Migrate from standalone to failover

  • Hi everyone,

    First off, thanks for the immense help everyone here has been.  It's helped me out of many the sticky situation :)

    Right now, I have a standalone firewall at a boarding school with multiple interfaces (one LAN, one "student" subnet, and one for the VOIP subnet, along with the WAN).  We are trying to add some redundancy since they're doing construction work at the school and have a tendency to cut power to the main building at the most unexpected times :)

    I realize that the IPs that are currently bound to the production firewall will become virtual IPs, and I'll have to pick a "real" IP for the current firewall, but I was really wondering about the other interfaces.  I'm assuming that so long as they are named the same, that I can fail over their IP addresses as well?  Do I need to assign "real" IPs to the other interfaces on the secondary firewall as well?

    Basically, I'm looking for pointers on moving from a single firewall to a redundant pair :)  Any help would be appreciated.

  • Each box needs an unique IP in each subnet. Usually you will have just one subnet assigned to an interface. These unique IPs are necessary for CARP in pfSense 2.1.x and cannot be used for other purposes.
    So if your LAN IP is now this will get the LAN CARP VIP, because your clients use it as default gateway, so it has to be available at both boxes.
    To your masters LAN interface you have assign e.g., to backups LAN or any other IP in this subnet.
    Same for the other interfaces or rather subnets.

    It is recommended to have a separate interface for sync. See the doc for details:

    You have to configure the unique IPs on both boxes at first. Configure the synchronization in System > High Availability and rules to allow sync traffic on both firewalls.
    Then you go to the master and assign the VIPs to the particular interfaces in Firewall > Virtual IPs. If the sync is configured correctly the VIPs will be synced to the backup box.

  • Awesome, that's exactly what I was expecting.  Just didn't want to burn a public IP address if I didn't have to.  Thanks for the help.

Log in to reply