2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how pfSense uses CARP to provide hardware redundancy.
Overview of pfSense High Availability Settings
Each CARP cluster node needs its own real IP address. With 2 cluster nodes, each actual interface requires 2 IP addresses, plus one additional IP for each virtual IP address of type CARP. In the example diagram, the WAN IP address of the primary CARP cluster node is 127.29.29.1 and the WAN IP address of the secondary node is 127.29.29.2. The LAN IP address of the primary cluster node is 192.168.1.2 and the LAN IP address of the secondary node is 192.168.1.3.
Add CARP shared virtual IP address
On the primary cluster node, go to Firewall > Virtual IPs and add a virtual IP address of type CARP. The virtual IP address must be on the same subnet as the IP address defined on the actual interface (WAN, LAN, OPT1, etc.). You must use a unique VHID for each shared virtual IP address on a given interface. The node with the lowest skew should be the CARP master for the VIP. When VIPs are synchronized to the secondary node, the XMLRPC process automatically adds 100 to each skew. We recommend that you set the skew to 0 or 1 on the primary node's CARP virtual IPs.
Set up dedicated synchronization interface
It is strongly recommended that you use a dedicated synchronization interface, especially for the state synchronization handled by pfsync. This is not only for security, but also for resource usage: state synchronization generates a lot of traffic in a busy network environment. Configure the synchronization interface on each cluster node with an IP address in the same subnet. For example, enter 192.168.4.1 on the primary cluster node and 192.168.4.2 on the secondary cluster node. Use a /24 subnet (255.255.255.0).
Add firewall synchronization rules
Before configuring synchronization, add firewall rules on the synchronization interface that pass traffic between the nodes.
Navigate to Firewall > Rules and open the synchronization interface tab.
Add rules that allow traffic from the synchronization network to any destination.
Enable state synchronization (pfsync)
Enable state synchronization on all cluster nodes.
Under System > High Avail. Sync, enable Synchronize States.
Select the correct Synchronize Interface for state synchronization.
If you are using two cluster nodes, enter the other node's synchronization interface IP address in pfsync Synchronize Peer IP.
In the example diagram, the primary cluster node is set to 192.168.4.2 and the secondary node is set to 192.168.4.1.
Click Save.
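The addressing rules from the sections above (two real IPs per interface, CARP VIPs in the interface subnet, unique VHIDs, primary skew of 0 or 1, crosswise pfsync peers) can be checked before touching the GUI. This is an added example, not code from the article or from pfSense; the `PLAN` structure and `check_plan` are hypothetical, and the WAN and VIP addresses are constructed sample values.

```python
import ipaddress

# Constructed address plan (hypothetical structure). Sync IPs follow the article;
# the WAN addresses and all VIPs are documentation-range sample values.
PLAN = {
    "interfaces": {
        "WAN":  {"primary": "198.51.100.2/24", "secondary": "198.51.100.3/24"},
        "LAN":  {"primary": "192.168.1.2/24",  "secondary": "192.168.1.3/24"},
        "SYNC": {"primary": "192.168.4.1/24",  "secondary": "192.168.4.2/24"},
    },
    "vips": [
        {"iface": "WAN", "ip": "198.51.100.1", "vhid": 1, "skew": 0},
        {"iface": "LAN", "ip": "192.168.1.1",  "vhid": 2, "skew": 0},
    ],
    "pfsync_peer": {"primary": "192.168.4.2", "secondary": "192.168.4.1"},
}

def check_plan(plan):
    """Return a list of violations of the article's addressing rules."""
    problems = []
    ifaces = {n: {r: ipaddress.ip_interface(a) for r, a in v.items()}
              for n, v in plan["interfaces"].items()}
    # Both nodes need distinct real addresses in one subnet per interface.
    for name, n in ifaces.items():
        if n["primary"].network != n["secondary"].network:
            problems.append(f"{name}: nodes are in different subnets")
        if n["primary"].ip == n["secondary"].ip:
            problems.append(f"{name}: nodes share one real IP")
    seen = set()
    for v in plan["vips"]:
        n, ip = ifaces[v["iface"]], ipaddress.ip_address(v["ip"])
        # A CARP VIP lives in the interface subnet and is an additional address.
        if ip not in n["primary"].network:
            problems.append(f"VIP {ip}: outside {v['iface']} subnet")
        if ip in (n["primary"].ip, n["secondary"].ip):
            problems.append(f"VIP {ip}: collides with a node's real IP")
        # VHIDs must be unique per interface.
        if (v["iface"], v["vhid"]) in seen:
            problems.append(f"VIP {ip}: VHID {v['vhid']} reused on {v['iface']}")
        seen.add((v["iface"], v["vhid"]))
        # Primary should hold the lowest skew (0 or 1); sync adds 100 on the peer.
        if v["skew"] not in (0, 1):
            problems.append(f"VIP {ip}: primary skew {v['skew']} is not 0 or 1")
    # Each node's pfsync peer is the other node's sync address.
    sync = ifaces["SYNC"]
    for role, other in (("primary", "secondary"), ("secondary", "primary")):
        if ipaddress.ip_address(plan["pfsync_peer"][role]) != sync[other].ip:
            problems.append(f"{role}: pfsync peer is not the {other} sync IP")
    return problems
```

An empty list from `check_plan(PLAN)` means the plan satisfies every rule checked here.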
Enable configuration synchronization (XMLRPC synchronization)
Before continuing, set the same administrator user password and webConfigurator protocol (for example, HTTPS) on each cluster node.
Configuration synchronization settings can only be enabled on the primary cluster node.
Go to System > High Avail. Sync.
Enter the IP address of the secondary node in "Synchronize Config to IP" (192.168.4.2 in the example above).
Enter the administrator user name in "Remote System Username" (other usernames will not work).
Enter the remote system password in "Remote System Password" (the password should be the same on all nodes).
Select the items that need to be synchronized.
When you click Save, the selected items are synchronized to the secondary node.
Set manual outbound NAT
On the Firewall > NAT > Outbound tab, select Manual outbound NAT and click Save.
Edit the automatically added rule for LAN.
Select a shared CARP virtual IP address on WAN as the translation address.
Click Save.
Click Apply Changes.
Note: do not add outbound NAT rules that may match the WAN / public IP addresses of the cluster nodes. This includes rules that explicitly list the public IP addresses and rules whose source is set to any. Such NAT rules cause other problems and break outbound connections from the secondary node while it is in the backup state.
Set the DHCP server to use a CARP LAN IP address
On the primary node, go to Services > DHCP Server and click the LAN tab.
Set the default gateway to the CARP VIP on LAN, for example, 192.168.1.3.
Set the DNS server to the CARP VIP on LAN, for example, 192.168.1.3.
Enter the IP address of the secondary node in Failover peer IP. This is adjusted automatically during synchronization.
Click Save.
Verify XMLRPC synchronization
Access the secondary cluster node and verify that the NAT, virtual IP address and rules are synchronized correctly.
Verify CARP status
On both nodes, check Status > CARP (failover). If either system displays a button for Enable CARP, click it.
On this page, verify that VIP displays the correct status. On the primary node, each VIP should display MASTER. On the secondary node, each VIP should display BACKUP.
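The same MASTER/BACKUP check can be scripted from a shell on each node. This is an added example, not part of the original article; it assumes FreeBSD `ifconfig` output with its `carp:` status lines, identical interface names on both nodes, and uses constructed sample output. `parse_carp` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed `ifconfig` excerpts in FreeBSD's CARP line format (assumption:
# captured from a shell on each node; interface names are sample values).
PRIMARY_OUT = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""
# Healthy secondary: same VIPs, BACKUP state, skew raised by 100 by XMLRPC sync.
SECONDARY_OUT = PRIMARY_OUT.replace("MASTER", "BACKUP").replace("advskew 0", "advskew 100")

IFACE_RE = re.compile(r"^([\w.]+): flags=")
CARP_RE = re.compile(r"^\s+carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(output):
    """Map (interface, vhid) -> (state, advskew) from ifconfig text."""
    result, iface = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = CARP_RE.match(line)
        if m and iface:
            result[(iface, int(m.group(2)))] = (m.group(1), int(m.group(4)))
    return result

def check_pair(primary_out, secondary_out):
    """Compare both nodes' CARP state against the expected MASTER/BACKUP split."""
    pri, sec = parse_carp(primary_out), parse_carp(secondary_out)
    findings = []
    for key in sorted(set(pri) | set(sec)):
        p, s = pri.get(key), sec.get(key)
        label = f"{key[0]} vhid {key[1]}"
        if p is None or s is None:
            findings.append(f"{label}: VIP present on only one node")
            continue
        if p[0] != "MASTER":
            findings.append(f"{label}: primary is {p[0]}, expected MASTER")
        if s[0] != "BACKUP":
            findings.append(f"{label}: secondary is {s[0]}, expected BACKUP")
        # XMLRPC sync adds 100 to the primary's skew on the secondary.
        if s[1] != p[1] + 100:
            findings.append(f"{label}: secondary skew {s[1]}, expected {p[1] + 100}")
    return findings
```

A VIP reported as MASTER on both nodes, or present on only one of them, points back to the synchronization interface rules and the XMLRPC checklist.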
Note:
The following items must be checked to ensure that the XMLRPC configuration between the two nodes is synchronized correctly:
1. The user name on all nodes must be admin.
2. The passwords on all nodes must match.
3. The webConfigurator protocol must be the same on each cluster node (HTTP or HTTPS).
4. The webConfigurator port must be the same on each cluster node (for example, 443).
5. The synchronization interface on the secondary node must be enabled.
6. Interfaces on all nodes must be assigned in the same order.
7. The Synchronize Config to IP option must point to the synchronization interface IP address of the secondary node.
8. Traffic must be allowed to the webConfigurator port on the synchronization interface of the secondary node.
9. Verify that the XMLRPC configuration synchronization options are selected only on the primary node.