Configure high availability (HA) on pfSense 2.6

  • Firewall
  • pfSense
  • 24 August 2025 at 08:29 UTC
  • InformatiWeb
  • 4/5

8. Change DHCP server configuration (to synchronize DHCP leases)

So that the DHCP servers on your 2 pfSense machines both know the machines currently on the network and do not hand out the same IP address to 2 machines on the LAN, you need to slightly modify the DHCP server configuration on the 1st pfSense machine (master).
To do this, go to: Services -> DHCP Server.

Go to the "LAN" tab of the DHCP server.

In the "Servers" section, specify the CARP virtual IP (VIP) address for the LAN as the preferred DNS server.
This way, the machines on the LAN will always communicate with whichever pfSense machine is currently acting as master.

In the "Other Options" section:

  • Gateway: specify the CARP virtual IP (VIP) address again, this time as the default gateway for machines on the LAN.
    This way, if one of the pfSense machines fails at any point, your LAN machines will transparently keep their access to the Internet and the network.
  • Failover peer IP: indicate the IP address defined on the 2nd pfSense machine for the LAN interface.

Important: when pfSense syncs the DHCP server settings from your 1st pfSense machine to your 2nd pfSense machine, the "Failover peer IP" field will be updated correctly to point to the 1st pfSense machine.

At the bottom of the page, click Save.

The configuration of your DHCP server has been modified.

For information, if you look at the DHCP configuration of your 2nd pfSense machine, you will see that the same fields have been updated there as well.
You will also notice that on this 2nd pfSense machine, the "Failover peer IP" field points to the 1st pfSense machine.

Tutorial based on the official Netgate example: High Availability Configuration Example | pfSense Documentation.

9. Verify and test the failover on pfSense

Now that your 2 pfSense machines are correctly configured to ensure high availability of their services, here is what you can check on pfSense.

9.1. Check CARP status

To get started, check the CARP status by going to: Status -> CARP (failover).

On your 1st pfSense machine, you will see that this pfSense machine acts as a "MASTER" for your 2 CARP virtual IP (VIP) addresses.

  • CARP Interface: [name of the pfSense interface concerned]@[group identifier (VHID) of the virtual IP].
    In our case: WAN@10 and LAN@1.
  • Virtual IP: the virtual IPv4 address previously defined for each interface (WAN / LAN).
  • Status: the status of this pfSense machine for this CARP virtual IP (VIP) address.
    The 1st pfSense machine acts as MASTER for these CARP virtual IP (VIP) addresses.

Notes:

  • if the status "DISABLED" appears, click on the "Enable CARP" button, then refresh the page.
  • if the status "INIT" appears, then there is a network connection problem between the interfaces concerned.
    For example, an unplugged network cable.

On your 2nd pfSense machine, you will see the same information.
However, this pfSense machine acts as a slave for these CARP virtual IP (VIP) addresses.
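
The same check can be scripted for monitoring by comparing the `carp:` lines that FreeBSD's `ifconfig` prints on each node, where BACKUP is the state name shown for the node this tutorial calls the slave. This is an added example, not part of the original tutorial: the interface names (em0/em1), the addresses and the sample output are constructed, and it assumes both nodes use the same interface names.

```python
import re

# Constructed `ifconfig` excerpts, not captured from a real system. Interface
# names (em0/em1) and addresses are assumptions; VHIDs 10 and 1 follow the page.
def sample(wan_state, lan_state):
    return (
        "em0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
        "\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255 vhid 10\n"
        f"\tcarp: {wan_state} vhid 10 advbase 1 advskew 0\n"
        "em1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
        "\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1\n"
        f"\tcarp: {lan_state} vhid 1 advbase 1 advskew 0\n"
    )

IFACE = re.compile(r"^(\S+): flags=")             # start of an interface block
CARP = re.compile(r"^\s+carp: (\w+) vhid (\d+)")  # CARP state line inside a block

def carp_states(ifconfig_text):
    """Return {(interface, vhid): state} parsed from ifconfig output."""
    states, iface = {}, None
    for line in ifconfig_text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif (m := CARP.match(line)) and iface:
            states[(iface, int(m.group(2)))] = m.group(1)
    return states

def check_pair(node1_text, node2_text):
    """Return a list of problems for the HA pair (empty list means healthy)."""
    a, b = carp_states(node1_text), carp_states(node2_text)
    problems = []
    # Each VIP must have exactly one MASTER and one BACKUP across the pair.
    # INIT, two MASTERs, two BACKUPs or a missing VIP are all reported.
    for key in sorted(set(a) | set(b)):
        pair = (a.get(key, "MISSING"), b.get(key, "MISSING"))
        if sorted(pair) != ["BACKUP", "MASTER"]:
            problems.append(f"{key[0]}@{key[1]}: node1={pair[0]} node2={pair[1]}")
    # A node that is MASTER on one interface and BACKUP on another has only
    # partially failed over, so traffic enters one firewall and leaves the other.
    for label, st in (("node1", a), ("node2", b)):
        if {"MASTER", "BACKUP"} <= set(st.values()):
            problems.append(f"{label}: MASTER for some VIPs, BACKUP for others")
    return problems

if __name__ == "__main__":
    print(check_pair(sample("MASTER", "MASTER"), sample("BACKUP", "BACKUP")))
    print(check_pair(sample("MASTER", "MASTER"), sample("BACKUP", "INIT")))
```

The names printed here use the operating-system device (for example `em1@1`), whereas the pfSense page shows the assigned interface name (`LAN@1`).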

9.2. Check state synchronization

To check the state synchronization status, go to: Status -> CARP (failover) again.

In the "pfSync Nodes" section of this page, you will see a list of identifiers.
If synchronization is working, the values will be the same (or almost the same) on the 2 pfSense machines.

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
