In the past few articles, I have explained some of the typical load balancing and failover scenarios for which pfSense can be used. In this article, I will demonstrate how to set up a CARP redundant firewall using pfSense.
The Common Address Redundancy Protocol (CARP) is a protocol which allows multiple hosts on the same network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, although it can also provide load balancing functionality. If there are two or more computers running CARP, if the primary server fails, then one of the other servers will take over, and pfsyncd will be used to synchronize packet filter states.
A group of hosts using CARP is called a “group of redundancy”; this group allocates itself an IP address which is shared or divided among the members of this group. Within this group, a host is designated as a “Master” and the other members are designated as slaves. The main host is the one that takes the IP address; this host answers any traffic or ARP request brought to the attention of this address. Each host has, in addition to the shared IP address, a second unique IP address is required. For example, if you want to have 2 cluster members, you will need 2 IP addresses for the real interfaces and then an IP for each virtual IP address. So in this case it would amount to 3.
One use of CARP is the creation of redundant firewalls. The virtual IP address allotted to the group of redundancy is indicated as the address of the default router on the computers behind the group of firewalls. If the main firewall breaks down or is disconnected from the network, the virtual IP address will be taken by one of the firewall slaves and the firewall will continue to be available. Setting up a redundant CARP firewall requires two separate an identical pfSense machines. We want each machine to have at least 3 interfaces: a WAN interface, LAN interface, and an interface dedicated to the syncing process (pfsync).
Firewall Failover with CARP, Step One: Interface Settings
First, we need to set up the WAN, LAN and SYNC interfaces on both machines. On the first system, designated as the primary system, the settings are as follows:
- WAN: 192.168.4.1
- LAN: 192.168.1.30
- SYNC: 192.168.5.1
For the backup system, the settings are as follows:
- WAN: 192.168.4.2
- LAN: 192.168.1.31
- SYNC: 192.168.5.2
Firewall Failover with CARP, Step Two: Adding Rules and Enabling CARP Synchronization
On both machines, we need to add a firewall rule to allow traffic on the SYNC interface. Navigate to Firewall -> Rules and click on the SYNC interface tab. Click the “plus” button to add a new firewall rule. At “Protocol“, set the protocol to “any“. At “Description“, add an appropriate description. Then press the “Save” button to save the changes and press the “Apply changes” button on the next page if necessary.
Next, we need to go to the backup pfSense machine and enable CARP synchronization. Navigate to Firewall -> Virtual IPs and click the “CARP Settings” tab. In the “State Synchronization Settings (pfsync)” section, check the “Synchronize States” check box. At “Synchronize Interface“, choose SYNC as the interface. Then press the “Save” button to save the changes.
Returning to the primary pfSense machine, we also need to enable CARP synchronization. Again we will navigate to Firewall -> Virtual IPs and click the “CARP Settings” tab. We will again click the “Synchronize States” check box and choose SYNC as the “Synchronize Interface“. In addition, we will check the following:
- Synchronize Rules
- Synchronize nat
- Synchronize Virtual IPs
At “Synchronize Config to IP“, enter the IP address of the backup pfSense system. Also set the “Remote System Password” to the password of the backup pfSense system. Then press the “Save” button and save the changes.
Firewall Failover with CARP, Step Three: Adding Virtual IPs
Finally, we must configure a virtual IP address for the WAN and LAN interfaces on the primary pfSense machine. Navigate to Firewall -> Virtual IPs and click on the “Virtual IPs” tab. Click the “plus” button to add a new virtual IP. At “Type“, choose the CARP radio button. At “Interface”, set the interface to LAN. At “IP Address“, set the address as the single WAN address that will be used for all clients regardless of whether the primary or backup firewall is active. At “Virtual IP Password“, set a password. You can leave “VHID Group” set to 1 and “Advertising Frequency” set to 0. At “Description“, add an appropriate description. Press the “Save” button to save the changes and press the “Apply changes” button on the next page to apply the changes if necessary.
In order to create the virtual IP address for the LAN interface, we can repeat the above steps, with the following modifications:
- At “Interface“, set the interface to LAN
- At “IP Address“, set the address to the single LAN address that will be used as the default gateway for all clients regardless of whether the primary or backup firewall is active
- The default “VHID Group” setting will be 2; leave this unchanged
Now that we have added the virtual IP addresses, configuration is done. The two firewalls will constantly sync their rules, NAT, and virtual IP settings so that if the primary dies, the backup will immediately take its place.