pfSense High Availability Setup Guide
Welcome to the Artiste1.com guide on setting up High Availability (HA) with pfSense.
This guide walks through configuring a pfSense HA cluster so that your network stays up even when one firewall fails.
1. Introduction to pfSense High Availability
High Availability in pfSense uses the Common Address Redundancy Protocol (CARP) to create a cluster of two or more firewalls. This setup provides redundancy and failover capabilities, ensuring that your network remains operational even if one firewall fails.
1.1 Components of pfSense HA
- CARP (Common Address Redundancy Protocol): Allows multiple hosts on the same network segment to share an IP address.
- pfsync: Synchronizes the firewall states between the HA nodes.
- XML-RPC Config Sync: Keeps the configuration files synchronized between the nodes.
2. Prerequisites
- Two or more pfSense systems with identical hardware
- At least three network interfaces on each system (WAN, LAN, Sync)
- A switch that supports LACP (Link Aggregation Control Protocol) for the Sync interface
- Stable network connectivity between the pfSense nodes
3. Network Topology
Here's a basic network topology for a pfSense HA setup (two nodes, pf1 and pf2, sharing CARP addresses on the WAN and LAN sides):
```text
         +------------+
         |            |
         |  Internet  |
         |            |
         +-----+------+
               |
         +-----+------+
         |            |
    +----+ HA Cluster +----+
    |    |            |    |
    |    +------------+    |
    |                      |
+---+---+              +---+---+
|       |              |       |
|  pf1  |              |  pf2  |
|       |              |       |
+---+---+              +---+---+
    |                      |
    |    +------------+    |
    |    |            |    |
    +----+    LAN     +----+
         |            |
         +------------+
```
4. Initial Configuration
4.1 Configure the Primary Node
- Install pfSense on both systems
- Configure the WAN and LAN interfaces on the primary node
- Set up the Sync interface:
  - Go to Interfaces > Assignments
  - Add a new interface for Sync (e.g., OPT1)
  - Set a static IP (e.g., 172.16.1.1/24) for the Sync interface
4.2 Configure the Secondary Node
- Configure the WAN and LAN interfaces with the same subnet as the primary node
- Set up the Sync interface with a different IP in the same subnet (e.g., 172.16.1.2/24)
5. Setting up CARP
5.1 Enable CARP
- On both nodes, go to System > High Avail. Sync
- Check "Synchronize States"
- Set the Synchronize Interface to your Sync interface
- Set a strong password for synchronization
5.2 Configure CARP Virtual IPs
- On the primary node, go to Firewall > Virtual IPs
- Add a new Virtual IP:
  - Type: CARP
  - Interface: WAN
  - Address: Your public IP
  - Virtual IP Password: Set a strong password
  - VHID Group: 1 (for WAN)
  - Advertising Frequency: 1
- Repeat for LAN interface with a different VHID (e.g., 2)
5.3 Configure pfsync
- On both nodes, go to System > High Avail. Sync
- Enable pfsync synchronization
- Set pfsync Synchronize Peer IP to the other node's Sync IP
6. Configuration Synchronization
6.1 Set up XML-RPC Config Sync
- On the primary node, go to System > High Avail. Sync
- Check "Synchronize Config to IP"
- Enter the secondary node's Sync IP
- Set the Remote System Username and Password
6.2 Synchronize for the First Time
- On the primary node, go to Diagnostics > Backup & Restore
- Click "Download configuration as XML"
- On the secondary node, restore this configuration
7. Testing and Verification
7.1 Verify CARP Status
- On both nodes, go to Status > CARP (failover)
- Ensure CARP status is MASTER on the primary and BACKUP on the secondary
7.2 Test Failover
- Disconnect the primary node's WAN interface
- Verify that the secondary node becomes MASTER
- Reconnect the primary node and ensure it becomes MASTER again
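The checks in 7.1 and 7.2 can also be done from the console, where each node's `ifconfig` output carries a `carp: <STATE> vhid N advbase B advskew S` line per CARP address. The script below is an added example, not part of the original guide: it parses that line for every VHID on both nodes and reports the conditions a practitioner cares about (both nodes MASTER, no MASTER at all, the primary not being the preferred master). The interface names, MAC and IP addresses in the sample output are constructed; you would capture the real output with `ifconfig` on each node.

```python
import re

# Constructed sample `ifconfig` output from each node. Interface names, MACs and
# addresses are assumptions; the "carp:" line follows FreeBSD's format.
PRIMARY_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:11:11:11
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:22:22:22
\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""

SECONDARY_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:33:33:33
\tinet 203.0.113.11 netmask 0xffffff00 broadcast 203.0.113.255
\tinet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:44:44:44
\tinet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
"""

# An interface block starts with "<name>: flags=..."; the CARP line is indented.
IFACE_RE = re.compile(r"^([A-Za-z0-9_.]+):\s+flags=")
CARP_RE = re.compile(
    r"^\s*carp:\s+(\w+)\s+vhid\s+(\d+)\s+advbase\s+(\d+)\s+advskew\s+(\d+)")


def parse_carp(ifconfig_text):
    """Map each VHID to its interface, state (MASTER/BACKUP/INIT) and timers."""
    result, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = CARP_RE.match(line)
        if m:
            state, vhid, advbase, advskew = m.groups()
            result[int(vhid)] = {"iface": iface, "state": state,
                                 "advbase": int(advbase), "advskew": int(advskew)}
    return result


def check_roles(primary_text, secondary_text):
    """Compare both nodes and return a list of problems; an empty list is healthy."""
    p, s = parse_carp(primary_text), parse_carp(secondary_text)
    problems = []
    for vhid in sorted(set(p) | set(s)):
        if vhid not in p or vhid not in s:
            problems.append(f"vhid {vhid}: configured on only one node")
            continue
        ps, ss = p[vhid]["state"], s[vhid]["state"]
        if ps == "MASTER" and ss == "MASTER":
            # Both nodes answering for the same address: CARP advertisements are
            # not reaching the peer (blocked, wrong VHID/password, or bad Sync link).
            problems.append(f"vhid {vhid}: both nodes MASTER (split brain)")
        elif ps != "MASTER" or ss != "BACKUP":
            problems.append(f"vhid {vhid}: primary {ps}, secondary {ss} "
                            "(expected MASTER/BACKUP)")
        if p[vhid]["advbase"] != s[vhid]["advbase"]:
            problems.append(f"vhid {vhid}: advbase differs "
                            f"({p[vhid]['advbase']} vs {s[vhid]['advbase']})")
        # Lower skew wins; the primary must advertise with the lower value so
        # that it takes the address back after a failover (step 7.2).
        if p[vhid]["advskew"] >= s[vhid]["advskew"]:
            problems.append(f"vhid {vhid}: primary advskew {p[vhid]['advskew']} "
                            f"is not lower than secondary's {s[vhid]['advskew']}")
    return problems


if __name__ == "__main__":
    for issue in check_roles(PRIMARY_IFCONFIG, SECONDARY_IFCONFIG) or ["CARP healthy"]:
        print(issue)
```

Running `check_roles` with the primary's output supplied for both nodes reproduces the split-brain symptom behind the "CARP not syncing" row in section 9; the same function run during the 7.2 failover test reports the temporary MASTER/BACKUP inversion until the primary reclaims the address.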
8. Advanced Configuration
8.1 Load Balancing
You can set up load balancing by configuring multiple CARP groups with different priorities:
Node 1: WAN VHID 1 (prio 254), LAN VHID 2 (prio 254), OPT1 VHID 3 (prio 100)
Node 2: WAN VHID 1 (prio 100), LAN VHID 2 (prio 100), OPT1 VHID 3 (prio 254)
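Once the configuration has been synchronized (section 6) and the CARP groups split as in the table above, the two nodes' config.xml files should agree on every Virtual IP except the advertising skew. The following script is an added example, not code from the guide or from pfSense: it reads the `<virtualip><vip>` entries of a backup taken on each node (Diagnostics > Backup & Restore), checks that VHIDs, interfaces, addresses and CARP passwords match, flags a VHID defined on only one node or reused within one node, and derives which node is the preferred master for each VHID. It uses the `advskew` value as stored in config.xml, where the lower skew wins, so the page's "prio 254" node is the skew 0 node here; the XML excerpts, addresses and passwords are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpts (only the <virtualip> section matters here).
# Node 1 prefers WAN and LAN, node 2 prefers OPT1, matching the 8.1 table.
PRIMARY_CONFIG = """<pfsense><virtualip>
<vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advbase>1</advbase><advskew>0</advskew><password>WanCarpSecret</password><subnet>203.0.113.1</subnet><subnet_bits>24</subnet_bits></vip>
<vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid><advbase>1</advbase><advskew>0</advskew><password>LanCarpSecret</password><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits></vip>
<vip><mode>carp</mode><interface>opt1</interface><vhid>3</vhid><advbase>1</advbase><advskew>100</advskew><password>OptCarpSecret</password><subnet>10.10.0.1</subnet><subnet_bits>24</subnet_bits></vip>
</virtualip></pfsense>"""

SECONDARY_CONFIG = """<pfsense><virtualip>
<vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advbase>1</advbase><advskew>100</advskew><password>WanCarpSecret</password><subnet>203.0.113.1</subnet><subnet_bits>24</subnet_bits></vip>
<vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid><advbase>1</advbase><advskew>100</advskew><password>LanCarpSecret</password><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits></vip>
<vip><mode>carp</mode><interface>opt1</interface><vhid>3</vhid><advbase>1</advbase><advskew>0</advskew><password>OptCarpSecret</password><subnet>10.10.0.1</subnet><subnet_bits>24</subnet_bits></vip>
</virtualip></pfsense>"""


def load_carp_vips(xml_text):
    """Return {vhid: fields} for every CARP-type VIP; reject a reused VHID."""
    vips = {}
    for vip in ET.fromstring(xml_text).iterfind("./virtualip/vip"):
        if vip.findtext("mode") != "carp":
            continue  # IP alias / proxy ARP entries are not part of failover
        vhid = int(vip.findtext("vhid"))
        if vhid in vips:
            raise ValueError(f"vhid {vhid} used more than once in one config")
        vips[vhid] = {
            "interface": vip.findtext("interface"),
            "address": f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}",
            "advbase": int(vip.findtext("advbase")),
            "advskew": int(vip.findtext("advskew")),
            "password": vip.findtext("password"),
        }
    return vips


def audit_pair(primary_xml, secondary_xml):
    """Return (preferred_master_by_vhid, problems) for two nodes' configs."""
    p, s = load_carp_vips(primary_xml), load_carp_vips(secondary_xml)
    preferred, problems = {}, []
    for vhid in sorted(set(p) | set(s)):
        if vhid not in p or vhid not in s:
            problems.append(f"vhid {vhid}: defined on only one node (config sync incomplete)")
            continue
        a, b = p[vhid], s[vhid]
        for field in ("interface", "address", "advbase"):
            if a[field] != b[field]:
                problems.append(f"vhid {vhid}: {field} differs ({a[field]} vs {b[field]})")
        if a["password"] != b["password"]:
            # Nodes with different passwords drop each other's advertisements,
            # so each believes it is alone and becomes MASTER.
            problems.append(f"vhid {vhid}: CARP password differs between nodes")
        if a["advskew"] == b["advskew"]:
            problems.append(f"vhid {vhid}: equal advskew {a['advskew']}; no intended master")
        else:
            preferred[vhid] = "primary" if a["advskew"] < b["advskew"] else "secondary"
    return preferred, problems


if __name__ == "__main__":
    preferred, problems = audit_pair(PRIMARY_CONFIG, SECONDARY_CONFIG)
    for vhid, node in preferred.items():
        print(f"vhid {vhid}: preferred master = {node}")
    for issue in problems:
        print("PROBLEM:", issue)
```

Run it against the two downloaded backups whenever the "Config not syncing" row in section 9 applies: a VIP missing from one node points at XML-RPC sync, while a password or address mismatch explains both nodes claiming MASTER.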
8.2 Monitoring and Alerts
Set up monitoring and alerts to be notified of failover events:
- Go to Status > Notifications
- Configure email or other notification methods
- Enable notifications for CARP status changes
9. Troubleshooting
| Issue | Possible Solution |
|---|---|
| CARP not syncing | Check firewall rules, ensure CARP traffic is allowed |
| Config not syncing | Verify XML-RPC settings, check credentials |
| Frequent failovers | Check network stability, adjust advertising frequency |
Conclusion
Congratulations! You've now set up a High Availability cluster with pfSense.
This setup provides redundancy and ensures minimal downtime for your network.
Remember to regularly test your failover setup and keep your pfSense installations updated.
Note: High Availability setups can be complex. Always test thoroughly in a non-production environment before implementing in a live network.