Hi! Thanks for the great video. I have been using pfSense for a long time (before that I used m0n0wall ;) ). After watching your video I plan to also make an HA setup for my pfSense. I just want to ask what you think about using two used HPE servers (HP ProLiant SE316M1 Server 2x Xeon X5650 Six Core 2.66 GHz, 16 GB DDR3 RAM, 2x 300 GB SAS 10K) + HP 2x10G SFP+. They are really cheap here in Europe (I am from Austria). Only about 250€ per server.
I don't know how much control you have over it, but suddenly UA-cam's ads are a serious flow disruption while watching your videos. Keeping track of 6 IPs on two firewalls isn't too bad until that second commercial for mattresses comes on. Any plans to start broadcasting on Rumble anytime soon? EDIT: Oh, and awesome videos - please do keep them coming! (I should have started with that).
I buy UA-cam Premium to avoid the ads, UA-cam controls the ad platform, and I don't have any plans at this time to move to any other platforms. Some further thoughts I have on the topic can be found here forums.lawrencesystems.com/t/will-you-join-odysee-com/9270
@@LAWRENCESYSTEMS Thanks. I had a read through the thread. I'm just seeing UA-cam turn some dark corners lately and wondering why we keep giving them money to abuse us. They're kind of the Microsoft of the video world. But yeah, we're all still here, aren't we? Me, I try Rumble first, then I come to UA-cam. You COULD be the biggest tech channel on Rumble.... ;-)
They all start out riding on some VC money, then once they get big (or if they ever make it that far) they fill the platform with the same amount of ads to keep the platform going, bringing us back to the same spot.
@@LAWRENCESYSTEMS Yeah, that's my fear for sure. When I saw that they went public, my first thought was "oh well, this won't last long". The world truly needs an "open source" (free speech and beer) concept to replace these big boys, but all of that bandwidth and storage isn't free. Tough challenge. For me, for now, the rule is to go with the least politically motivated company. Alphabet, like Microsoft, has become a global political actor with an agenda that doesn't sit well with me.
Thanks, Tom! For the last 10 years, I’ve been using a pair of Cisco 2911 routers in our HQ, using HSRP on the WAN & multiple VLANs, and BOTH routers configured to serve DHCP, but from different ends of the IP range, with explicit exceptions in each, preventing the routers from serving the other’s scope. It works because we were careful not to “cross the streams”, and the ARP side of the DHCP protocol prevents duplicate leases, in the normal manner. Recently, I’ve upgraded these solid, but clunky old elitist routers with a virtual pfSense, using a fantastically fast ESX server, with 10Gb NICs. I am enjoying the refreshing GUI and the fact that my colleagues are less likely to have a panic attack if I ask them to administer it!
Dude, you are like the #1 channel for everything I need or search for my pfSense
Great description, helped a lot getting things going. One error (or maybe no longer a requirement) is the /29 on the WAN side (or any interface with a CARP). In many of my builds I use /31 or /30 on the WAN side with HA. The IP addresses of the WAN interfaces do not need to be in the same network as your real internet IP, or publicly visible, just in the same subnet as each other. I tend to use a private IP on each interface (allows CARP multicast to do its stuff) and then a CARP with the public IP on this interface pair. Takes a bit of getting your head around when debugging... but works fine.
Can you explain more? So can you add RFC1819 addresses in the same subnet for the pfSense WAN and just use public ones as CARP VIPs? I have a /29 subnet but I want to use these addresses for different purposes and I cannot see any reason to keep them held unused by pfSense.
Had a problem with DNS following this guide. Connectivity stayed up while the primary gateway (virtualized) was rebooting along with the hypervisor that hosted it. Pings would work, but DNS still pointed to the primary gateway directly. The solution was to specify the CARP IP within the DHCP settings; you are doing a similar config with the gateway around the 19 minute mark. An alternative is to specify a public DNS, but I have a domain redirect to provide LAN computers direct access to the server having forwarded ports.
Another great video. Now I have two pfSense firewalls running on 2 separate instances of XCP-NG thanks to you. I still can't believe that this technology is so good AND it's open source. In practical terms, I'm just happy that I can now turn on an old computer, wait for the firewall to sync up and freely take my primary server down with only a half-second outage. WOW!!!! Thank you for putting out this great and easy to follow content.
The magic of 20-year-old tech, right?
Exactly what I want, I will have 2 XCP-ng servers as well
Great video Tom. Suggestion for part 2+: Eliminating more points of failure -- How to configure HA plus multi-WAN plus layer 2 redundancy.
...it's totally possible, check it out here...
ua-cam.com/video/sLfQRa4_rQA/v-deo.html
What would happen if the WAN connection failed on the master? Would pfSense fail over to the backup?
Thanks for your time and effort.
Kea DHCP does not have the failover option, what is the new way of doing that?
Awesome video Tom, I’m about to create my first High Avail. pfSense system.
Awesome video, I have been using pfSense for almost years, it is a powerful and easy tool to manage a network. However I am trying to use 2 pfSense in my LAN to serve DHCP and DNS across my net and subnets, but I am having a problem with DHCP and DNS integration with 2 pfSense: my DHCP on the slave is the master and I can't resolve DHCP machines with pfSense DNS
Does it support connection mirroring for HA failover?
Hi Tom Great video.
I started using pfSense after I saw a video of you talking about pfSense made some 4 years ago.
Thanks for sharing
Hi Tom, can you explain how you would set this up with two different ISP's? Would you need 3 IP's from each of them?
Yes
Where can I find instructions about solving the WAN/ISP CARP issues (ISP handling IP coming from two devices)? I have everything configured, HA status is good, but my gateway shows dropping traffic and I think it might be due to the CARP/ISP issue. Great instructions by the way!
Hi, thanks for all your videos. I want to do HA on two virtual pfSense with active and passive. Is it possible for the two devices to have the same IP address, for example 10.x.x.1?
And on the second pfSense, we must not turn on pfsync or it will be automatically configured
Hello, congratulations on your fantastic tutorial... have you tried running it with VLANs as well?
So real simple. Comcast has been unreliable so I signed up for AT&T. If Comcast goes out then I simply unplug that Cat 5 cable and plug in the AT&T and I'm up. Right? I know this is manual but sooo much easier. Am I missing anything?
Pls don’t confuse newbies with wrong terms:
“If the backup firewall does not have the states from the main firewall, then the ROUTES need to be rebuilt”.
No, big difference between states and routes.
The ROUTES are already there, it is the STATES that would need to be rebuilt if there is no state synchronization!
When you virtualize *anything* that uses multicast, like CARP (or HSRP/VRRP in Cisco or other routers), you HAVE to allow promiscuous mode on the interface(s) that do the sync/heartbeat!
Multicast is confusing to most non-networking people so it is usually where computer people fail when virtualizing.
Excuse me, I did something with your tutorial and it is working, but my CARP IP cannot be pinged and cannot ARP to the MAC address from the external and internal networks. Could you help explain this issue to me? Thank you in advance
So you'd need to create a virtual IP for each network you have?
Yes
Hello, I am testing pfSense HA on XCP-NG, but cannot ping the virtual IP on the XCP-NG private network. I know it is the virtual network card promiscuous mode problem, because when I enabled it on VirtualBox I could ping the VIP. I tried enabling it on the VIF on the private network, but no luck, can you help? Thanks
Thanks for all your great pfSense tutorials. They really helped me for university. Keep doing what you are doing 👍
@LAWRENCESYSTEMS Hello, thank you so much for the great tutorials. I'm in a bit of trouble, and I really wish you could help me. I'm basically trying to set up a multi-WAN HA cluster with 2 pfSense, but I can't find any detailed guide on how to do it. Would it be much more difficult and different to this?
This is my multiwan guide ua-cam.com/video/acDvlzmsnaE/v-deo.htmlsi=OuPNyiYuvjAw3ozN
@@LAWRENCESYSTEMS thank you for taking your time answering my question. I have a doubt: should I just follow the multi-WAN guide and add the steps for HA/CARP, in order to obtain a dual firewall dual WAN setup? Or do you have any best practice advice to make it better and simpler?
@@Sc0l4p4st4 Yes and there is not a simpler method.
Very good video, thank you!
But I couldn't stop thinking: how do you make the slave become master if, for example, your master dies and you have to make some modifications before the master comes up again? I have tried by putting XMLRPC on the slave, but when I boot the master again the sync overrides it... Any ideas?
Thanks!
You rebuild the master before you make changes, or take the system out of HA mode.
I got one PPPoE static IP, is it possible to use HA pfSense with this? There's a lot of conflicting information on this on the internet and I can’t find a concrete answer
Hello, great video too. Do you have an idea how to fix the state table size? pfSense is hitting almost 90% of my state table. Thank you
Great pfSense tutorial, it helps for a subject at university
Weird question. I am looking to create a HA sync with a single WAN connection that I can manually toggle between firewalls. Is this possible or will the ISP still mess things up?
As long as you have at least three public IP addresses
Awesome video Thank You. Is there a way to accomplish this using only 1 public IP? If so, do you have a step-by-step guide or video?
how to configure fail over on LAN interface?
Thank you, a very useful video!
Hi there, our ISP provides us a PPPoE connection with 8 static IPs, so once the connection is established, I can manage all 8 IPs as virtual IPs. So far so good, I have been doing this for years, but in your manual you explained I need a total of 3 WAN IPs. Would it be possible to use one of the 8 IPs I have for the backup machine and if so, how? If the master went offline, the WAN IP of the backup would be offline, too?!
Thank you so much for this!!
I recently tried to set this up in my lab but because my ISP uses PPPoE I couldn't get it working. Is there any way around that limitation?
Not that I know of, I think CARP is incompatible with it when PPPoE authentication is done by pfSense
PPPoE is a point-to-point connection (tunnel); your ISP provides a /32 IP address. On the WAN this is not possible.
You can with some scripting.
I’m doing this with Comcast residential.
Main issue is the WAN address on the backup firewall. Put a local IP Address on backup WAN and then use the rc.carpmaster and rc.carpbackup PHP scripts to trigger/run the shell scripts.
Great video. The pfSense failover works well, I get 4-6 packets of loss on device shutdown or failure. I did have to turn off some features to get this effect as the bootup was slow (no DNS resolver, IPv6 DHCP). However, when failing back to the master it drops all states and loses all connections. I have to restart all network traffic. Is there a way around this?
Note, I am running failover with IPsec running, using CARP VIPs for the WAN/LAN interfaces.
I followed step by step. Everything works fine, when pfsense1 goes down pfsense2 becomes master. However DNS resolution seems to not be working for some reason.
I have a VLAN forwarding DNS to my Windows DNS server. And another VLAN using unbound within pfSense. The issue is in both VLANs. I'm not sure what the issue is. Any idea what could be wrong?
Possibly you don't have DNS assigned to the CARP address.
@@LAWRENCESYSTEMS you set the gateway IP, which is right, but you forgot to set the DNS servers to the CARP IP, otherwise it returns the IP (master/backup) that's currently being requested by the client. You can verify this with "dhcpcd -o domain_name_servers -T"
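The failure mode in this thread (DNS keeps working only while the master is up because DHCP hands out the master's own address rather than the CARP VIP) can be audited from the firewall's config before a failover test. This is an added example, not pfSense's own tooling; the XML below is a constructed, trimmed config.xml-style fragment, and the element names (interfaces/<if>/ipaddr, virtualip/vip, dhcpd/<if>/gateway and dnsserver) plus the "blank means the interface's own address" default are assumptions based on pfSense's layout.

```python
"""Audit DHCP scopes on an HA pfSense node for gateway/DNS options that
point at the node itself (or are left blank) instead of the shared CARP VIP.

Added example, not pfSense code. Element names are assumptions modelled on
pfSense's config.xml; SAMPLE_CONFIG is a constructed fragment.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three LAN-side scopes on the *master* node.
#  - lan  : gateway and DNS both point at the CARP VIP  -> fine
#  - opt1 : DNS points at this node's own address       -> breaks on failover
#  - opt2 : gateway left blank (assumed to default to the interface address)
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet></wan>
    <lan><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><ipaddr>192.168.10.2</ipaddr><subnet>24</subnet></opt1>
    <opt2><ipaddr>192.168.20.2</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.4</subnet><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet><vhid>2</vhid></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>192.168.10.1</subnet><vhid>3</vhid></vip>
    <vip><mode>carp</mode><interface>opt2</interface><subnet>192.168.20.1</subnet><vhid>4</vhid></vip>
  </virtualip>
  <dhcpd>
    <lan><enable/><gateway>192.168.1.1</gateway><dnsserver>192.168.1.1</dnsserver></lan>
    <opt1><enable/><gateway>192.168.10.1</gateway><dnsserver>192.168.10.2</dnsserver></opt1>
    <opt2><enable/><dnsserver>9.9.9.9</dnsserver></opt2>
  </dhcpd>
</pfsense>"""


def parse_config(xml_text):
    """Return (node_addrs, carp_vips, dhcp_scopes) from a config fragment."""
    root = ET.fromstring(xml_text)
    node_addrs = {}  # interface -> this node's own static address
    for iface in root.find("interfaces"):
        ip = iface.findtext("ipaddr")
        if ip and ip not in ("dhcp", "pppoe"):  # skip dynamically addressed WANs
            node_addrs[iface.tag] = ip
    carp_vips = {}  # interface -> set of CARP VIP addresses on it
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "carp":
            carp_vips.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    scopes = {}  # interface -> {"gateway": str|None, "dnsserver": [str, ...]}
    for scope in root.find("dhcpd"):
        if scope.find("enable") is None:
            continue  # DHCP not enabled on this interface
        scopes[scope.tag] = {
            "gateway": scope.findtext("gateway") or None,
            "dnsserver": [e.text for e in scope.findall("dnsserver") if e.text],
        }
    return node_addrs, carp_vips, scopes


def check_ha_dhcp(node_addrs, carp_vips, scopes):
    """Return (interface, option, value, reason) for every option that will
    stop working for clients when this node loses CARP master."""
    findings = []
    own = set(node_addrs.values())
    for iface, scope in scopes.items():
        vips = carp_vips.get(iface, set())
        gw = scope["gateway"]
        if gw is None:  # assumption: blank defaults to the interface's own address
            findings.append((iface, "gateway", None,
                             "blank, defaults to node address %s" % node_addrs.get(iface)))
        elif gw in own:
            findings.append((iface, "gateway", gw, "is this node's address, not a CARP VIP"))
        elif gw not in vips:
            findings.append((iface, "gateway", gw, "not a CARP VIP on this interface"))
        if not scope["dnsserver"]:  # same default assumption as for the gateway
            findings.append((iface, "dnsserver", None,
                             "blank, defaults to node address %s" % node_addrs.get(iface)))
        for dns in scope["dnsserver"]:
            if dns in own:  # external or off-box resolvers (e.g. a Windows DNS) are fine
                findings.append((iface, "dnsserver", dns, "is this node's address, not a CARP VIP"))
    return findings


def suggest_fix(iface, node_addrs, carp_vips, scope):
    """Copy of the scope with blank/node-address options replaced by the
    interface's CARP VIP; None when the interface has no single VIP."""
    vips = sorted(carp_vips.get(iface, ()))
    if len(vips) != 1:
        return None  # zero or several VIPs: choose manually
    vip = vips[0]
    bad = set(node_addrs.values()) | {None}
    fixed = dict(scope)
    if scope["gateway"] in bad:
        fixed["gateway"] = vip
    fixed["dnsserver"] = [vip if d in bad else d for d in scope["dnsserver"]] or [vip]
    return fixed


if __name__ == "__main__":
    node, vips, scopes = parse_config(SAMPLE_CONFIG)
    for iface, option, value, reason in check_ha_dhcp(node, vips, scopes):
        print("%s %s=%s: %s -> suggest %s" % (
            iface, option, value, reason, suggest_fix(iface, node, vips, scopes[iface])))
```

Run the same check against the backup node's config too: the two nodes have different own addresses, so a value that is harmless on one can be the node address on the other.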
Great vid from a great channel. Thx for your vids man, very helpful!
Glad to help!
Thanks Tom... HA working!
how to set up the sync interface?
That is covered in the video
Both my boxes stay as master, what am I missing?
My guess is that the SYNC interfaces are not talking docs.netgate.com/pfsense/en/latest/recipes/high-availability.html
Crazy how this is almost like a legacy way of doing things in terms of sharing WAN IP addresses. On Palos or Junipers you can use a single /30. That’s it. But on old PIX and ASAs you needed multiple IPs on every interface.
Is there a way to use a WAN address via an old router, turn all firewall rules off, and then set the gateway on it to the 192.68.1.52 and feed pfsense1, and another router set to 53 to feed pfsense2? I am using Comcast and I get several WAN addresses from them via DHCP when in bridge mode. If this works could you then use a third router and do the same thing to be used for the WAN VIP? Or do these all have to be static IP addresses from my ISP? I would think that my idea should work with the up-front routers and they will be used just to send the internal IP address to each box exactly like you show, even using internal addresses like you show. That way you don't have to pay for static IP addresses. I set mine all up about a week ago and everything worked except I didn't have a static IP for my WAN VIP and I lost the internet, but the internal LAN worked. I am getting a couple of older Linksys WRT54G routers in this week and will try this unless you say it will not work. Otherwise GREAT WORK!!!
Thanks tom for, once again, an amazing video!
Wish this feature could work with PPPoE and DHCP based ISP WAN links. I have used Watchguard's proprietary FireCluster to solve this need for now. Works great, but it's one of those commercial products where you basically must keep the units on support plans to get any updates; even for known security issues in the old versions you only get patches under active support.
Hi Lawrence, I only have a single public IP, is it possible to configure HA pfSense?
You would lose the seamless failover without the shared CARP IP for WAN.
Do you have any advice on how to achieve an HA setup with a single public IP?
Or any suggestion, because i only have 1 isp with single ip.
Hi Tom, thanks for the video but I have 1 problem in the sync configuration. "A communications error occurred while attempting to call XMLRPC method host_firmware_version" - this error always pops up. Both servers are on the same pfSense version.
Not an error I have seen before.
WHAT IS JENN DOING WITH THE INTERNET!!?!?! another amazing video
Ok Tom... Let's do it. An HA Proxmox Cluster with dedicated Corosync network that virtualizes HA Pfsense with dual WAN ..... AND a nice fat baremetal TrueNAS machine for shared VM storage.
I've been working out the details for a while and it could be a few weeks worth of content. This would be the perfect setup after installing highly available windows server instances. If proxmox migrates your Windows Server within the cluster, do you need a license for ALL the potential cores it might run on.... or just the number of simultaneously running?
I use XCP-NG for HA Hypervisor ua-cam.com/video/jvhUY81pBw0/v-deo.html and the per core license is for the cores assigned to the VM, not the hypervisor.
Question:
You indicate that you need 3 WAN IPs for a failover/HA - 2 actual + 1 floating/shared IP.
What if I were using, say, 2 static/public IPs for different services (Ex. VPN, streaming server) which get redirected inbound, and wanted to do a failover/HA configuration.
Under this scheme, would I now need 2x public for each, plus one floating (total of 5 IPs) ; or 2 floating/shared, plus two each for the pfSense systems, or would it require a group of 3 IPs for each public/static IP I would otherwise be using?
In other words, can you give an example of how to use multiple static IPs in use in such an HA scenario?
You just add them as virtual CARP VIPs. You don't need three more
@@LAWRENCESYSTEMS So it is just 2 extra IPs required (for the 2 physical boxes) no matter how many statics are needed, and the additional are just added as virtual CARP VIPs. Nice.
It is interesting I was thinking that the shared was the extra, when it is the physicals that are the extras needed. Easy to scale from there with that understanding.
Is it possible to run HA between 3 PF nodes?
Never tried
What is your opinion on using root dns servers and resolving vs not.
I like when they resolve
thanks broski 💪
Hi Tom! We just bought a set of XG-7100 HA and I'm wondering about the build quality. Can you confirm that some sharp edges of the case are usual or normal? I find this strange because of the very high price point in my opinion... One of the firewalls has a slight bend in the front plate too, right on the 8 ethernet ports the black plate is bent to the outside a little bit.
I don't recall the edges being that sharp, and the vent does sound like a shipping issue. Give their sales team a call; we've never had a problem with them.
@@LAWRENCESYSTEMS thanks for the insanely quick reply! I will do that after my vacation, just to be sure about the front plate. Well, the edges had some metal abrasion, probably from filing it or something, that shouldn't be normal. It just feels like I should be careful to not cut myself. Front plate/vent is OK, but there are some semi-sharp spots too.
Anyway, still a better choice than our earlier approach, the Sophos solution for almost the same money including licenses (+ 3k € every 3 years for the main network+web licenses).
By the way, great video, I can't wait to get my hands into that. Keep up the good work!
Hi! Can you please do a video on VPN pass-through on a pfSense router for Amazon Prime? I can't find a comprehensive guide for this. I have clients that pass through the VPN (PIA) to the WAN port, however I have a device I wish to have on the VPN and also use Prime.
I've looked all over and the Netgate forums aren't very helpful when it comes to this.
I do this on my firewall: my TV has Amazon Prime running on it, and if Amazon detects a VPN it blocks it. This is done on the LAN: single out the IP address of the client and NAT to the WAN IP rather than the VPN/PIA IP.
@m3l3t15 I need to figure out how to do that. I know how to bypass the client, but finding the IP is a little more challenging for me.
@edwardnizza9620 Whose IP? This is very straightforward. Your clients that want to run Amazon Prime Video are within your LAN. Set them up with static IP addresses, go to your NAT rules, outbound NAT, and create additional entries, one per client IP, that say: from source "specific client IP" to destination all, NAT to interface PPPoE/WAN or whatever you call the actual interface; it is different from the PIA/OVPN interface.
That's it.
Your NAT outbound per host rule must be before your generic network rule.
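As an added example (not code from the video or from any commenter), the following Python models pfSense's first-match outbound NAT evaluation to show why the per-host WAN rule must sit above the generic VPN rule, and flags a rule that has been shadowed by misordering; the interface names, addresses and rule layout are assumptions.

```python
"""Added example: first-match model of pfSense outbound NAT ordering.
Interface names, addresses and the rule objects are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OutboundNatRule:
    source: str         # CIDR the rule matches on
    destination: str    # CIDR; "0.0.0.0/0" means any destination
    nat_interface: str  # interface whose address becomes the new source


def select_nat_interface(rules, src_ip, dst_ip):
    """Return the NAT interface chosen for a flow (first matching rule wins).
    Returns None if nothing matches, i.e. the packet would leave un-NATed."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in ip_network(rule.source) and dst in ip_network(rule.destination):
            return rule.nat_interface
    return None


def shadowed_rules(rules):
    """Flag rules that can never match because an earlier rule already
    covers a superset of their source and destination."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.source).subnet_of(ip_network(earlier.source))
                    and ip_network(later.destination).subnet_of(ip_network(earlier.destination))):
                shadowed.append(later)
                break
    return shadowed


# Constructed ruleset: the whole LAN goes out the PIA OpenVPN interface,
# but one TV with a static lease (192.168.1.50) must go out the real WAN.
GENERIC_VPN_RULE = OutboundNatRule("192.168.1.0/24", "0.0.0.0/0", "OVPN_PIA")
TV_BYPASS_RULE = OutboundNatRule("192.168.1.50/32", "0.0.0.0/0", "WAN")

CORRECT_ORDER = [TV_BYPASS_RULE, GENERIC_VPN_RULE]  # per-host rule first
WRONG_ORDER = [GENERIC_VPN_RULE, TV_BYPASS_RULE]    # per-host rule shadowed


def demo(order):
    """Resolve the TV and a laptop against a rule order (203.0.113.10 is a
    constructed destination from the documentation range)."""
    return {
        "tv": select_nat_interface(order, "192.168.1.50", "203.0.113.10"),
        "laptop": select_nat_interface(order, "192.168.1.20", "203.0.113.10"),
    }


if __name__ == "__main__":
    print("correct order:", demo(CORRECT_ORDER), "shadowed:", shadowed_rules(CORRECT_ORDER))
    print("wrong order:  ", demo(WRONG_ORDER), "shadowed:", shadowed_rules(WRONG_ORDER))
```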
@m3l3t15 I misunderstood you before. Apologies. I meant a way to find Amazon's IP. I can find my client's IP by looking at the DHCP leases.
But I'm looking into another idea. If I bought an access point, and had 2 separate SSIDs with 2 different subnets using VLANs, is it possible to route one subnet through the WAN and the other through the VPN? This way I could just change networks through my device.
Hi! Thanks for the great video. I have been using pfSense for a long time (before that I used m0n0wall ;) ). After watching your video I also plan to make an HA setup for my pfSense. I just want to ask what you think about using two used HPE servers (HP ProLiant SE316M1 Server, 2x Xeon X5650 Six Core 2.66 GHz, 16 GB DDR3 RAM, 2x 300 GB SAS 10K) + HP 2x10G SFP+. They are really cheap here in Europe (I am from Austria). Only about 250€ per server.
I don't know how much control you have over it, but suddenly UA-cam's ads are a serious flow disruption while watching your videos. Keeping track of 6 IPs on two firewalls isn't too bad until that second commercial for mattresses comes on. Any plans to start broadcasting on Rumble anytime soon?
EDIT: Oh, and awesome videos - please do keep them coming! (I should have started with that).
I buy UA-cam Premium to avoid the ads, UA-cam controls the ad platform, and I don't have any plans at this time to move to any other platforms. Some further thoughts I have on the topic can be found here forums.lawrencesystems.com/t/will-you-join-odysee-com/9270
@LAWRENCESYSTEMS Thanks. I had a read through the thread. I'm just seeing UA-cam turn some dark corners lately and wondering why we keep giving them money to abuse us. They're kind of the Microsoft of the video world. But yeah, we're all still here, aren't we? Me, I try Rumble first, then I come to UA-cam. You COULD be the biggest tech channel on Rumble.... ;-)
They all start out riding on some VC money, then once they get big (or if they ever make it that far) they fill the platform with the same amount of ads to keep the platform going, bringing us back to the same spot.
@LAWRENCESYSTEMS Yeah, that's my fear for sure. When I saw that they went public, my first thought was "oh well, this won't last long". The world truly needs an "open source" (free speech and beer) concept to replace these big boys, but all of that bandwidth and storage isn't free. Tough challenge.
For me, for now, the rule is to go with the least politically motivated company. Alphabet, like Microsoft, has become a global political actor with an agenda that doesn't sit well with me.
Excellent video as usual. I'm hoping you could do a tutorial on HAProxy.
I would like a video about this too, but I have been using the Nginx Letsencrypt Docker image for my reverse proxy; I could never get HAProxy working.
You might have lost packets because you forgot to set up pfsync on the secondary.