https://mediawiki.comfac.net/index.php?action=history&feed=atom&title=Training%3A_High_Availability
Training: High Availability - Revision history
2026-06-05T11:00:49Z
Revision history for this page on the wiki
MediaWiki 1.45.1
https://mediawiki.comfac.net/index.php?title=Training:_High_Availability&diff=235&oldid=prev
Justinaquino: Created from Netgate pfSense training PDF
2026-04-23T07:07:10Z
<p>Created from Netgate pfSense training PDF</p>
<p><b>New page</b></p><div>__NOTOC__<br />
<div style="background:#003366; color:#ffffff; padding:10px; border-radius:5px; margin-bottom:15px;"><br />
'''Netgate pfSense Plus Fundamentals — Section 10: High Availability'''<br />
</div><br />
<br />
== Overview ==<br />
<br />
High Availability (HA) in pfSense uses an '''active/passive pair''' of firewalls to provide hardware redundancy. This architecture offers:<br />
<br />
* Increased redundancy options<br />
* Less painful upgrades<br />
* Seamless failover capabilities<br />
<br />
HA relies on '''three separate functions''' working together:<br />
<br />
{| class="wikitable"<br />
! Function !! Purpose<br />
|-<br />
| '''CARP''' || Provides redundant IP addresses (Virtual IPs) shared between HA members<br />
|-<br />
| '''pfSync''' || Synchronizes the state table between HA members for seamless failover<br />
|-<br />
| '''XMLRPC''' || Synchronizes configuration from the primary to secondary firewalls<br />
|}<br />
<br />
== CARP (Common Address Redundancy Protocol) ==<br />
<br />
* Uses multicast for announcements<br />
* Every CARP VIP has a unique '''VHID''' (Virtual Host ID)<br />
* CARP VIP is shared between VHID members<br />
* VHID groups are password protected<br />
* At least '''3 public IPs required''' per WAN<br />
* WAN needs at least a '''/29''' subnet<br />
<br />
== pfSync ==<br />
<br />
* Syncs state table between the two HA members<br />
* Enables seamless failover during an outage<br />
* Can use multicast or unicast for updates<br />
* No authentication for updates<br />
* '''Likes a dedicated interface''' (recommended)<br />
<br />
== XMLRPC (Configuration Sync) ==<br />
<br />
* Syncs configuration between HA members<br />
* Syncs from primary to secondaries<br />
* Only need to configure one firewall<br />
* May not sync everything — '''packages are responsible for their own config sync'''<br />
<br />
== CARP Configuration Requirements ==<br />
<br />
* At least one CARP VIP on WAN<br />
* At least one CARP VIP on LAN<br />
* Manual Outbound NAT to CARP VIP<br />
* DHCP adjustments needed (use CARP VIP as default gateway)<br />
<br />
== Typical Topology ==<br />
<br />
=== Single WAN ===<br />
<pre><br />
ISP1<br />
|<br />
[ HA Pair ] — LAN<br />
</pre><br />
<br />
=== Multi-WAN ===<br />
<pre><br />
ISP1 ISP2<br />
| |<br />
[ HA Pair ] — LAN<br />
</pre><br />
<br />
== Common Failures ==<br />
<br />
* '''Dual master''' on CARP VIPs<br />
* Loss of active connections on failover<br />
* Loss of connectivity on failover<br />
<br />
== Section 10 Summary ==<br />
<br />
* Active/Passive pair<br />
* Will need at least '''/29''' of network space per WAN<br />
* Use a '''unique VHID''' for every CARP VIP<br />
* Use a '''separate private interface''' for pfSync data<br />
* Packages are responsible for their own config sync<br />
* Outbound NAT to CARP VIP<br />
* DHCP adjusted for CARP VIP as default gateway<br />
<br />
<div style="background:#e6f2ff; padding:10px; border-left:4px solid #003366; margin-top:15px;"><br />
'''Next Module:''' [[Training Lab 10: High Availability|Training Lab 10: High Availability — Hands-on Configuration and Failover Testing]]<br />
</div><br />
<br />
== Source Attribution ==<br />
<br />
* ''Netgate pfSense Plus Fundamentals and Practical Application''<br />
* © 2017–2021 Rubicon Communications, LLC (Netgate)<br />
* Source PDF: FUND001-LIVE-SLIDE-SEG10-HA.pdf</div>
Justinaquino