Configurate HA pfsense cluster

Page content

In this post I will configure 2 pfsense server to a HA cluster.

The Architecture

 ------ WAN ------
 |               |
PF1 -- sync -- PF2
 |               |
 ----- LAN -------  

WAN: 192.168.0.0/24 (Bridgelt)
LAN: 10.0.1.0/24
SYNC: 10.0.2.0/24
pf1:
WAN 192.168.0.21
LAN: 10.0.1.21
SYNC:10.0.2.21

pf2:
WAN 192.168.0.22
LAN: 10.0.1.22
SYNC:10.0.2.22

Example image

Example image

Example image

Firewall rules For sync

On both firewalls add two rules to allow traffic on the SYNC interface:
go to Firewall > Rules > Sync and click Add.

Rule 1: Example image

Rule 2: Example image

Rule 3: Example image

Synchronization Settings

Go to System > High Availability Sync and configure the sections like on the pictures.

Master: Example image

Slave: Example image

Test the synchronisation. Go to System > User management and createa new user on the master node.
Then check on the slave node.

If it doesn’t work, check:

  • Are the firewall web interfaces running on the same protocols and ports?
  • Is the admin password set correctly? (User Manager > Users > admin.)
  • Are the firewall rules to allow synch set to use the correct interface (SYNC)?
  • If you’re using VMs, are the firewalls on the same internal network?

create virtual IPs

On the master node go to Firewall > Virtual IPs and click Add. Create a new VIP adres for LAN and WAN interfaces.

WAN VIP on master: Example image

WAN VIP on salave: Example image

LAN VIP on master: Example image

LAN VIP on slave: Example image

Change outbound NAT

Change the configuration of the outbound NAT to use the shared public IP (the WAN VIP)
Go to Firewall > NAT > Outbound and set the mode to Hybrid Outbound NAT rule generation.

Example image

Example image

Find your LAN IP ranges (there should be two) and click the edit icon and change the Translation Address to the WAN VIP address.

Example image

Do the same for the other LAN network mapping. It should end up looking like this:

Example image

If you’ll be using your pfSense firewall as a DNS resolver you must change the settings of the DNS service (Services > DNS Resolver > General Settings) to lissen on the LAN VIP address. Then chnage the address of the DNS server in the DHCP configuration to us the LAN VIP adress.

comments powered by Disqus