pfSense pfSync version

  • Hi,

    does pfSense already include the version of pfsync which can be used for active/active clusters?

    I assume a lot more work is required than just adding a newer version of pfSync, but what would be needed to give pfSense the ability to have multiple concurrent instances?


  • It's more CARP, not pfsync. Our base OS doesn't have that functionality. It's not exactly all it's cracked up to be really, which is true of all active/active firewalls, commercial and open source. For instance on Cisco ASAs there are massive restrictions, like you cannot use any VPNs with active/active for one. We'd likely also have to enforce similar restrictions in a number of areas including VPNs. The restrictions rule out things more than 99% of the HA installs I've worked on (likely upwards of a thousand in the last 8 years) require. Hence, it's not really all that attractive. We may implement it at some point, but it'll almost certainly come with restrictions like no VPN usage. It also may not actually increase performance, by the nature of how it works and where bottlenecks exist that define the maximum throughput on a given combination of hardware. It's something that would have to be tested.