Netgate Discussion Forum

Migrate from standalone to failover

    GBDickinson
    last edited by Oct 26, 2014, 6:11 AM

    Hi everyone,

    First off, thanks for the immense help everyone here has been.  It's helped me out of many a sticky situation :)

    Right now, I have a standalone firewall at a boarding school with multiple interfaces (one LAN, one "student" subnet, and one for the VOIP subnet, along with the WAN).  We are trying to add some redundancy since they're doing construction work at the school and have a tendency to cut power to the main building at the most unexpected times :)

    I realize that the IPs that are currently bound to the production firewall will become virtual IPs, and I'll have to pick a "real" IP for the current firewall, but I was really wondering about the other interfaces.  I'm assuming that so long as they are named the same, that I can fail over their IP addresses as well?  Do I need to assign "real" IPs to the other interfaces on the secondary firewall as well?

    Basically, I'm looking for pointers on moving from a single firewall to a redundant pair :)  Any help would be appreciated.

      viragomann
      last edited by Oct 30, 2014, 12:40 AM

      Each box needs a unique IP in each subnet. Usually you will have just one subnet assigned to an interface. These unique IPs are necessary for CARP in pfSense 2.1.x and cannot be used for other purposes.
      So if your LAN IP is now 192.168.1.1/24, this will become the LAN CARP VIP, because your clients use it as default gateway, so it has to be available on both boxes.
      To your master's LAN interface you have to assign e.g. 192.168.1.2/24, to the backup's LAN 192.168.1.3/24 or any other IP in this subnet.
      Same for the other interfaces or rather subnets.

      It is recommended to have a separate interface for sync. See the doc for details:
      https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

      You have to configure the unique IPs on both boxes first. Configure the synchronization in System > High Availability and add rules to allow sync traffic on both firewalls.
      Then you go to the master and assign the VIPs to the particular interfaces in Firewall > Virtual IPs. If the sync is configured correctly the VIPs will be synced to the backup box.

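The addressing rule from the reply above (existing IP becomes the CARP VIP, plus one unique IP per box in the same subnet) can be checked on paper before touching the production firewall. The following is an added example, not part of the original posts or of pfSense: the function name, the plan layout and every address other than the 192.168.1.1/.2/.3 LAN values are constructed assumptions.

```python
import ipaddress

# Constructed sample plan. Only the LAN addresses come from the reply above;
# the other subnets and the WAN gateway are made up for illustration.
PLAN = {
    "LAN":     {"vip": "192.168.1.1/24", "primary": "192.168.1.2", "secondary": "192.168.1.3"},
    "STUDENT": {"vip": "10.20.0.1/24", "primary": "10.20.0.2", "secondary": "10.20.0.2"},
    "VOIP":    {"vip": "10.30.0.1/24", "primary": "10.30.0.2", "secondary": "10.31.0.3"},
    "WAN":     {"vip": "198.51.100.2/30", "primary": "198.51.100.1", "secondary": "198.51.100.3"},
}
# Addresses already taken by other devices, e.g. the upstream gateway (constructed).
IN_USE = {"WAN": ["198.51.100.1"]}


def check_plan(plan, in_use=None):
    """Return a list of (interface, problem) tuples; an empty list means the plan is consistent."""
    in_use = in_use or {}
    problems = []
    for name, entry in plan.items():
        vip = ipaddress.ip_interface(entry["vip"])  # the current standalone IP
        net = vip.network
        taken = {ipaddress.ip_address(a) for a in in_use.get(name, [])}
        seen = {vip.ip: "vip"}
        for role in ("primary", "secondary"):
            addr = ipaddress.ip_address(entry[role])
            if addr not in net:
                problems.append((name, f"{role} {addr} is outside {net}"))
            elif addr in (net.network_address, net.broadcast_address):
                problems.append((name, f"{role} {addr} is not a host address in {net}"))
            if addr in seen:
                problems.append((name, f"{role} {addr} duplicates {seen[addr]}"))
            if addr in taken:
                problems.append((name, f"{role} {addr} is already in use"))
            seen[addr] = role
        # VIP + primary + secondary need three host addresses nobody else holds.
        free = max(net.num_addresses - 2, 0) - sum(a in net for a in taken)
        if free < 3:
            problems.append((name, f"{net} has {free} free host address(es), 3 needed"))
    return problems


if __name__ == "__main__":
    for iface, msg in check_plan(PLAN, IN_USE):
        print(f"{iface}: {msg}")
```

The WAN entry shows the case that matters for public address space: a /30 with an upstream gateway leaves one free host address, so the per-box addresses required here cannot fit.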
        GBDickinson
        last edited by Nov 9, 2014, 8:50 PM

        Awesome, that's exactly what I was expecting.  Just didn't want to burn a public IP address if I didn't have to.  Thanks for the help.
