How to Set Up pfSense Highly Available Dual Firewalls

I’ve been using pfSense for years now and just realized I hadn’t set up a highly available cluster of two firewalls. I’ve been running Dell R210 servers as our firewalls with 8GB RAM and a 128GB SSD. They work excellently with low power usage; however, they only have a single power supply, unlike the R610 models, which can have dual power supplies. So I thought: why not set up two R210 servers with failover, so that if there is a power issue, or we need to do maintenance on a firewall, there will always be one available.

These are the steps I went through in setting up the firewalls and the routing changes I made.

Setting up a pfSense initial install

I installed two pfSense firewalls and set their IP addresses. I’m going to assume you know how to install pfSense, so we’ll start by having two firewalls ready to go.

I have an external network of 192.168.107.0/24 and an internal network of 10.10.0.0/24. So let’s assign these IPs to each of the firewalls.

Firewall 1
Name = laxfw1.example.com
WAN = 192.168.107.2
WAN Gateway = 192.168.107.1
LAN = 10.10.0.2

Firewall 2
Name = laxfw2.example.com
WAN = 192.168.107.3
WAN Gateway = 192.168.107.1
LAN = 10.10.0.3

These servers only have two Ethernet ports, so we’re going to carry the state and configuration sync traffic over the 10.10.0.0/24 LAN alongside the failover addresses. If you have additional Ethernet ports, it’s better to separate the firewall sync traffic onto a dedicated interface if possible, since pfsync traffic is neither authenticated nor encrypted.

Configuring pfSense High Availability Sync

On each firewall, go into System > Advanced

Make sure the webConfigurator protocol on both is set to the same value (HTTP or HTTPS). When I set up HA the first time I somehow had one firewall set to HTTP and the other to HTTPS, which caused sync errors, so note that they must have the same setting.

Next, go to System > High Availability Sync

Check the Synchronize States

Set Synchronization Interface to LAN

If you have a dedicated interface available for pfsync, change this setting to that dedicated interface instead.

Set pfsync Synchronize Peer IP to 10.10.0.3

Do the same for state synchronization on the secondary firewall, but set the other firewall’s IP, 10.10.0.2, as its peer.

Next, set the XMLRPC Sync settings on the first firewall only; leave them unset on the secondary.

Set Synchronize Config to IP to 10.10.0.3

Set the Remote System Username and Password that will be used to push the settings to the secondary.

Select the options to sync; in my case I checked all items.

Now everything should sync from firewall one to firewall two as we make changes.

Setting CARP Addresses

Now that the firewalls are in sync, we need to set up IP addresses, one external and one internal, that are used as the gateway. These IPs will fail over between firewalls if anything happens.

Go to Firewall > Virtual IPs

Now set up an IP on the LAN that servers behind the firewall will use as their gateway address.

Type = CARP
Interface = LAN
Address = 10.10.0.1
Virtual IP Password = (set something here)
VHID = (it should auto increment this number)
Advertising frequency = 1

You probably don’t need to set a WAN CARP address if you’re just using NAT. In our case, a single firewall gets a /30 on its external interface and a pair gets a /29 on the WAN interface, and we then route the customer’s additional public /28 range to the firewall’s WAN IP. Since that WAN IP also needs to fail over, we set a CARP IP on the WAN as well.

Type = CARP
Interface = WAN
Address = 192.168.107.4
Virtual IP Password = (set something here)
VHID = (it should auto increment this number)
Advertising frequency = 1

So, rather than routing the customer’s additional /28 to a firewall interface IP, we route it to the CARP IP in our access switch configuration.

You should be able to verify on the second firewall that these settings transferred over automatically. If not, you’ll need to double-check your previous settings.
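To confirm the CARP state from the console after the VIPs sync, here is an added shell check (not from the original post) that parses FreeBSD/pfSense `ifconfig` output and flags a node that is MASTER on one VHID but BACKUP on the other, a split that leaves each firewall owning half of the gateway pair. The interface names em0/em1, the VHIDs and the sample output are assumptions I constructed to match the format pfSense prints for CARP addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarize CARP VIP state from
# FreeBSD/pfSense `ifconfig` output and flag a node whose WAN and LAN VHIDs
# disagree (one MASTER, one BACKUP), which breaks forwarding through the pair.
# Interface names em0/em1 and VHIDs 1-2 are assumptions; the samples below are
# constructed to mimic the lines pfSense prints for CARP addresses.

# Emit one "iface vhid STATE" line per CARP VIP found in the ifconfig text.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9.]+:/   { iface = $1; sub(/:$/, "", iface) }
        /^[ \t]*carp: /  { print iface, $4, $2 }'
}

# Count how many CARP VIPs this node currently holds as MASTER.
carp_master_count() {
    carp_states "$1" | awk '$3 == "MASTER"' | wc -l | tr -d ' '
}

# Succeed only when every CARP VIP on the node is in the same state
# (all MASTER or all BACKUP). Mixed states mean the two firewalls each
# own part of the gateway pair, usually a WAN-side link or pfsync problem.
carp_consistent() {
    n=$(carp_states "$1" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Constructed sample: healthy primary holding both VIPs from the post.
SAMPLE_OK='em0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.107.2 netmask 0xffffff00 broadcast 192.168.107.255
    inet 192.168.107.4 netmask 0xffffff00 broadcast 192.168.107.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
em1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.10.0.2 netmask 0xffffff00 broadcast 10.10.0.255
    inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed sample: the same node after losing only the LAN election.
SAMPLE_SPLIT=$(printf '%s\n' "$SAMPLE_OK" | sed 's/carp: MASTER vhid 1/carp: BACKUP vhid 1/')

# On a live pfSense box run:  carp_states "$(ifconfig)"
carp_states "$SAMPLE_SPLIT"
carp_consistent "$SAMPLE_SPLIT" || echo "WARNING: CARP VHIDs disagree on this node"
```

Run the same check on both nodes: the healthy picture is every VHID MASTER on one firewall and every VHID BACKUP on the other.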

Once that is done, you can go through all your settings for NAT and firewall rules, and they will automatically sync to the second firewall whenever you apply changes.

We also use HAProxy for load balancing; there’s a separate setting in the HAProxy package, HAProxy Sync, that you need to check if you want those settings to copy over as well.

That should do it for you.