i VIP – pfSense – All things in moderation

VIP – pfSense

For configuration we need at least 2 pfSense virtual machines with 3 network cards per machine.
Add network card: Firewall -> Virtual IPs

Build Cluster
First you need to configure a firewall rule on both machines to allow the firewalls to communicate with each other on SYNC.
Click “Firewall | Rules”, choose SYNC ** in tag **Interface. Click button Plus to add a new firewall rule entry. Configure “Protocol” is “any“, add a description to be able to define rules. Click Save, then click Apply Changes if necessary.

Still on the firewall backup, here we need to configure the CARP synchronization and configure it to be just a copy. Click on “Firewall | Virtual IPs”> “Firewall | Virtual IPs”, tick the “Synchronize Enabled” box. Select “Synchronize Interface to SYNC“, then save this change.

Carry out the CARP synchronization configuration on the primary firewall.
Log in your primary firewall, click on “Firewall | Virtual Ips“, switch to the “CARP Settings” tab and check the “Synchronize Enabled” box. In the Synchronize Interface **select “SYNC” as the default, check the boxes under “Synchronize Rules“, “Synchronize NAT“, “Synchronize Virtual IPs“.
Then enter the **IP SYNC
address of the replica firewall in the “Synchronize to IP” box and set the password in the “Remote System Password” box.
Click Save to save your changes.

Next we configure the Virtual IP address for both firewalls to use. To do this go to “Firewall | Virtual IPs” and switch to the “Virtual Ips” tab.
First is to set the IP address of the Interface’s WAN, click Plus button to add the new virtual IP, make sure the IP type is set to CARP. This WAN address will be used throughout your system regardless of whether the primary firewall or backup firewall.

Next create a password in the “Virtual IP Password” box, keep the value 1 for “VHID Group” and the value 0 for “Advertising Frequency“, add a description in Description and click Save to save.

Likewise, we configure** Virtual IP address** for LAN in Interface. The steps do not differ from the above for the WAN, except for the “VHID Group” you replace with the value of 3, place another description and click Save to save the changes.

Turn on synchronous
Over all machines:
Tag** System > High Avail. Sync**

With IP the machine’s ip will be synchronized. The model above will be if you are configuring the machine
Complete and save. (Save)

Enable Configuration Synchronization (XMLRPC Sync)

Set password admin
Choose HTTPs:
check enable webConfigurator login autocomplete

Set password admin:
Click user

On Primary Firewall, we will configure Synchronization

IP is the ip of the backup firewall.

username: admin
password: you config

Select the option to synchronize.
Once completed, all modifications on Primary will sync to the backup.

Leave a Reply