a transition to the new IP block, eventually removing the 1 IP in favor of the larger block, especially since it will give you more options not only with the firewall, but with servers behind it.



  • Ok, so you are saying get the ISP to forward my current WAN IP to the first IP in my other block of IPs and then use that as the WAN IP, and the others in that block for my backup firewall, servers and stuff?

    I am not sure if they can do that… As far as I know, my public IP is some kind of subnet that only has 2 IPs: one is my WAN, the other is the ISP (189.XXX.XXX.009 and 189.XXX.XXX.010), whereas my block of IPs is a /28 subnet, so I get 16 IPs (13 usable).

    If I am understanding, I already have that block forwarded to my current WAN IP, so how would they then work if they forwarded the current WAN IP to one of the block?

    I'm asking in detail here because I had a big headache just trying to explain to the ISP how to do this originally so I could get that block forwarded to my current WAN IP... And doing this in my second language was also difficult enough :) Below is my current setup more or less:

    ISP:               189.XXX.XXX.009
    WAN:               189.XXX.XXX.010

    IP block forwarded to 189.XXX.XXX.010 - 201.XXX.XXX.176/28

    pfSense WAN IP:    189.XXX.XXX.010
    LAN interface IP:  192.168.10.0/24
    OPT1 interface IP: 192.168.5.0/24

    My servers (and the pfSense VM I am wanting to use to sync the current pfSense box) are on the OPT1 interface, so I would love for them to have public IPs from the IP block, and then I would be able to do this CARP thing, I am assuming.



  • Basically they would just reverse it and you would set up a proxy ARP for it. Once you have all your services moved to the new block, you can continue to use them on the master node (as they could not exist on the backup node). If you lose the master node, you lose access to them until either the master becomes available or you set them up manually on the backup node. The IPs work like a Microsoft cluster or RHEL cluster: you have an IP assigned to each WAN and you will have CARP set up for the rest. So basically you will waste 2 IPs on clustering. The same goes for the default gateway on the LAN side, but that is covered in the how-to. Are these 2 different ISPs?
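    An added example, not from this thread, that models the addressing rules the replies above describe: each node needs its own physical WAN address, the shared CARP VIP must sit in that WAN subnet, and an address outside it (the old single WAN IP) cannot fail over via CARP and is left to proxy ARP. The addresses are constructed RFC 5737 documentation ranges standing in for the elided ones, and reserving the first host for the ISP gateway is an assumption.

```python
import ipaddress

# Constructed stand-ins for the elided 189.x/30 single IP and 201.x.x.176/28 block.
SINGLE_WAN_IP = "198.51.100.10"      # the lone IP the ISP currently hands out
ROUTED_BLOCK = "203.0.113.176/28"    # the /28 block to move the WAN onto


def plan_carp_block(block: str, n_nodes: int = 2, reserve_gateway: bool = True) -> dict:
    """Split a public block into the addresses a CARP cluster consumes.

    Each node gets its own physical WAN address, the cluster gets one shared
    CARP VIP, and (assumption) the ISP gateway takes the first host address.
    Whatever is left is free for servers (1:1 NAT / further virtual IPs).
    Raises ValueError when the block is too small, e.g. a /30 with one usable IP.
    """
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())
    gateway = None
    if reserve_gateway:
        gateway, hosts = hosts[0], hosts[1:]
    if len(hosts) < n_nodes + 1:
        raise ValueError("block too small: need one address per node plus a CARP VIP")
    return {
        "gateway": str(gateway) if gateway is not None else None,
        "node_wan": [f"{h}/{net.prefixlen}" for h in hosts[:n_nodes]],
        "carp_vip": str(hosts[n_nodes]),
        "free_for_servers": [str(h) for h in hosts[n_nodes + 1:]],
    }


def vip_mode(candidate: str, node_wan: str) -> str:
    """Decide how a public address can live on the cluster.

    A CARP VIP must be inside the subnet of the interface's physical address.
    Anything outside that subnet cannot fail over with CARP and has to be a
    proxy ARP VIP on the master, which pfsync does not carry to the backup.
    """
    phys = ipaddress.ip_interface(node_wan)   # address with prefix length
    if ipaddress.ip_address(candidate) in phys.network:
        return "carp"
    return "proxyarp"
```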



  • No, same ISP, just a weird setup that I still don't understand. All I know is that I had some ADSL link with them, and my block of IPs was my WAN IP. Then they changed us to a fiber optic link and the IP changed to this other IP, and my block is still ours, but not in use now. Before, I was told that this IP that is now my WAN was just a VPN between us and them; now it's my WAN IP. Confused as f**k here!! :)

    So from what you were just saying, I can't actually have a complete mirror of my pfSense box? It sounded like you were just saying that I can't have the packages synced? Captive Portal and Squid are all I use basically, but I need both working on the backup firewall also.



  • I will bring up my test cluster tomorrow at work (as I need to upgrade them to 2.0 Release), but I will see if, once you install Squid, you can sync it. If you cannot, then you can just install the Squid package and copy the setup. Once you switch over, you will start caching. Captive Portal can be synced between the 2 in a cluster. I understand the setup, as I had it at our DC for a brief time. Since I also wanted a cluster, I forced them to drop the smaller IP block and converted DNS and all other services over. This was our choice, but during the transition, I forced them to reverse the route and I used proxy ARP on the old IPs and clustered the bigger block.

    But yes, if you only have one IP that you can CARP, you cannot cluster. It just seems that you can set up your WAN with one of the bigger block and proxy ARP the single IP. The proxy ARP is the only thing that will not sync to the backup.

    I would definitely get straight with your ISP.



  • How did you go with the test?

    The other part I will have to look into; I don't understand what proxy ARP is, so I will have to start first with trying to get my block of IPs working on my WAN, I guess.



  • You cannot sync Squid settings or cache between the 2. You can set up Squid on both. You will just need to configure them on both sides. The service will always be running on the backup node; it just won't have the cache until it starts being used.

    Yes, I would start there as well, then worry about the extra 1 IP you have. If you can get your services moved over or DNS changed out, then there will eventually be no need for your single IP address.

