Training Lab 10: High Availability
Netgate pfSense Plus Fundamentals — Lab 10: High Availability
Overview
In this lab, we add high availability at HQ by configuring a secondary firewall (fw2-HQ) to operate as the backup in an active/passive HA pair.
Configuring fw2-HQ
From your machine or HQ-client, log into fw2-HQ at https://172.17.1.3.
Interface Assignment
On fw2-HQ, browse to Interfaces > Assign and verify that your 5 interfaces are assigned correctly.
Interface Configuration
WAN
| Setting | Value |
|---|---|
| Description | WAN |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 192.0.2.3/24 |
| Gateway | GW_WAN — 192.0.2.1 (default gateway) |
Then Save and Apply Changes.
DMZ
| Setting | Value |
|---|---|
| Description | DMZ |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 172.17.2.3/24 |
Save and Apply Changes.
WAN2
| Setting | Value |
|---|---|
| Description | WAN2 |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 198.51.100.3/24 |
| Gateway | GW_WAN2 — 198.51.100.1 (not default gateway) |
Save and Apply Changes.
SYNC
| Setting | Value |
|---|---|
| Description | SYNC |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 172.17.3.3/24 |
Save and Apply Changes.
HA Sync Configuration (fw2-HQ)
Browse to System > High Avail Sync. Only the top portion is configured on the secondary, enabling it to send and receive state synchronization traffic.
- Check Synchronize States
- Choose Synchronize Interface = SYNC
- pfsync Synchronize Peer IP: 172.17.3.2
Then click Save at the very bottom of the page.
Increase FW2 GUI Processes
Navigate to System > Advanced and change Max Processes from the default 2 to 5, to account for the extra work of sync and configuration.
Firewall Rule Configuration (fw2-HQ)
Browse to Firewall > Rules, SYNC tab, and click Add to allow the initial config sync:
| Setting | Value |
|---|---|
| Action | Pass |
| Interface | SYNC |
| Protocol | any |
| Source | any |
| Destination | any |
Then Save and Apply Changes.
fw2-HQ is now ready.
Configuring fw1-HQ
Switch over to fw1-HQ to continue the configuration.
Assign and Configure Sync Interface
Browse to Interfaces > Assign and verify the SYNC interface is assigned.
Browse to Interfaces > OPT3 and configure:
| Setting | Value |
|---|---|
| Enable | checked |
| Description | SYNC |
| IPv4 Configuration Type | Static IPv4 |
| IPv4 Address | 172.17.3.2/24 |
Save and Apply Changes.
Add Sync Firewall Rules (fw1-HQ)
Browse to Firewall > Rules, SYNC tab. Add:
| Setting | Value |
|---|---|
| Action | Pass |
| Interface | SYNC |
| Protocol | any |
| Source | any |
| Destination | any |
| Description | allow sync |
Save and apply changes.
Change Interface IPs (fw1-HQ)
The gateway IPs on the internal interfaces need to be CARP IPs so they fail over. Change the LAN and DMZ interface IPs:
- LAN: change from 172.17.1.1 to 172.17.1.2
- DMZ: change from 172.17.2.1 to 172.17.2.2
The .1 IPs will be added back as CARP IPs in the next step. Save and apply changes after each interface.
Add CARP VIPs (fw1-HQ)
Browse to Firewall > Virtual IPs, and click +Add.
LAN CARP VIP
| Setting | Value |
|---|---|
| Type | CARP |
| Interface | LAN |
| IP Address | 172.17.1.1/24 |
| Virtual IP Password | random characters (syncs automatically) |
Leave the remainder at defaults. Save and Apply Changes.
DMZ CARP VIP
| Setting | Value |
|---|---|
| Type | CARP |
| Interface | DMZ |
| IP Address | 172.17.2.1/24 |
| Virtual IP Password | random string |
Note the VHID group increments to 2. Save and apply changes.
Edit Existing WAN VIPs (fw1-HQ)
WAN .4 VIP
Edit 192.0.2.4: change type from IP Alias to CARP, subnet mask /24, VHID Group 3, random Virtual IP Password. Save.
WAN .5 and .6 VIPs
Edit 192.0.2.5 and 192.0.2.6: keep as IP Alias but change parent interface to the WAN CARP IP (192.0.2.4). Save and apply changes.
WAN2 CARP VIPs
Edit 198.51.100.4 and change its type from IP Alias to CARP, then change the parent interface of 198.51.100.5 and 198.51.100.6 to the WAN2 CARP IP (198.51.100.4).
Configure HA Sync (fw1-HQ)
Browse to System > High Avail. Sync:
| Setting | Value |
|---|---|
| Synchronize States | checked |
| Synchronize Interface | SYNC |
| pfsync Synchronize Peer IP | 172.17.3.3 |
| Synchronize Config to IP | 172.17.3.3 |
| Remote System Username | admin |
| Remote System Password | pfsense |
Click toggle all to check all synchronize configuration boxes, then click Save.
Configuration and state synchronization are now fully enabled. Do not make config changes directly on the secondary from here out, as they’ll be overwritten by the primary.
Configure Outbound NAT
Browse to Firewall > NAT, Outbound tab. Edit rules so traffic is NATed to IPs that fail over:
- Edit "HQ 172.17./16 out via WAN IP" — change Translation to 192.0.2.6
- Edit "HQ 172.17./16 out via WAN2 IP" — change Translation to 198.51.100.6
Configure LAN DHCP
Browse to Services > DHCP Server, LAN tab:
- Set default gateway to the LAN CARP VIP 172.17.1.1
- Set Failover Peer IP to fw2-HQ LAN IP 172.17.1.3
- Save
Check Status
Browse to Status > CARP on both fw1-HQ and fw2-HQ. All CARP IPs should show:
- master status on fw1-HQ
- backup status on fw2-HQ
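As an added check (example code, not part of the Netgate lab), the following Python validates the lab's addressing plan against the properties the steps above rely on: the DHCP gateway and NAT translation addresses are CARP VIPs or IP Aliases parented on one, VHIDs are unique, each node's pfsync peer is the other node's SYNC address, and the SYNC subnet is dedicated. fw1-HQ's WAN/WAN2 node addresses (.2) and the WAN2 VHID (4) are assumptions the lab text does not state.

```python
import ipaddress

def check_plan(plan):
    """Return findings for an HA addressing plan; an empty list means it is consistent."""
    findings, nodes = [], plan["nodes"]        # nodes: iface -> (fw1-HQ, fw2-HQ) addr/prefix
    nets = {i: ipaddress.ip_interface(a).network for i, (a, _) in nodes.items()}
    carp = {v["addr"]: v for v in plan["vips"] if v["type"] == "CARP"}
    failover = set(carp)                       # addresses that follow the CARP master
    if len({v["vhid"] for v in carp.values()}) != len(carp):
        findings.append("duplicate VHID among CARP VIPs")
    for v in plan["vips"]:
        if v["type"] == "CARP":
            if ipaddress.ip_address(v["addr"]) not in nets[v["iface"]]:
                findings.append(f"CARP VIP {v['addr']} is outside the {v['iface']} subnet")
        elif v["parent"] in carp:              # an IP Alias moves with its CARP parent
            failover.add(v["addr"])
        else:
            findings.append(f"IP Alias {v['addr']} is not parented on a CARP VIP")
    for label, addr in plan["must_failover"].items():
        if addr not in failover:
            findings.append(f"{label} uses {addr}, which does not fail over")
    fw1_sync, fw2_sync = (str(ipaddress.ip_interface(a).ip) for a in nodes["SYNC"])
    if plan["pfsync_peer"] != {"fw1-HQ": fw2_sync, "fw2-HQ": fw1_sync}:
        findings.append("pfsync peers do not point at the other node's SYNC address")
    for i, n in nets.items():                  # pfsync is unauthenticated: keep SYNC isolated
        if i != "SYNC" and n.overlaps(nets["SYNC"]):
            findings.append(f"SYNC subnet overlaps {i}")
    return findings

# The lab's plan. fw1-HQ's WAN/WAN2 node addresses (.2) and the WAN2 VHID (4)
# are assumptions: the lab text does not state them.
LAB_PLAN = {
    "nodes": {"WAN": ("192.0.2.2/24", "192.0.2.3/24"),
              "LAN": ("172.17.1.2/24", "172.17.1.3/24"),
              "DMZ": ("172.17.2.2/24", "172.17.2.3/24"),
              "WAN2": ("198.51.100.2/24", "198.51.100.3/24"),
              "SYNC": ("172.17.3.2/24", "172.17.3.3/24")},
    "vips": [{"type": "CARP", "iface": "LAN", "addr": "172.17.1.1", "vhid": 1},
             {"type": "CARP", "iface": "DMZ", "addr": "172.17.2.1", "vhid": 2},
             {"type": "CARP", "iface": "WAN", "addr": "192.0.2.4", "vhid": 3},
             {"type": "IP Alias", "parent": "192.0.2.4", "addr": "192.0.2.5"},
             {"type": "IP Alias", "parent": "192.0.2.4", "addr": "192.0.2.6"},
             {"type": "CARP", "iface": "WAN2", "addr": "198.51.100.4", "vhid": 4},
             {"type": "IP Alias", "parent": "198.51.100.4", "addr": "198.51.100.5"},
             {"type": "IP Alias", "parent": "198.51.100.4", "addr": "198.51.100.6"}],
    "must_failover": {"LAN DHCP gateway": "172.17.1.1",
                      "WAN outbound NAT": "192.0.2.6", "WAN2 outbound NAT": "198.51.100.6"},
    "pfsync_peer": {"fw1-HQ": "172.17.3.3", "fw2-HQ": "172.17.3.2"},
}
```

Running `check_plan(LAB_PLAN)` on the plan as configured returns no findings; leaving an alias on the physical interface or pointing NAT at a node address is reported.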
Testing Failover
Force Failover by Disabling CARP on Primary
On fw1-HQ, browse to Status > CARP and click Temporarily Disable CARP. After reload, all CARP IPs change to "disabled." Check fw2-HQ — they should all show master status.
Force Failover by Simulating Power Removal
Navigate to Diagnostics > Halt System and click Reboot on the primary. Within a second after rebooting, fw2-HQ should show master status on all CARP IPs. After fw1-HQ reboots, it will regain master status automatically.
Source Attribution
- Netgate pfSense Plus Fundamentals and Practical Application
- © 2021 Rubicon Communications, LLC (Netgate)
- Source PDF: FUND001-LIVE-Lab10-HA.pdf
- Reference fw2-HQ IPs: WAN 192.0.2.3, LAN 172.17.1.3, DMZ 172.17.2.3