Failover with 2 pfSense boxes
-
Hi guys and sorry if this has been answered already. This is the first time I am using pfSense.
Currently, I have set up 1 pfSense VM with 1 public and 1 private network. I have several VMs connected over the private network and I am using the pfSense VM as a router/firewall. I can connect to the VMs I want over the public IP which I am using as a gateway.
What I want to do is create a second pfSense VM which will act as a backup of the first pfSense VM. So in case the first pfSense VM is stopped, I want the second pfSense VM to take over. How can I make the second pfSense use the same gateway so if the first one fails, I can still connect over the same IP to those VMs? I can attach additional IPs, VLANs if needed. But I want to be able to connect to the servers using the same IP, no matter if the pfSense 1 or the backup are in place. I am sure this is fairly easy, however, I am not that network savvy and any help would be greatly appreciated.
-
This should get you started:
-
@KOM:
This should get you started:
Yes, thank you. However, I am not able to understand the virtual IPs that are being set. Is this an IP that I choose for myself, or is this the IP that is shared between the 2 nodes (the gateway for connecting to the VMs connected to the LAN)?
-
Is this an IP that I choose for myself, or is this the IP that is shared between the 2 nodes (the gateway for connecting to the VMs connected to the LAN)?
Yes and yes. It's an IP address that you choose yourself, but it is shared between the devices in a way, with one device being the active master. One device assumes the cluster IP address and responds to requests. If that server dies, the backup will kick in and assume the cluster IP address so that connectivity is never dropped. It's just a simple two-node cluster. For example, if pfnode-1 LAN is at 10.0.0.2 and pfnode-2 LAN is at 10.0.0.3, you would pick an address in the same subnet (e.g. 10.0.0.4) and that would be the address used for your clients' TCP/IP gateway.
-
@KOM:
Is this an IP that I choose for myself, or is this the IP that is shared between the 2 nodes (the gateway for connecting to the VMs connected to the LAN)?
Yes and yes. It's an IP address that you choose yourself, but it is shared between the devices in a way, with one device being the active master. One device assumes the cluster IP address and responds to requests. If that server dies, the backup will kick in and assume the cluster IP address so that connectivity is never dropped. It's just a simple two-node cluster. For example, if pfnode-1 LAN is at 10.0.0.2 and pfnode-2 LAN is at 10.0.0.3, you would pick an address in the same subnet (e.g. 10.0.0.4) and that would be the address used for your clients' TCP/IP gateway.
Unfortunately, I am still not able to get this working most likely as I do not understand how those virtual IPs work. Let me give some details on what I am using:
2 WAN with public IPs:
162.213.36.66 on the first pfSense
162.213.36.101 on the second pfSense
2 VLANs - 1 for LAN and 1 for the SYNC interface
192.168.1.10 is the IP on the VLAN and 192.168.2.1 is the IP of the SYNC on the first pfSense
192.168.1.11 is the IP on the VLAN and 192.168.2.2 is the IP of the SYNC on the second pfSense.
So what should I set as virtual IPs for my WAN and LAN on the primary pfSense server? I believe the virtual IP for the LAN I have set actually works, as it appears as master on the first box and backup on the second. I have used 192.168.2.16 as the IP and a 24 mask (that is an IP from the range of the SYNC interface, not sure if correct).
I believe the sync is working, as whatever I do on the primary pfSense is copied over to the second one. However, I cannot get the failover to work. When I stop the first box, my connection on the connected VMs on the LAN interface stops and I need to release and renew the IP.
-
OK, first off I must say that, while I have set up clusters before, I have not actually needed a pfSense failover cluster since I do things virtually. However, I may be able to help nonetheless.
Your Virtual IP for LAN should be an unused IP address in the 192.168.1.x range to match the LAN interface subnet. The SYNC interface is to maintain state consistency between the two nodes. You don't access it via the SYNC interface so you would not use that subnet for the Virtual IP.
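The rule in the reply above (a CARP VIP must be a free address in the same subnet as the real addresses of the interface it protects, not an address from the SYNC subnet) can be checked before anything is committed in the pfSense GUI. The script below is an added example, not code from the thread or from the pfSense project: it takes the node addresses the poster listed, flags the 192.168.2.16/24 LAN VIP as outside the LAN subnet, and passes a corrected LAN VIP (192.168.1.1/24, an assumed free address) and a WAN plan whose /24 prefix and VIP 162.213.36.70 are constructed placeholders. It also requires VHIDs to be distinct across all VIPs, the conservative choice when two CARP groups could share a broadcast domain.

```python
"""Sanity-check planned CARP virtual IPs against the nodes' real addresses.

Added example for the thread above; not part of pfSense.  Addresses marked
"from thread" were posted by the asker; everything else is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CarpPlan:
    interface: str          # pfSense interface the VIP rides on (LAN, WAN, ...)
    node_addrs: List[str]   # each node's real address on that interface, with prefix
    vip: str                # proposed shared CARP address, with prefix
    vhid: int               # CARP virtual host ID for this VIP


def check_plan(plan: CarpPlan) -> List[str]:
    """Return the problems with one VIP plan; an empty list means it is consistent."""
    problems: List[str] = []
    vip_if = ipaddress.ip_interface(plan.vip)
    nodes = [ipaddress.ip_interface(a) for a in plan.node_addrs]

    # Both nodes must share one subnet, otherwise no master election is possible.
    nets = {n.network for n in nodes}
    if len(nets) != 1:
        problems.append(f"{plan.interface}: node addresses span several subnets "
                        f"{sorted(str(n) for n in nets)}")
        return problems
    net = nets.pop()

    # The VIP must live in that same subnet (so a SYNC-range address is rejected).
    if vip_if.ip not in net:
        problems.append(f"{plan.interface}: VIP {vip_if.ip} is not inside {net}")
    if vip_if.network.prefixlen != net.prefixlen:
        problems.append(f"{plan.interface}: VIP prefix /{vip_if.network.prefixlen} "
                        f"differs from interface prefix /{net.prefixlen}")

    # The VIP must be a free host address, not a node address or net/broadcast.
    if vip_if.ip in {n.ip for n in nodes}:
        problems.append(f"{plan.interface}: VIP {vip_if.ip} collides with a node address")
    if vip_if.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{plan.interface}: VIP {vip_if.ip} is the network or broadcast address")
    if not 1 <= plan.vhid <= 255:
        problems.append(f"{plan.interface}: VHID {plan.vhid} outside 1-255")
    return problems


def check_all(plans: List[CarpPlan]) -> List[str]:
    """Check every plan and additionally require every VHID to be unique."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for p in plans:
        problems += check_plan(p)
        if p.vhid in seen:
            problems.append(f"{p.interface}: VHID {p.vhid} already used on {seen[p.vhid]}")
        else:
            seen[p.vhid] = p.interface
    return problems


# LAN as the asker configured it: node addresses from thread, VIP from thread.
LAN_AS_POSTED = CarpPlan("LAN", ["192.168.1.10/24", "192.168.1.11/24"],
                         "192.168.2.16/24", vhid=1)
# LAN with a VIP inside the LAN subnet (192.168.1.1 is an assumed free address).
LAN_CORRECTED = CarpPlan("LAN", ["192.168.1.10/24", "192.168.1.11/24"],
                         "192.168.1.1/24", vhid=1)
# WAN: node addresses from thread; the /24 prefix and the VIP are placeholders.
WAN_ASSUMED = CarpPlan("WAN", ["162.213.36.66/24", "162.213.36.101/24"],
                       "162.213.36.70/24", vhid=2)

if __name__ == "__main__":
    for label, plans in (("as posted", [LAN_AS_POSTED, WAN_ASSUMED]),
                         ("corrected", [LAN_CORRECTED, WAN_ASSUMED])):
        print(label, check_all(plans) or "OK")
```

Running it prints the single complaint about the posted LAN VIP and "OK" for the corrected set; a plan that reuses a VHID already taken by another VIP is reported as well.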
-
I have made some progress: sync is working and the CARP on the VLAN VIP is working, however, the WAN VIP shows as master on both of my pfSense boxes. Any clue what might be causing this? I checked some posts regarding this and they say to manually set a rule to allow the CARP traffic on the interface, but the VIP WAN does not have an interface. It is a VIP, isn't it?
BTW, I can ping both the WAN and LAN carp interfaces through both boxes
-
Sorry, you've hit the limit of my knowledge on this subject. Yes, I believe that the shared WAN IP is a Virtual IP.