aeonmike pf clustering doc guide


Upload: conrad-cruz

Post on 13-Jul-2015





TRANSCRIPT

Page 1: Aeonmike pf clustering doc guide

Network Configuration:

            PFSENSE1_PRIMARY    PFSENSE2_BACKUP
WAN IP:     192.168.168.110     192.168.168.111
SYNC IP:    172.16.0.1          172.16.0.2
LAN IP:     10.1.0.1            10.1.0.2

The two IP addresses below are shared between the firewalls:

WAN Virtual IP: 192.168.168.254
LAN Virtual IP: 10.1.0.254

Building The Cluster

The first thing to configure is a firewall rule on both boxes that allows the firewalls to talk to each other over the SYNC interfaces.

To do that click on "Firewall | Rules", click on the "SYNC" interface, click on the "Plus" button to add a new firewall rule entry, set "Protocol" to "any", add a description so you can identify what the rule does, then click on "Save", and then click "Apply Changes" if necessary.

Keep in mind what this rule admits: pfsync state synchronization (IP protocol 240), which carries no authentication, and the XML-RPC configuration sync, which carries the remote system password. The SYNC interfaces therefore belong on a dedicated link or VLAN with nothing else on it. On such a segment "Protocol: any" is tolerable; if the segment is shared with anything else, restrict the rule to the peer's SYNC address as the source and to pfsync plus the webConfigurator port.


On the backup firewall, configure CARP synchronization so that the box acts as a backup only: click on "Firewall | Virtual IPs", then click on "CARP Settings", tick the "Synchronize Enabled" checkbox, select "SYNC" as the "Synchronize Interface", then save the changes. Leave "Synchronize to IP" empty on the backup: configuration is pushed one way, from the primary to the backup, and setting it on both boxes would make each one overwrite the other.

We have now finished configuring the backup firewall; next we configure CARP sync on the primary firewall.

Log back into your primary firewall, click on "Firewall | Virtual IPs", click on the "CARP Settings" tab, tick the "Synchronize Enabled" box, select "SYNC" as your synchronize interface, and tick the following boxes: "Synchronize Rules", "Synchronize NAT", "Synchronize Virtual IPs".

Then enter the backup firewall's SYNC IP address (172.16.0.2 in this setup) in the "Synchronize to IP" box, and set "Remote System Password" to the backup firewall's admin password. This is the credential the primary presents to the backup's web interface when it pushes configuration, so it must match exactly.


Save changes, apply changes if necessary.

Now we need to configure the virtual IP addresses that both firewalls will share. To do this go to "Firewall | Virtual IPs" and click on the "Virtual IPs" tab.

We will set the WAN address first: press the "Plus" button to add a new Virtual IP, make sure the type is set to "CARP", set the interface to "WAN", and set the IP address (192.168.168.254 here). Remember that this is the WAN address the rest of your systems use regardless of whether the primary or the backup firewall is active.

Next create a "Virtual IP Password", leave the "VHID Group" set to 1 and leave the "Advertising Frequency" at 0, add a description, then save and apply changes. The password is the key CARP uses to authenticate advertisements for this VHID, so both nodes must hold the same one (the sync takes care of that). The advertising frequency decides the election: the node that advertises most often, that is with the lowest base and skew, becomes master, which is why the primary keeps 0.


Now we have to configure a Virtual IP address for the LAN interface.

It is basically the same process as above; the only differences are that you set the "Interface" to LAN, set the "VHID Group" to 3 (a VHID must be unique on the segment where it is advertised, so each virtual IP gets its own number) and enter a different "Description". Save the changes and apply.

As you can see in the "Firewall | Virtual IPs" section you will have two virtual IPs listed as CARP types.


If you log onto the backup firewall's web interface and click on "Firewall | Virtual IPs" you should see the virtual IPs synchronized to the backup firewall.

Here is how it works: the two pfSense firewalls continuously sync their rules, NAT, virtual IPs and any other settings you selected in the synchronize options, and if for any reason the primary firewall dies, the backup takes over the virtual IPs and keeps serving traffic.
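A post-build check for the cluster described above, added here as an example and not part of the original guide. It parses the output of `ifconfig` and `pfctl -sr` (captured from each node) to report the CARP state and dead time per VHID, to confirm that every VHID has exactly one MASTER across the two nodes, and to flag a SYNC rule that passes everything. The interface names em0/em1/em2, the samples, and the backup's advertising skew of 100 (chosen so the backup loses the election) are constructed assumptions, not captures from the guide's systems.

```shell
#!/bin/sh
# carp_check.sh: post-build checks for a two-node pfSense CARP cluster.
# Added example, not part of the original guide. Each function takes
# command output as text (so captures from both nodes can be compared
# on one box); the samples at the bottom are constructed, not real.

# One line per CARP VHID: "<vhid> <state> <advbase> <advskew> <dead_s>".
# dead_s = 3 x (advbase + advskew/256): how long a backup goes without
# hearing the master before it promotes itself.
carp_states() {
    printf '%s\n' "$1" | awk '/^[ \t]*carp:/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "vhid")    vhid = $(i + 1)
            if ($i == "advbase") base = $(i + 1)
            if ($i == "advskew") skew = $(i + 1)
        }
        printf "%s %s %s %s %.2f\n", vhid, $2, base, skew, 3 * (base + skew / 256)
    }'
}

# Takes ifconfig output from both nodes; exits non-zero and names any
# VHID that does not have exactly one MASTER. Zero masters means nobody
# owns the shared IP; two means split brain (broken SYNC link, or the
# same VHID advertised twice on one segment).
carp_election_check() {
    { carp_states "$1"; carp_states "$2"; } | awk '
        { seen[$1] = 1 }
        $2 == "MASTER" { masters[$1]++ }
        END {
            bad = 0
            for (v in seen) {
                n = masters[v] + 0
                if (n != 1) { printf "vhid %s: %d masters\n", v, n; bad = 1 }
            }
            exit bad
        }'
}

# Takes `pfctl -sr` output and the SYNC interface name; exits non-zero
# for a rule on that interface that passes everything ("inet all"),
# which is how the guide's "Protocol: any" rule is rendered by pf.
sync_rule_check() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        index($0, "on " ifn " ") && / all / { print "overly broad: " $0; bad = 1 }
        END { exit bad + 0 }'
}

# --- constructed samples in the guide's addressing (em0=WAN, em1=LAN, em2=SYNC assumed) ---
PRIMARY_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.168.110 netmask 0xffffff00 broadcast 192.168.168.255
        inet 192.168.168.254 netmask 0xffffff00 broadcast 192.168.168.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        inet 10.1.0.254 netmask 0xffffff00 broadcast 10.1.0.255 vhid 3
        carp: MASTER vhid 3 advbase 1 advskew 0'
BACKUP_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.168.111 netmask 0xffffff00 broadcast 192.168.168.255
        inet 192.168.168.254 netmask 0xffffff00 broadcast 192.168.168.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.2 netmask 0xffffff00 broadcast 10.1.0.255
        inet 10.1.0.254 netmask 0xffffff00 broadcast 10.1.0.255 vhid 3
        carp: BACKUP vhid 3 advbase 1 advskew 100'
# The guide's rule as pf renders it, and a tightened version (constructed).
BROAD_RULES='pass in quick on em2 inet all keep state label "USER_RULE: allow sync"'
TIGHT_RULES='pass in quick on em2 inet proto pfsync from 172.16.0.2 to 172.16.0.1 label "USER_RULE: pfsync from peer"
pass in quick on em2 inet proto tcp from 172.16.0.2 to 172.16.0.1 port = https flags S/SA keep state label "USER_RULE: xmlrpc from peer"'

echo "primary:"; carp_states "$PRIMARY_IFCONFIG"
echo "backup:";  carp_states "$BACKUP_IFCONFIG"
carp_election_check "$PRIMARY_IFCONFIG" "$BACKUP_IFCONFIG" && echo "election: one master per VHID"
sync_rule_check "$BROAD_RULES" em2 || echo "SYNC rule needs tightening"
sync_rule_check "$TIGHT_RULES" em2 && echo "tightened SYNC rule passes"
```

On a live node, feed the functions real output instead of the samples, e.g. `carp_states "$(ifconfig)"` and `sync_rule_check "$(pfctl -sr)" em2`, and copy the other node's `ifconfig` output over to run `carp_election_check` against both. The dead-time column shows why a backup with base 1 and skew 100 needs roughly four seconds of silence before it promotes itself; the time pfSense then spends bringing up the addresses comes on top of that.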

Please be aware that when I was testing this there was a 10-second delay before the backup firewall took over, because the FreeBSD OS has to apply the virtual IP addresses to the interfaces once it has lost connection to the primary firewall.