Justinaquino: Created from Netgate pfSense training PDF

2026-04-23T07:07:10Z

Created from Netgate pfSense training PDF

New page

__NOTOC__
<div style="background:#003366; color:#ffffff; padding:10px; border-radius:5px; margin-bottom:15px;">
'''Netgate pfSense Plus Fundamentals — Lab 10: High Availability'''
</div>

== Overview ==

In this lab, we add high availability at HQ by configuring a secondary firewall ('''fw2-HQ''') to operate as the backup in an active/passive HA pair.

== Configuring fw2-HQ ==

From your machine or HQ-client, log into fw2-HQ at '''https://172.17.1.3'''.

=== Interface Assignment ===

On fw2-HQ, browse to '''Interfaces > Assign''' and verify that your 5 interfaces are assigned correctly.

=== Interface Configuration ===

==== WAN ====

{| class="wikitable"
! Setting !! Value
|-
| Description || WAN
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 192.0.2.3/24
|-
| Gateway || GW_WAN — 192.0.2.1 (default gateway)
|}

Then Save and Apply Changes.

==== DMZ ====

{| class="wikitable"
! Setting !! Value
|-
| Description || DMZ
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 172.17.2.3/24
|}

Save and Apply Changes.

==== WAN2 ====

{| class="wikitable"
! Setting !! Value
|-
| Description || WAN2
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 198.51.100.3/24
|-
| Gateway || GW_WAN2 — 198.51.100.1 (not default gateway)
|}

Save and Apply Changes.

==== SYNC ====

{| class="wikitable"
! Setting !! Value
|-
| Description || SYNC
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 172.17.3.3/24
|}

Save and Apply Changes.

=== HA Sync Configuration (fw2-HQ) ===

Browse to '''System > High Avail Sync'''. Only the top portion is configured on the secondary, enabling it to send and receive state synchronization traffic.

* Check '''Synchronize States'''
* Choose '''Synchronize Interface''' = SYNC
* '''pfsync Synchronize Peer IP''': 172.17.3.2

Then click Save at the very bottom of the page.

=== Increase FW2 GUI Processes ===

Navigate to '''System > Advanced''' and change '''Max Processes''' from the default 2 to '''5''', to account for the extra work of sync and configuration.

=== Firewall Rule Configuration (fw2-HQ) ===

Browse to '''Firewall > Rules''', SYNC tab, and click Add to allow the initial config sync:

{| class="wikitable"
! Setting !! Value
|-
| Action || Pass
|-
| Interface || SYNC
|-
| Protocol || any
|-
| Source || any
|-
| Destination || any
|}

Then Save and Apply Changes.

fw2-HQ is now ready.

== Configuring fw1-HQ ==

Switch over to fw1-HQ to continue the configuration.

=== Assign and Configure Sync Interface ===

Browse to '''Interfaces > Assign''' and verify the SYNC interface is assigned.

Browse to '''Interfaces > OPT3''' and configure:

{| class="wikitable"
! Setting !! Value
|-
| Enable || checked
|-
| Description || SYNC
|-
| IPv4 Configuration Type || Static IPv4
|-
| IPv4 Address || 172.17.3.2/24
|}

Save and Apply Changes.

=== Add Sync Firewall Rules (fw1-HQ) ===

Browse to '''Firewall > Rules''', Sync tab. Add:

{| class="wikitable"
! Setting !! Value
|-
| Action || Pass
|-
| Interface || Sync
|-
| Protocol || any
|-
| Source || any
|-
| Destination || any
|-
| Description || allow sync
|}

Save and apply changes.

=== Change Interface IPs (fw1-HQ) ===

The gateway IPs on the internal interfaces need to be CARP IPs so they fail over. Change the LAN and DMZ interface IPs:

* '''LAN''': change from 172.17.1.1 to '''172.17.1.2'''
* '''DMZ''': change from 172.17.2.1 to '''172.17.2.2'''

The .1 IPs will be added back as CARP IPs in the next step. Save and apply changes after each interface.

=== Add CARP VIPs (fw1-HQ) ===

Browse to '''Firewall > Virtual IPs''', and click '''+Add'''.

==== LAN CARP VIP ====

{| class="wikitable"
! Setting !! Value
|-
| Type || CARP
|-
| Interface || LAN
|-
| IP Address || 172.17.1.1/24
|-
| Virtual IP Password || random characters (syncs automatically)
|}

Leave the remainder at defaults. Save and Apply Changes.

==== DMZ CARP VIP ====

{| class="wikitable"
! Setting !! Value
|-
| Type || CARP
|-
| Interface || DMZ
|-
| IP Address || 172.17.2.1/24
|-
| Virtual IP Password || random string
|}

Note the VHID group increments to 2. Save and apply changes.

=== Edit Existing WAN VIPs (fw1-HQ) ===

==== WAN .4 VIP ====

Edit 192.0.2.4: change type from IP Alias to CARP, subnet mask /24, VHID Group 3, random Virtual IP Password. Save.

==== WAN .5 and .6 VIPs ====

Edit 192.0.2.5 and 192.0.2.6: keep as IP Alias but change parent interface to the WAN CARP IP (192.0.2.4). Save and apply changes.

==== WAN2 CARP VIPs ====

Change 198.51.100.4 to CARP, and change the interface of 198.51.100.5 and .6 to 198.51.100.4.

=== Configure HA Sync (fw1-HQ) ===

Browse to '''System > High Avail. Sync''':

{| class="wikitable"
! Setting !! Value
|-
| Synchronize States || checked
|-
| Synchronize Interface || SYNC
|-
| pfsync Synchronize Peer IP || 172.17.3.3
|-
| Synchronize Config to IP || 172.17.3.3
|-
| Remote System Username || admin
|-
| Remote System Password || pfsense
|}

Click '''toggle all''' to check all synchronize configuration boxes, then click Save.

Configuration and state synchronization are now fully enabled. Do not make config changes directly on the secondary from here out, as they’ll be overwritten by the primary.

=== Configure Outbound NAT ===

Browse to '''Firewall > NAT''', Outbound tab. Edit rules so traffic is NATed to IPs that fail over:

* Edit "HQ 172.17./16 out via WAN IP" — change Translation to '''192.0.2.6'''
* Edit "HQ 172.17./16 out via WAN2 IP" — change Translation to '''198.51.100.6'''

=== Configure LAN DHCP ===

Browse to '''Services > DHCP Server''', LAN tab:

* Set default gateway to the LAN CARP VIP '''172.17.1.1'''
* Set '''Failover Peer IP''' to fw2-HQ LAN IP '''172.17.1.3'''
* Save

== Check Status ==

Browse to '''Status > CARP''' on both fw1-HQ and fw2-HQ. All CARP IPs should show:
* '''master''' status on fw1-HQ
* '''backup''' status on fw2-HQ

== Testing Failover ==

=== Force Failover by Disabling CARP on Primary ===

On fw1-HQ, browse to '''Status > CARP''' and click '''Temporarily Disable CARP'''. After reload, all CARP IPs change to "disabled." Check fw2-HQ — they should all show master status.

=== Force Failover by Simulating Power Removal ===

Navigate to '''Diagnostics > Halt System''' and click '''Reboot''' on the primary. Within a second after rebooting, fw2-HQ should show master status on all CARP IPs. After fw1-HQ reboots, it will regain master status automatically.

<div style="background:#e6f2ff; padding:10px; border-left:4px solid #003366; margin-top:15px;">
'''Previous Module:''' [[Training: High Availability|Training: High Availability — HA Overview and Concepts]]
</div>

== Source Attribution ==

* ''Netgate pfSense Plus Fundamentals and Practical Application''
* © 2021 Rubicon Communications, LLC (Netgate)
* Source PDF: FUND001-LIVE-Lab10-HA.pdf
* Reference fw2-HQ IPs: WAN 192.0.2.3, LAN 172.17.1.3, DMZ 172.17.2.3

Training Lab 10: High Availability - Revision history

Justinaquino: Created from Netgate pfSense training PDF