Configuring CARP on pfSense

Purpose

With any firewall and gateway, the issue of a single point of failure is always present. To mitigate this, the Common Address Redundancy Protocol (CARP) was invented for the BSD world. For those of you coming from Cisco or another network gear manufacturer, it functions at a high level much like VRRP or HSRP. The main difference with pfSense is the ability to sync configurations using pfsync. This tutorial gives an overview of configuring this setup within pfSense and shows the effect of downtime on the system.

First of all we have the general layout of this sample setup.

Please note that in a real-world scenario, or anywhere stability matters, you should have a dedicated link between the two pfSense boxes for the CARP process. This keeps outside traffic from interfering and prevents congestion from compromising the sync process running between the two gateway systems.

This also assumes you have already provisioned the two boxes with their general setup and IP assignments; I won't walk through that. Once that is done, pull up the web interface on the master CARP box. In this setup I have made that the 192.168.75.101 firewall. The first step is to add a virtual IP for the CARP interface as shown below.

After this, head over to the CARP Settings tab and use the settings shown. I don't have a screenshot for this since the list is rather long and I can't fit it all on one screen.

Synchronize Enabled : CHECK
Synchronize Interface : LAN
pfSync Peer IP:
Synchronize Rules : CHECK
Synchronize Firewall Schedules : CHECK
Synchronize Aliases : CHECK
Synchronize NAT : CHECK
Synchronize IPsec : CHECK
Synchronize Wake On Lan: CHECK
Synchronize Static Routes: CHECK
Synchronize Load Balancer : CHECK
Synchronize Virtual IPs : CHECK
Synchronize Traffic Shaper: CHECK
Synchronize DNS Forwarder: CHECK
Synchronize To IP: 192.168.75.102
Remote System Password: [WEB GUI Password for remote system]

You may adjust these settings as you see fit, but synchronizing everything keeps things simple; there is no sense in having duplicate and out-of-date configuration.

Next bring up the web interface for the backup CARP pfSense box. In this example it is the one with the LAN IP 192.168.75.102. Go to the Virtual IP tab and configure the following settings.

The main difference here is the advertising frequency, which is set to anything higher than 0, making this box the backup. Then go to the CARP settings page, where you will mostly mimic the settings we used for the master CARP member.

Synchronize Enabled : CHECK
Synchronize Interface : LAN
pfSync Peer IP:
Synchronize Rules : CHECK
Synchronize Firewall Schedules : CHECK
Synchronize Aliases : CHECK
Synchronize NAT : CHECK
Synchronize IPsec : CHECK
Synchronize Wake On Lan: CHECK
Synchronize Static Routes: CHECK
Synchronize Load Balancer : CHECK
Synchronize Virtual IPs : CHECK
Synchronize Traffic Shaper: CHECK
Synchronize DNS Forwarder: CHECK
Synchronize To IP: 192.168.75.101
Remote System Password: [WEB GUI Password for remote system]

After this is saved, we can enable CARP on both systems. To do this, go to Status -> CARP (Failover) and press the Enable CARP button in each system's web interface. After this you should see the screens below on each firewall respectively.

That should be it! To test, I started a constant ping to the virtual IP address and shut down the master box ungracefully. Note that I only lose one packet during the process.
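To put a number on the failover test described above, here is an added Python example (not part of the original tutorial) that parses the output of a constant ping against the CARP virtual IP and reports how many probes went unanswered and how long the longest outage lasted; the VIP 192.168.75.100 and the captured ping lines are constructed for the example. It handles both the BSD/macOS style, where a lost probe prints a "Request timeout" line, and the Linux style, where a lost probe simply prints nothing.

```python
import re

# Constructed sample of ping output against the CARP VIP while the master is
# being shut down: icmp_seq 7 never gets a reply (one lost packet).
SAMPLE_PING = """\
PING 192.168.75.100 (192.168.75.100): 56 data bytes
64 bytes from 192.168.75.100: icmp_seq=0 ttl=64 time=0.412 ms
64 bytes from 192.168.75.100: icmp_seq=1 ttl=64 time=0.398 ms
64 bytes from 192.168.75.100: icmp_seq=2 ttl=64 time=0.401 ms
64 bytes from 192.168.75.100: icmp_seq=3 ttl=64 time=0.417 ms
64 bytes from 192.168.75.100: icmp_seq=4 ttl=64 time=0.389 ms
64 bytes from 192.168.75.100: icmp_seq=5 ttl=64 time=0.405 ms
64 bytes from 192.168.75.100: icmp_seq=6 ttl=64 time=0.410 ms
Request timeout for icmp_seq 7
64 bytes from 192.168.75.100: icmp_seq=8 ttl=64 time=0.455 ms
64 bytes from 192.168.75.100: icmp_seq=9 ttl=64 time=0.421 ms
"""

SEQ_RE = re.compile(r"icmp_seq[= ](\d+)")              # any seq mention
REPLY_RE = re.compile(r"bytes from .*icmp_seq[= ](\d+)")  # answered probes only

def parse_replies(output):
    """Sorted list of icmp_seq values that actually received a reply."""
    return sorted({int(m.group(1)) for m in REPLY_RE.finditer(output)})

def highest_seq(output):
    """Highest sequence number seen in replies or timeout lines (-1 if none)."""
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(output)]
    return max(seqs) if seqs else -1

def find_gaps(replied, last_seq):
    """Runs of consecutive unanswered sequence numbers as (first, last) pairs."""
    answered = set(replied)
    gaps, start = [], None
    for seq in range(last_seq + 1):
        if seq not in answered and start is None:
            start = seq                      # outage begins
        elif seq in answered and start is not None:
            gaps.append((start, seq - 1))    # outage ended at previous seq
            start = None
    if start is not None:                    # capture still in an outage
        gaps.append((start, last_seq))
    return gaps

def failover_report(output, interval_s=1.0):
    """Summarise probes sent/received/lost and the longest outage in seconds."""
    replied = parse_replies(output)
    last = highest_seq(output)
    gaps = find_gaps(replied, last)
    lost = sum(b - a + 1 for a, b in gaps)
    longest = max((b - a + 1 for a, b in gaps), default=0)
    return {"sent": last + 1, "received": len(replied), "lost": lost,
            "gaps": gaps, "longest_outage_s": longest * interval_s}
```

With the default one-second ping interval, the longest outage is simply the longest run of unanswered probes; a run longer than the CARP advertisement timeout indicates something other than the failover itself was wrong.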