Shulou(Shulou.com)06/02 Report--

Online pfsense dual hot standby, the introduction is not too detailed, some versions are too old, and the current software settings are not the same. In this tutorial, I will do an example tutorial on the dual-computer hot backup settings of pfsense. As long as you follow the steps, I believe you will soon learn to set up. Before reading this tutorial, it is recommended to take a look at this article to figure out the basic principles of dual-computer setup: PfSense and CARP hardware redundancy.

Software version: pfsense 2.3.4_p1 Chinese version.

Configuration of one or two hosts

Master pfsense

IP LAN:192.168.1.1 / 24

IP WAN:192.168.133.122 / 24

IP Sync HA:192.168.200.1 / 24

Deputy pfsense

IP LAN:192.168.1.2 / 24

IP WAN:192.168.133.99/ 24

IP Sync HA:192.168.200.2 / 24

CARP shared virtual IP address

LAN:192.168.1.200 / 24

WAN:192.168.133.200 / 24

The HA interfaces of the two hosts must remain connected.

The configured interfaces are as follows:

Master pfsense:

Deputy pfsense:

II. Firewall rule settings

The firewall rules of the synchronization interface HA for communication between the two hosts are as follows:

III. HA host configuration

Secondary pfsense host configuration

Enter the WEB interface of the deputy pfsense host

Navigate to the system-dual backup, set up and save as shown below. The synchronization items here do not need to be selected.

Primary pfsense host configuration

Enter the WEB interface of the main pfsense host

Navigate to the system-dual backup, set up and save as shown below.

Items that are synchronized to the deputy pfsense are selected as needed.

IV. CARP settings

(1) Master pfsense setting

LAN interface virtual IP

Navigate to Firewall-Virtual Interface-Virtual IP, click add, press the figure below to set up and save.

Virtual IP passwords are set to be unified and easy to manage.

WAN interface virtual IP

Navigate to Firewall-Virtual Interface-Virtual IP, click add, press the figure below to set up and save.

After configuration, see the following figure

CARP statu

Navigate to system state-CARP

(2) Deputy pfsense settings

LAN interface virtual IP

Navigate to Firewall-Virtual Interface-Virtual IP, click add, press the figure below to set up and save.

Note here that the setting of the deviation value is different from that of the main pfsense. WAN interface virtual IP

Navigate to Firewall-Virtual Interface-Virtual IP, click add, press the figure below to set up and save.

Note here that the setting of the deviation value is different from that of the main pfsense. After configuration, see the following figure

The status of CARP is shown in the following figure

After the above settings, the dual-computer hot backup has been completed.

If the two hosts cannot be configured synchronously, set the manual outbound NAT.

Navigate to Firewall-address Translation-outbound and select manual outbound NAT rule generation.

Edit the automatically added rule on LAN and select a shared CARP virtual IP address on WAN as the forwarding address.

Click Save.

Click apply changes.

Next, let's test it.

On the primary pfsense, add a port forwarding entry to see if it can be synchronized to the secondary pfsense host (note: only the settings of the host pfsense can be synchronized).

Check on the secondary pfsense host, have synchronized, and test the OK.

V. Internet access settings of the client

In order to ensure that the primary pfsense can use the secondary pfsense host to surf the Internet after being dropped or crashed, the gateway of the client computer must be set to CARP VIP on the LAN, as shown below (static address):

When the main pfsense is turned off, the system will automatically switch to the secondary pfsense to surf the Internet.

If DHCP with the LAN interface enabled automatically assigns IP addresses, the following settings must be made:

On the primary pfsense, navigate to the system service-DHCP service, and click the LAN tab.

Set the default gateway to CARP VIP on LAN, which in this case is 192.168.1.200.

Set the DNS server to CARP VIP on LAN, for example, 192.168.1.200.

Enter the IP address of the secondary pfsense in the failover peer IP, and here enter 192.168.200.2, which will automatically adjust during synchronization.

Click Save, as shown in the following figure.

I watch video tutorials.

2017-8-2

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.