Netgate Discussion Forum
    Migrate from standalone to failover

    Category: HA/CARP/VIPs
    GBDickinson:

      Hi everyone,

      First off, thanks for the immense help everyone here has been.  It's helped me out of many a sticky situation :)

      Right now, I have a standalone firewall at a boarding school with multiple interfaces (one LAN, one "student" subnet, and one for the VOIP subnet, along with the WAN).  We are trying to add some redundancy since they're doing construction work at the school and have a tendency to cut power to the main building at the most unexpected times :)

      I realize that the IPs that are currently bound to the production firewall will become virtual IPs, and I'll have to pick a "real" IP for the current firewall, but I was really wondering about the other interfaces.  I'm assuming that so long as they are named the same, that I can fail over their IP addresses as well?  Do I need to assign "real" IPs to the other interfaces on the secondary firewall as well?

      Basically, I'm looking for pointers on moving from a single firewall to a redundant pair :)  Any help would be appreciated.


    viragomann:

        Each box needs a unique IP in each subnet. Usually you will have just one subnet assigned to an interface. These unique IPs are necessary for CARP in pfSense 2.1.x and cannot be used for other purposes.
        So if your LAN IP is now 192.168.1.1/24 this will get the LAN CARP VIP, because your clients use it as default gateway, so it has to be available at both boxes.
        To your master's LAN interface you have to assign e.g. 192.168.1.2/24, to the backup's LAN 192.168.1.3/24 or any other IP in this subnet.
        Same for the other interfaces or rather subnets.

        It is recommended to have a separate interface for sync. See the doc for details:
        https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

        You have to configure the unique IPs on both boxes first. Configure the synchronization in System > High Availability and rules to allow sync traffic on both firewalls.
        Then you go to the master and assign the VIPs to the particular interfaces in Firewall > Virtual IPs. If the sync is configured correctly the VIPs will be synced to the backup box.


    GBDickinson:
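The addressing plan viragomann lays out above (the old standalone address becomes the CARP VIP, each box gets its own unique address in the same subnet, every CARP VIP gets its own VHID) is easy to get wrong on a box with four interfaces, so here is a small planner and pre-flight check for it. This is an added example, not code from the thread or from pfSense: the interface names beyond LAN, the STUDENTS/VOIP/WAN subnets, the sync subnet, and the rule that master and backup take the next free host addresses above the VIP are all constructed assumptions for illustration.

```python
"""
Added example (not from the forum post or pfSense): plan the addresses for
turning a standalone pfSense box into a CARP pair, then sanity-check the plan.

For every interface the current standalone address becomes the shared CARP
VIP (clients keep using it as their gateway), and each physical box gets its
own unique address in the same subnet.  Interface names other than LAN, the
STUDENTS/VOIP/WAN subnets and the sync subnet are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Standalone addresses today; each becomes the CARP VIP of its interface.
# Only LAN 192.168.1.1/24 comes from the thread; the rest is constructed.
STANDALONE = {
    "LAN":      "192.168.1.1/24",
    "STUDENTS": "192.168.2.1/24",
    "VOIP":     "192.168.3.1/24",
    "WAN":      "203.0.113.10/29",   # TEST-NET-3 documentation range, assumed /29
}

# Assumed dedicated sync link between the two boxes (no VIP needed there).
SYNC_MASTER = "172.16.1.1/30"
SYNC_BACKUP = "172.16.1.2/30"


@dataclass(frozen=True)
class CarpPlan:
    iface: str
    vip: str        # address peers/clients already use; moves onto CARP
    master: str     # unique "real" address on the primary box
    backup: str     # unique "real" address on the secondary box
    vhid: int       # virtual host ID; must be unique per L2 segment (1-255)


def plan_carp(standalone, first_vhid=1):
    """Return one CarpPlan per interface in dict order.

    Master and backup take the first two free host addresses above the VIP,
    wrapping to addresses below it if the VIP sits near the top of the range.
    Raises ValueError when a subnet cannot hold VIP + two unique addresses,
    which is exactly the 'do I burn public IPs?' question: a WAN needs three.
    """
    plans = []
    vhid = first_vhid
    for iface, cidr in standalone.items():
        intf = ipaddress.ip_interface(cidr)
        vip, net = intf.ip, intf.network
        hosts = list(net.hosts())
        candidates = [h for h in hosts if h > vip] + [h for h in hosts if h < vip]
        if len(candidates) < 2:
            raise ValueError(f"{iface}: {net} has no room for two unique "
                             f"addresses besides the VIP {vip}")
        if vhid > 255:
            raise ValueError("ran out of VHIDs (1-255)")
        plen = net.prefixlen
        plans.append(CarpPlan(iface, f"{vip}/{plen}",
                              f"{candidates[0]}/{plen}",
                              f"{candidates[1]}/{plen}", vhid))
        vhid += 1
    return plans


def check_plan(plans):
    """Pre-flight checks; returns a list of problems (empty means OK)."""
    problems = []
    seen_vhid = set()
    for p in plans:
        vip, m, b = (ipaddress.ip_interface(x) for x in (p.vip, p.master, p.backup))
        if len({vip.ip, m.ip, b.ip}) != 3:
            problems.append(f"{p.iface}: VIP, master and backup must be distinct")
        if not (vip.network == m.network == b.network):
            problems.append(f"{p.iface}: VIP, master and backup not in one subnet")
        if not 1 <= p.vhid <= 255:
            problems.append(f"{p.iface}: VHID {p.vhid} out of range 1-255")
        if p.vhid in seen_vhid:
            # Strictly only required per L2 segment; globally unique is simpler.
            problems.append(f"{p.iface}: VHID {p.vhid} reused")
        seen_vhid.add(p.vhid)
    return problems


def sync_flows(master_sync=SYNC_MASTER, backup_sync=SYNC_BACKUP):
    """Traffic the sync-interface rules on both boxes must pass:
    pfsync state sync (IP protocol 240) in both directions, and the XML-RPC
    config sync from the backup to the master's webGUI port (default TCP 443).
    Returns (src, dst, proto) tuples with the plain sync addresses."""
    m = str(ipaddress.ip_interface(master_sync).ip)
    b = str(ipaddress.ip_interface(backup_sync).ip)
    return [(m, b, "pfsync"), (b, m, "pfsync"), (b, m, "tcp/443")]


if __name__ == "__main__":
    plans = plan_carp(STANDALONE)
    for p in plans:
        print(f"{p.iface:9} VIP {p.vip:18} master {p.master:18} "
              f"backup {p.backup:18} VHID {p.vhid}")
    print("problems:", check_plan(plans) or "none")
    for src, dst, proto in sync_flows():
        print(f"allow {proto:8} {src} -> {dst}")
```

Running it prints the per-interface table; the LAN row reproduces the post's example (VIP 192.168.1.1, master .2, backup .3), and the WAN row makes the cost of failover visible: a /29 loses three of its six usable addresses to the pair. Configure the master and backup addresses on both boxes first, then enter the VIP and VHID from each row under Firewall > Virtual IPs on the master so they sync across.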

          Awesome, that's exactly what I was expecting.  Just didn't want to burn a public IP address if I didn't have to.  Thanks for the help.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.