SlideShare a Scribd company logo
High Availability
Using CARP, XMLRPC, and pfsync
On pfSense 2.3/2.4
March 2017 Hangout
Jim Pingle
Project News
● pfSense 2.3.3-p1 is out!
– A few beneficial improvements, security updates (OpenSSL, cURL)
– https://www.netgate.com/blog/pfsense-2-3-3-p1-release-now-available.html
● pfSense Blog moved to Netgate:
– https://www.netgate.com/blog/
– Primary reason was so we could get rid of WordPress, due to security concerns
– Now uses a static site generated by Jekyll
● Coreboot (“BIOS”) upgrade for many SG-device owners (2220, 2440, 4860, 8860, XG-2758)
– If you purchased one of these devices, you should have received an e-mail about the update
– Workaround for Intel C2000 Errata AVR.58
● Disables SERIRQ to prevent indeterminate interrupt behavior for systems that do not have external pull up resistor on SERIRQ PIN.
– A package is now available to handle it automatically (install via System > Package Manager)
● Training in Europe – https://netgate.com/training/
– Will include a preview of our upcoming remote device management platform
– Paris, FR - 21-22 Sep, 2017
– London, UK - 27-28 Sep, 2017
– Frankfurt, DE - 4-5 Oct, 2017
– Saint Petersburg, RU - 11-12 Oct, 2017
● Documentation for Let’s Encrypt ACME package
– https://doc.pfsense.org/index.php/ACME_package
About this Hangout
● Components of a High Availability Cluster
● Prerequisites
● Configuration of a cluster from default config
● Testing
● Troubleshooting
● Upgrading
Cluster Overview
Internet
WAN Switch
LAN Switch
Sync Interface
WAN
198.51.100.201
2001:db8::201
WAN
198.51.100.202
2001:db8::202
Shared WAN CARP IP
198.51.100.200
2001:db8::200
LAN
192.168.1.2
2001:db8:1::2
LAN
192.168.1.3
2001:db8:1::3
Shared LAN CARP IP
192.168.1.1
2001:db8:1::1
172.16.1.2
2001:db8:1:1::2
172.16.1.3
2001:db8:1:1::3
Primary Secondary
Internet
WAN Switch
LAN Switch
WAN HA IP Address
198.51.100.200
2001:db8::200
LAN HA IP Address
192.168.1.1
2001:db8:1::1
Cluster
Actual Layout Logical Layout
HA Components
● Logically, the two nodes become a single unit
from the perspective of the network
● IP Address Redundancy (CARP)
– Traffic to/from cluster should use VIP addresses
● Configuration Sync (XMLRPC)
– Keeps the node configurations similar
● State Sync (pfsync)
– Shares state information between all nodes
IP Address Redundancy (CARP)
●
CARP VIPs are shared between cluster nodes
●
Works similar to VRRP, can conflict with VRRP/HSRP
●
Heartbeats transmitted on all interfaces containing CARP VIPs (NOT SYNC IF!)
– Approx. 1 per second (base) + fraction (1/256th) of a sec (skew)
– If a secondary node stops receiving heartbeats or they are too slow, it will take over as master
– Skew adds time/slowness, secondary must use a higher skew (e.g. 100) than the primary (e.g. 0)
– Active/Passive only, no Active/Active
●
Traffic to cluster must route to CARP VIP address(es)
– Routed inbound traffic, VPNs, port forwards, local gateway, DNS
– Exceptions
●
Only access firewall GUI/SSH by interface IP addresses, not VIP!
●
Monitoring systems can check each node individually
●
Traffic from cluster should originate from CARP VIPs
– Outbound NAT, VPNs
●
If an interface containing a VIP loses link, that node will automatically demote itself due to the
problem (temporarily adds 240 to the skew)
●
On pfSense, preemptive failover is enabled by default so if an interface triggers a demotion, all
VIPs are demoted to trigger a complete failover
Configuration Sync (XMLRPC)
● Communicates via the Sync interface
● Copies some settings from primary to secondary on
save
● Does not sync interfaces or System > Advanced,
System > General, or most packages.
● Will sync rules, NAT, aliases, VPNs, many other
areas
● Not strictly required for HA, but makes the job much
easier
State Sync (pfsync)
● Communicates via the Sync interface
● State inserts, deletes, and updates exchanged between nodes
● State table on both nodes should be identical (or nearly so)
● If-bound states mean physical interface assignments must be identical
(or LAGGs to mask differences)
● When primary fails, connections continue to flow through secondary
since the state is already present
● Requires use of CARP VIPs with NAT, no traffic direct to/from node
● HA can work without it, but connections will be disrupted during
failover
● Not currently compatible with Limiters
Assumptions
● Two firewalls running pfSense software
– Could use more, but that isn't covered here and does not offer a
significant advantage
● Firewalls are at (or near) a default configuration
– Conversion to HA from an existing install is possible, but can be
tricky. See the July 2016 hangout for details
● Firewalls have identical interfaces assigned in identical order
● Firewalls have a non-conflicting configuration
– Different IP addresses in the same networks
– DHCP off on secondary until it is properly configured for HA
Pick a Sync Interface
● One interface will interconnect between units for XMLRPC and
pfsync traffic
● Name it the “Sync” interface
● Do not name it a “CARP interface”, no CARP/heartbeat traffic on it,
it does not factor into failover directly!
● Can consume a significant amount of bandwidth for state
synchronization, especially in environments with lots of state churn
● Technically optional but highly recommended
– If no physical interface is available, use a VLAN
– If no VLAN is possible, it could share a secure internal interface, but that
can still be dangerous/insecure
● pfsync has no authentication, any device on the segment could insert state data
Interface Assignments
● Nodes must have the same number of interfaces and they must be
assigned in identical order.
● The order of interfaces on Interfaces > Assignments must be
identical!
● For state synchronization to work, interfaces must be the same type
as well (e.g. igbX, emX, etc)
– If that is not possible, interfaces could be added to LAGG instances so the
assigned interfaces can match (e.g. lagg0 on both, rather than igb0 and em0)
● If the interface order does not match…
– Areas such as firewall rules will appear to sync to the “wrong” interface on
other nodes
– Rules or other settings might “disappear” or otherwise break/misbehave
(really ending up on the wrong interface)
IP Address Requirements
●
CARP requires a static IP address WAN for full functionality
– DHCP or PPPoE WAN may work in some cases, but not seamless failover
– For IPv6, static addressing is a hard requirement; DHCPv6 is not feasible
●
Ideally, three IP addresses per subnet per address family (except Sync)
– One IP address of each family type per node (e.g. one IPv4, one IPv6), plus at least one CARP VIP or each family
for each interface
– Each WAN should be a /29 or larger for IPv4, a standard IPv6 /64 is sufficient, but no smaller than 126
– Sync interface has no CARP and thus does not need an additional IP address, can be IPv4 only
●
Single IPv4 address CARP is possible but not generally recommended
– For WANs, it means only the active master may communicate out for gateway monitoring, updates, package
installs, etc.
●
OK for secondary or additional WANs so long as the firewalls do not need to reach outbound individually on that circuit
● If only an IPv4 /30 is possible on WAN, feel free to use it (with the above caveats)
– LANs generally do not have IP address shortages so it can work there, but could break DHCP failover
● All nodes MUST connect to the all WANs identically, it is not feasible to have the primary on one ISP
and the secondary on a different ISP
– See the July 2016 hangout for Multi-WAN HA
●
Reminder: IPv6 clusters must have separate routed subnets for each interface
– Local subnets can all be under one larger subnet (e.g. LAN, DMZ, etc all under a /60 routed in via WAN)
Check VHID/VRID Usage
● CARP/VRRP/HSRP use similar mechanisms
● MAC address of CARP VIP is determined by VHID
– 00:00:5e:00:01:<VHID in hex>
– See
https://docs.google.com/spreadsheets/d/17CqR6iAAXHXfU0h4uatzuY0w7k0ijy22dES6
joLdTL0/edit?usp=sharing
● Overlapping IDs will cause MAC conflicts among other issues
● To find if any are in use...
– Diag > Packet Capture, set Protocol to CARP
– Capture for several seconds minimum
– If any packets are observed, check VHID/VRID (may need to load capture in
Wireshark)
– Note the used ID(s) and avoid using them with CARP VIPs
Basic Setup Pre-requisites
●
Give each node a unique hostname
– Ex: fw-a/fw-b, fw-pri/fw-sec, fw-1/fw-2
●
Adjust IP addresses on each node so they do not directly conflict
– Ex: Primary LAN to 192.168.1.2, Secondary to .3
●
DHCP Must be disabled on the secondary until it is configured for HA
●
GUI must be running same protocol and port on both nodes
– Ex: HTTPS on port 443
●
The sync account (e.g. admin) cannot be disabled and must have the same password on
both nodes
– On 2.4, any user can be used for synchronization, provided it has the “System - HA node sync”
privilege
●
Both nodes must have a static IP address WAN configured in the same WAN subnet with a
proper gateway and so on
●
Both nodes must have DNS configured properly either using the DNS Resolver with
forwarding disabled, or by having DNS servers set under System > General Setup
Switch Setup
●
CARP uses multicast, so the switch cannot block, filter, limit, or otherwise
interfere with multicast
– IGMP snooping on some switches can conflict and may need to be disabled
● Nearly all CARP status problems, such as dual master scenarios, are due to
switch or other layer 2 issues
● The switch must, at least:
– Allow Multicast traffic to be sent and received by the firewall without interference on
ports using CARP VIPs.
– Allow traffic to be sent and received by the firewall using multiple MAC addresses
– Allow the CARP VIP MAC address to move between ports
●
Virtual/Hypervisor switches often have issues with one or more of the above
and require adjustments such as enabling Promiscuous Mode, Forged
Transmits, and allowing MAC address changes
Configuration!
● Reminder: Keep secondary disconnected from any network until it has a basic
non-conflicting interface configuration
– Otherwise it could cause problems with DHCP, IP address conflicts, etc.
● Setup Sync interface
● Configure pfsync
● Configure XMLRPC
● Add CARP VIPs
● Setup Manual Outbound NAT
● Setup DHCP
● Setup DHCPv6 / Router Advertisements
● VPNs, other services
● Adding more Interfaces
Setup Sync Interface
● Interface config
– Enable the interface, name it Sync
– Set for a static IPv4 address in the chosen sync subnet
● Ex: Primary as 172.16.1.2/24, secondary as .3
– IPv6 is optional here, can be used for XMLRPC sync
– Do not check Block Private Networks or Bogons
● Add firewall rules for sync
– On Primary:
● Add rule to pass TCP/443 to on the Sync address for GUI
● Add rule to pass pfsync from Sync net to any.
● Optionally add a rule to pass ICMP echoreq to/from Sync net
– On Secondary:
● Add rule to pass any protocol from Sync net to any
● Rule is different so it's obvious when it has been replaced by XMLRPC sync!
Configure pfsync
● Enable on BOTH nodes!
● Navigate to System > High Avail Sync
● State Synchronization Settings (pfsync) section
● Check Synchronize States
● Set Synchronize Interface to Sync
● Set the pfsync Synchronize Peer IP to the IP address of the other
node
– Ex: On the Primary, enter the IP address of the secondary, 172.16.1.3, and
vice versa.
– Technically this setting is optional. Without it set, state sync is sent via
multicast rather than unicast. With only two nodes, unicast is more reliable
● Click Save
Configure XMLRPC
● Enable only on the Primary node!
● Navigate to System > High Avail Sync
● Configuration Synchronization Settings (XMLRPC Sync) section
● Set Synchronize Config to IP to the Sync interface IP address on the secondary node
(e.g. 172.16.1.3)
● Set Remote System Username to admin
– On 2.4+, any user will work so long as they are admin or have the “System - HA node sync” privilege
● Note that this account MUST exist on the secondary for sync to function! It is easier to use admin for now and
change it after.
– On 2.3.x and earlier, admin is the only user that will work
● Set Remote System Password to the sync account password
● Check the boxes for each area to synchronize
● Click Save
● On the secondary, check and see if the rule changes on the Sync interface carried over
● From here on, do not make any changes on the secondary in an area that will sync!
Add CARP VIPs
● Navigate to Firewall > Virtual IPs on Primary node
● Add a CARP type VIP for each interface except Sync
● Skew on primary should be 0/1, secondary will end up higher via XMLRPC sync which adjusts the skew
when copying
● Example:
– WAN CARP VIP 198.51.100.200/24, VHID Group 200, random password/confirm, Base=1, Skew=0
– LAN CARP VIP 192.168.1.1/24, VHID=1, random password/confirm, Base=1, Skew=0
– Subnet mask must match the interface subnet!
● If a VIP is sensitive to latency (e.g. Secondary is in another building), try moving Base up by 1 until stability
is achieved
● Check Status > CARP
– If CARP shows disabled on either node, enable it
– Primary should show MASTER, Secondary BACKUP
● Repeat for more VIPs as needed
● If there will be many VIPs in a single interface + subnet, use IP alias VIPs w/CARP VIP as their parent
interface
– Reduces CARP advertisements, and they switch as a group instead of individually
●
Do NOT add CARP VIPs to interfaces that will be down/disabled! This will cause the firewall to demote
itself, believing it has a problem.
Setup NAT
●
Navigate to Firewall > NAT, Outbound tab on Primary node
●
Change Mode to Manual or Hybrid
●
In hybrid mode:
– Add new rules to translate from LAN(s) source
– Set the Translation to the CARP WAN VIP
●
In manual mode:
– Edit each rule for a local interface (e.g. LAN)
– Set the Translation to the CARP WAN VIP
●
DO NOT SET A SOURCE OF “ANY” on the NAT rules!
●
An RFC1918 alias helps here for source (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)
●
After adding/editing all rules, click Apply Changes
●
If/when additional interfaces are added in the future, rules must be added manually!
●
Add port forwards, 1:1 NAT if needed. May need more WAN VIPs if using multiple IP
addresses
Setup DHCP (IPv4)
● Navigate to Services > DHCP Server, LAN tab on Primary
● Set DNS Server to the LAN CARP VIP
● Set Gateway to the LAN CARP VIP
● Set the Failover Peer IP to the actual LAN IP address of the
secondary node, e.g. 192.168.1.3
● Click Save
● Repeat for additional local interfaces if necessary
● Gateway must be the CARP VIP, DNS if using the firewall for DNS
also
● Navigate to Status > DHCP Leases, check pool status, should be
“normal”/”normal”
Setup DHCPv6 / RA
● DHCPv6 has no concept of failover, so setup is tricky
– DHCPv6 & RA settings will not sync due to this
– There is no formal spec/RFC yet, only a draft with no implementation
● Navigate to Services > DHCPv6 Server & RA on Primary node
● Two main options:
– Set RA to Unmanaged (SLAAC) and let clients determine their own addresses
– Set RA to Managed + DHCPv6 independently using separate local pools
● e.g. Pri: x:x:x:x::1:0000-x:x:x:x::1:FFFF / Sec: x:x:x:x::2:0000-x:x:x:x::2:FFFF
● Gateway is handled by router advertisements, two choices there as well
– On both, bind to CARP VIP, use Normal router priority
● radvd will start/stop with CARP status (preferred method)
– Bind to LAN, set primary to High priority, set secondary to Low
● Set DNS to LAN CARP VIP in RA and DHCPv6 (if used)
VPNs, Additional Interfaces
● If the firewalls are using the default DNS (DNS Resolver, Unbound) you must visit Services > DNS
Resolver and press Save at least once, otherwise local clients cannot use the CARP VIP for DNS
resolution.
● For VPNs and other local services, if they require binding to only one IP address, set the Interface to a
CARP VIP (e.g. IPsec, OpenVPN)
● Support in packages varies but some have support for CARP VIPs, XMLRPC, or CARP status detection
● ACME package
– Install it only on the primary
– Make a cert with SAN entries for both hosts individually and the CARP VIP all in a single cert
– Cert will sync to secondary automatically via XMLRPC since certificates already sync
● When adding a new local interface:
– Assign the interface on both nodes identically
– Enable the interface on both nodes, using different IP addresses within the same subnet
– Add a CARP VIP inside the new subnet (Primary node only)
– Add firewall rules (Primary node only)
– Add Manual Outbound NAT for a source of the new subnet, utilizing the CARP VIP for translation (Primary node
only)
– Configure the DHCP/DHCPv6/RA server for the new subnet, utilizing the CARP VIP for DNS and Gateway roles
(Optional, Primary node only)
Testing
● Verify that a client on the LAN can pass through the cluster (ping / browse to Internet host)
● Verify XMLRPC by checking if a setting syncs, and via Status > Filter Reload, Force Config
Sync
●
Verify CARP by checking Status > CARP
– If any VIPs show as INIT, then an interface is down. Fix the interface or remove the VIP.
– Don’t be tempted by the “Reset Demotion Factor” button, it’s not a permanent fix.
●
Verify state sync by checking pfsync nodes on Status > CARP and contents of Diag > States
● Testing Failover:
– Status > CARP, enter maintenance mode or disable CARP on primary
– Check status on secondary, should now be MASTER
– Test LAN client connectivity, DHCP, etc
– Enable CARP on Primary
– Retest connectivity
● Downloading a file, streaming audio, or streaming video will most likely continue uninterrupted.
VoIP-based phone calls may have a slight disruption as they are not buffered like the others.
Troubleshooting
● Review the config
● Check CARP status, if VIP is INIT, check interface link, edit/save/apply VIP
● Check for conflicting VHIDs
● Check subnet mask on CARP VIPs
● Switch/L2 issues
– Ensure boxes are on the correct switch/VLAN/L2
– Try to ping between the nodes on the affected interface
– Ensure switches are properly trunking, if applicable
– Try another switch (especially if using a modem/CPE switch)
– Disable IGMP snooping, broadcast/multicast storm control, etc.
– For vswitches, check promiscuous mode, forged transmits, MAC changes
● Check system logs, firewall logs, notices
Upgrading
●
Review changelog/blog/upgrade guide
– https://doc.pfsense.org/index.php/Upgrade_Guide
– https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide
●
Take a backup
– Cannot stress this enough
● If the cluster is running an older (2.2.x or before) version, disable XMLRPC on primary
●
Upgrade secondary
● Check secondary
– Check logs, status pages, and so on to ensure everything looks OK
●
Switch CARP to maintenance mode on primary (sticks across reboots)
● Test secondary, ensure proper connectivity and service function
– If something fails, simply switch out of maintenance mode on the primary then repair the secondary
●
Upgrade primary
● Exit maintenance mode on primary
● Test again
●
If XMLRPC was disabled, enable it again, then test sync
Conclusion
● July 2016 hangout in the archive has some
advanced HA topics:
– Multi-WAN with HA
– Converting an existing single firewall to HA cluster
● For IPv6 basics, see the July 2015 hangout
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc

More Related Content

What's hot

Nfs
NfsNfs
OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC Flower
Netronome
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with Pacemaker
Kris Buytaert
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Netgate
 
A crash course in CRUSH
A crash course in CRUSHA crash course in CRUSH
A crash course in CRUSH
Sage Weil
 
VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1
Sanjeev Kumar
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Vietnam Open Infrastructure User Group
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
Knoldus Inc.
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
Netgate
 
nl80211 and libnl
nl80211 and libnlnl80211 and libnl
nl80211 and libnl
awkman
 
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
OpenStack
 
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
xKinAnx
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Netgate
 
05.2 virtio introduction
05.2 virtio introduction05.2 virtio introduction
05.2 virtio introduction
zenixls2
 
OpenStack概要 ~仮想ネットワーク~
OpenStack概要 ~仮想ネットワーク~OpenStack概要 ~仮想ネットワーク~
OpenStack概要 ~仮想ネットワーク~
Masaya Aoyama
 
Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)
Marco Pas
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
The Linux Foundation
 
OpenNebula Networking - Rubén S. Montero
OpenNebula Networking - Rubén S. MonteroOpenNebula Networking - Rubén S. Montero
OpenNebula Networking - Rubén S. Montero
OpenNebula Project
 

What's hot (20)

Nfs
NfsNfs
Nfs
 
OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC Flower
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Linux-HA with Pacemaker
Linux-HA with PacemakerLinux-HA with Pacemaker
Linux-HA with Pacemaker
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
 
A crash course in CRUSH
A crash course in CRUSHA crash course in CRUSH
A crash course in CRUSH
 
VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1VMware vSphere 6.0 - Troubleshooting Training - Day 1
VMware vSphere 6.0 - Troubleshooting Training - Day 1
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
 
nl80211 and libnl
nl80211 and libnlnl80211 and libnl
nl80211 and libnl
 
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...
 
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
05.2 virtio introduction
05.2 virtio introduction05.2 virtio introduction
05.2 virtio introduction
 
OpenStack概要 ~仮想ネットワーク~
OpenStack概要 ~仮想ネットワーク~OpenStack概要 ~仮想ネットワーク~
OpenStack概要 ~仮想ネットワーク~
 
Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
 
OpenNebula Networking - Rubén S. Montero
OpenNebula Networking - Rubén S. MonteroOpenNebula Networking - Rubén S. Montero
OpenNebula Networking - Rubén S. Montero
 

Similar to High Availability on pfSense 2.4 - pfSense Hangout March 2017

Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Netgate
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
Netgate
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014
Netgate
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
Netgate
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
Netgate
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Netgate
 
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Netgate
 
There and back again
There and back againThere and back again
There and back again
Jon Spriggs
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
Netgate
 
Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014
Netgate
 
At8000 s configurando trunking
At8000 s configurando trunkingAt8000 s configurando trunking
At8000 s configurando trunking
NetPlus
 
Alix to APU Conversion - pfSense Hangout October 2014
Alix to APU Conversion - pfSense Hangout October 2014Alix to APU Conversion - pfSense Hangout October 2014
Alix to APU Conversion - pfSense Hangout October 2014
Netgate
 
ASA Failover
ASA FailoverASA Failover
ASA Failover
NetProtocol Xpert
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
Netgate
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Netgate
 
Networking Fundamentals
Networking FundamentalsNetworking Fundamentals
Networking Fundamentals
Gayathri Kesavan
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorial
equinonesr
 
OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
Netgate
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Netgate
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Netgate
 

Similar to High Availability on pfSense 2.4 - pfSense Hangout March 2017 (20)

Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
 
There and back again
There and back againThere and back again
There and back again
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014
 
At8000 s configurando trunking
At8000 s configurando trunkingAt8000 s configurando trunking
At8000 s configurando trunking
 
Alix to APU Conversion - pfSense Hangout October 2014
Alix to APU Conversion - pfSense Hangout October 2014Alix to APU Conversion - pfSense Hangout October 2014
Alix to APU Conversion - pfSense Hangout October 2014
 
ASA Failover
ASA FailoverASA Failover
ASA Failover
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
 
Networking Fundamentals
Networking FundamentalsNetworking Fundamentals
Networking Fundamentals
 
66 pfsense tutorial
66 pfsense tutorial66 pfsense tutorial
66 pfsense tutorial
 
OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 

More from Netgate

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Netgate
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
Netgate
 
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
Netgate
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
Netgate
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Netgate
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
Netgate
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
Netgate
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Netgate
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
Netgate
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
Netgate
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Netgate
 

More from Netgate (12)

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
 
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 

Recently uploaded

Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 

Recently uploaded (20)

Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 

High Availability on pfSense 2.4 - pfSense Hangout March 2017

  • 1. High Availability Using CARP, XMLRPC, and pfsync On pfSense 2.3/2.4 March 2017 Hangout Jim Pingle
  • 2. Project News ● pfSense 2.3.3-p1 is out! – A few beneficial improvements, security updates (OpenSSL, cURL) – https://www.netgate.com/blog/pfsense-2-3-3-p1-release-now-available.html ● pfSense Blog moved to Netgate: – https://www.netgate.com/blog/ – Primary reason was so we could get rid of WordPress, due to security concerns – Now uses a static site generated by Jekyll ● Coreboot (“BIOS”) upgrade for many SG-device owners (2220, 2440, 4860, 8860, XG-2758) – If you purchased one of these devices, you should have received an e-mail about the update – Workaround for Intel C2000 Errata AVR.58 ● Disables SERIRQ to prevent indeterminate interrupt behavior for systems that do not have external pull up resistor on SERIRQ PIN. – A package is now available to handle it automatically (install via System > Package Manager) ● Training in Europe – https://netgate.com/training/ – Will include a preview of our upcoming remote device management platform – Paris, FR - 21-22 Sep, 2017 – London, UK - 27-28 Sep, 2017 – Frankfurt, DE - 4-5 Oct, 2017 – Saint Petersburg, RU - 11-12 Oct, 2017 ● Documentation for Let’s Encrypt ACME package – https://doc.pfsense.org/index.php/ACME_package
  • 3. About this Hangout ● Components of a High Availability Cluster ● Prerequisites ● Configuration of a cluster from default config ● Testing ● Troubleshooting ● Upgrading
  • 4. Cluster Overview Internet WAN Switch LAN Switch Sync Interface WAN 198.51.100.201 2001:db8::201 WAN 198.51.100.202 2001:db8::202 Shared WAN CARP IP 198.51.100.200 2001:db8::200 LAN 192.168.1.2 2001:db8:1::2 LAN 192.168.1.3 2001:db8:1::3 Shared LAN CARP IP 192.168.1.1 2001:db8:1::1 172.16.1.2 2001:db8:1:1::2 172.16.1.3 2001:db8:1:1::3 Primary Secondary Internet WAN Switch LAN Switch WAN HA IP Address 198.51.100.200 2001:db8::200 LAN HA IP Address 192.168.1.1 2001:db8:1::1 Cluster Actual Layout Logical Layout
  • 5. HA Components ● Logically, the two nodes become a single unit from the perspective of the network ● IP Address Redundancy (CARP) – Traffic to/from cluster should use VIP addresses ● Configuration Sync (XMLRPC) – Keeps the node configurations similar ● State Sync (pfsync) – Shares state information between all nodes
  • 6. IP Address Redundancy (CARP) ● CARP VIPs are shared between cluster nodes ● Works similar to VRRP, can conflict with VRRP/HSRP ● Heartbeats transmitted on all interfaces containing CARP VIPs (NOT SYNC IF!) – Approx. 1 per second (base) + fraction (1/256th) of a sec (skew) – If a secondary node stops receiving heartbeats or they are too slow, it will take over as master – Skew adds time/slowness, secondary must use a higher skew (e.g. 100) than the primary (e.g. 0) – Active/Passive only, no Active/Active ● Traffic to cluster must route to CARP VIP address(es) – Routed inbound traffic, VPNs, port forwards, local gateway, DNS – Exceptions ● Only access firewall GUI/SSH by interface IP addresses, not VIP! ● Monitoring systems can check each node individually ● Traffic from cluster should originate from CARP VIPs – Outbound NAT, VPNs ● If an interface containing a VIP loses link, that node will automatically demote itself due to the problem (temporarily adds 240 to the skew) ● On pfSense, preemptive failover is enabled by default so if an interface triggers a demotion, all VIPs are demoted to trigger a complete failover
  • 7. Configuration Sync (XMLRPC) ● Communicates via the Sync interface ● Copies some settings from primary to secondary on save ● Does not sync interfaces or System > Advanced, System > General, or most packages. ● Will sync rules, NAT, aliases, VPNs, many other areas ● Not strictly required for HA, but makes the job much easier
  • 8. State Sync (pfsync) ● Communicates via the Sync interface ● State inserts, deletes, and updates exchanged between nodes ● State table on both nodes should be identical (or nearly so) ● If-bound states mean physical interface assignments must be identical (or LAGGs to mask differences) ● When primary fails, connections continue to flow through secondary since the state is already present ● Requires use of CARP VIPs with NAT, no traffic direct to/from node ● HA can work without it, but connections will be disrupted during failover ● Not currently compatible with Limiters
  • 9. Assumptions ● Two firewalls running pfSense software – Could use more, but that isn't covered here and does not offer a significant advantage ● Firewalls are at (or near) a default configuration – Conversion to HA from an existing install is possible, but can be tricky. See the July 2016 hangout for details ● Firewalls have identical interfaces assigned in identical order ● Firewalls have a non-conflicting configuration – Different IP addresses in the same networks – DHCP off on secondary until it is properly configured for HA
  • 10. Pick a Sync Interface ● One interface will interconnect between units for XMLRPC and pfsync traffic ● Name it the “Sync” interface ● Do not name it a “CARP interface”, no CARP/heartbeat traffic on it, it does not factor into failover directly! ● Can consume a significant amount of bandwidth for state synchronization, especially in environments with lots of state churn ● Technically optional but highly recommended – If no physical interface is available, use a VLAN – If no VLAN is possible, it could share a secure internal interface, but that can still be dangerous/insecure ● pfsync has no authentication, any device on the segment could insert state data
  • 11. Interface Assignments ● Nodes must have the same number of interfaces and they must be assigned in identical order. ● The order of interfaces on Interfaces > Assignments must be identical! ● For state synchronization to work, interfaces must be the same type as well (e.g. igbX, emX, etc) – If that is not possible, interfaces could be added to LAGG instances so the assigned interfaces can match (e.g. lagg0 on both, rather than igb0 and em0) ● If the interface order does not match… – Areas such as firewall rules will appear to sync to the “wrong” interface on other nodes – Rules or other settings might “disappear” or otherwise break/misbehave (really ending up on the wrong interface)
  • 12. IP Address Requirements ● CARP requires a static IP address WAN for full functionality – DHCP or PPPoE WAN may work in some cases, but not seamless failover – For IPv6, static addressing is a hard requirement; DHCPv6 is not feasible ● Ideally, three IP addresses per subnet per address family (except Sync) – One IP address of each family type per node (e.g. one IPv4, one IPv6), plus at least one CARP VIP or each family for each interface – Each WAN should be a /29 or larger for IPv4, a standard IPv6 /64 is sufficient, but no smaller than 126 – Sync interface has no CARP and thus does not need an additional IP address, can be IPv4 only ● Single IPv4 address CARP is possible but not generally recommended – For WANs, it means only the active master may communicate out for gateway monitoring, updates, package installs, etc. ● OK for secondary or additional WANs so long as the firewalls do not need to reach outbound individually on that circuit ● If only an IPv4 /30 is possible on WAN, feel free to use it (with the above caveats) – LANs generally do not have IP address shortages so it can work there, but could break DHCP failover ● All nodes MUST connect to the all WANs identically, it is not feasible to have the primary on one ISP and the secondary on a different ISP – See the July 2016 hangout for Multi-WAN HA ● Reminder: IPv6 clusters must have separate routed subnets for each interface – Local subnets can all be under one larger subnet (e.g. LAN, DMZ, etc all under a /60 routed in via WAN)
  • 13. Check VHID/VRID Usage ● CARP/VRRP/HSRP use similar mechanisms ● MAC address of CARP VIP is determined by VHID – 00:00:5e:00:01:<VHID in hex> – See https://docs.google.com/spreadsheets/d/17CqR6iAAXHXfU0h4uatzuY0w7k0ijy22dES6 joLdTL0/edit?usp=sharing ● Overlapping IDs will cause MAC conflicts among other issues ● To find if any are in use... – Diag > Packet Capture, set Protocol to CARP – Capture for several seconds minimum – If any packets are observed, check VHID/VRID (may need to load capture in Wireshark) – Note the used ID(s) and avoid using them with CARP VIPs
  • 14. Basic Setup Pre-requisites ● Give each node a unique hostname – Ex: fw-a/fw-b, fw-pri/fw-sec, fw-1/fw-2 ● Adjust IP addresses on each node so they do not directly conflict – Ex: Primary LAN to 192.168.1.2, Secondary to .3 ● DHCP Must be disabled on the secondary until it is configured for HA ● GUI must be running same protocol and port on both nodes – Ex: HTTPS on port 443 ● The sync account (e.g. admin) cannot be disabled and must have the same password on both nodes – On 2.4, any user can be used for synchronization, provided it has the “System - HA node sync” privilege ● Both nodes must have a static IP address WAN configured in the same WAN subnet with a proper gateway and so on ● Both nodes must have DNS configured properly either using the DNS Resolver with forwarding disabled, or by having DNS servers set under System > General Setup
  • 15. Switch Setup ● CARP uses multicast, so the switch cannot block, filter, limit, or otherwise interfere with multicast – IGMP snooping on some switches can conflict and may need to be disabled ● Nearly all CARP status problems, such as dual master scenarios, are due to switch or other layer 2 issues ● The switch must, at least: – Allow Multicast traffic to be sent and received by the firewall without interference on ports using CARP VIPs. – Allow traffic to be sent and received by the firewall using multiple MAC addresses – Allow the CARP VIP MAC address to move between ports ● Virtual/Hypervisor switches often have issues with one or more of the above and require adjustments such as enabling Promiscuous Mode, Forged Transmits, and allowing MAC address changes
  • 16. Configuration! ● Reminder: Keep secondary disconnected from any network until it has a basic non-conflicting interface configuration – Otherwise it could cause problems with DHCP, IP address conflicts, etc. ● Setup Sync interface ● Configure pfsync ● Configure XMLRPC ● Add CARP VIPs ● Setup Manual Outbound NAT ● Setup DHCP ● Setup DHCPv6 / Router Advertisements ● VPNs, other services ● Adding more Interfaces
  • 17. Setup Sync Interface ● Interface config – Enable the interface, name it Sync – Set for a static IPv4 address in the chosen sync subnet ● Ex: Primary as 172.16.1.2/24, secondary as .3 – IPv6 is optional here, can be used for XMLRPC sync – Do not check Block Private Networks or Bogons ● Add firewall rules for sync – On Primary: ● Add rule to pass TCP/443 to on the Sync address for GUI ● Add rule to pass pfsync from Sync net to any. ● Optionally add a rule to pass ICMP echoreq to/from Sync net – On Secondary: ● Add rule to pass any protocol from Sync net to any ● Rule is different so it's obvious when it has been replaced by XMLRPC sync!
  • 18. Configure pfsync ● Enable on BOTH nodes! ● Navigate to System > High Avail Sync ● State Synchronization Settings (pfsync) section ● Check Synchronize States ● Set Synchronize Interface to Sync ● Set the pfsync Synchronize Peer IP to the IP address of the other node – Ex: On the Primary, enter the IP address of the secondary, 172.16.1.3, and vice versa. – Technically this setting is optional. Without it set, state sync is sent via multicast rather than unicast. With only two nodes, unicast is more reliable ● Click Save
  • 19. Configure XMLRPC ● Enable only on the Primary node! ● Navigate to System > High Avail Sync ● Configuration Synchronization Settings (XMLRPC Sync) section ● Set Synchronize Config to IP to the Sync interface IP address on the secondary node (e.g. 172.16.1.3) ● Set Remote System Username to admin – On 2.4+, any user will work so long as they are admin or have the “System - HA node sync” privilege ● Note that this account MUST exist on the secondary for sync to function! It is easier to use admin for now and change it after. – On 2.3.x and earlier, admin is the only user that will work ● Set Remote System Password to the sync account password ● Check the boxes for each area to synchronize ● Click Save ● On the secondary, check and see if the rule changes on the Sync interface carried over ● From here on, do not make any changes on the secondary in an area that will sync!
  • 20. Add CARP VIPs ● Navigate to Firewall > Virtual IPs on Primary node ● Add a CARP type VIP for each interface except Sync ● Skew on primary should be 0/1, secondary will end up higher via XMLRPC sync which adjusts the skew when copying ● Example: – WAN CARP VIP 198.51.100.200/24, VHID Group 200, random password/confirm, Base=1, Skew=0 – LAN CARP VIP 192.168.1.1/24, VHID=1, random password/confirm, Base=1, Skew=0 – Subnet mask must match the interface subnet! ● If a VIP is sensitive to latency (e.g. Secondary is in another building), try moving Base up by 1 until stability is achieved ● Check Status > CARP – If CARP shows disabled on either node, enable it – Primary should show MASTER, Secondary BACKUP ● Repeat for more VIPs as needed ● If there will be many VIPs in a single interface + subnet, use IP alias VIPs w/CARP VIP as their parent interface – Reduces CARP advertisements, and they switch as a group instead of individually ● Do NOT add CARP VIPs to interfaces that will be down/disabled! This will cause the firewall to demote itself, believing it has a problem.
  • 21. Setup NAT ● Navigate to Firewall > NAT, Outbound tab on Primary node ● Change Mode to Manual or Hybrid ● In hybrid mode: – Add new rules to translate from LAN(s) source – Set the Translation to the CARP WAN VIP ● In manual mode: – Edit each rule for a local interface (e.g. LAN) – Set the Translation to the CARP WAN VIP ● DO NOT SET A SOURCE OF “ANY” on the NAT rules! ● An RFC1918 alias helps here for source (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) ● After adding/editing all rules, click Apply Changes ● If/when additional interfaces are added in the future, rules must be added manually! ● Add port forwards, 1:1 NAT if needed. May need more WAN VIPs if using multiple IP addresses
  • 22. Setup DHCP (IPv4) ● Navigate to Services > DHCP Server, LAN tab on Primary ● Set DNS Server to the LAN CARP VIP ● Set Gateway to the LAN CARP VIP ● Set the Failover Peer IP to the actual LAN IP address of the secondary node, e.g. 192.168.1.3 ● Click Save ● Repeat for additional local interfaces if necessary ● Gateway must be the CARP VIP, DNS if using the firewall for DNS also ● Navigate to Status > DHCP Leases, check pool status, should be “normal”/”normal”
  • 23. Setup DHCPv6 / RA ● DHCPv6 has no concept of failover, so setup is tricky – DHCPv6 & RA settings will not sync due to this – There is no formal spec/RFC yet, only a draft with no implementation ● Navigate to Services > DHCPv6 Server & RA on Primary node ● Two main options: – Set RA to Unmanaged (SLAAC) and let clients determine their own addresses – Set RA to Managed + DHCPv6 independently using separate local pools ● e.g. Pri: x:x:x:x::1:0000-x:x:x:x::1:FFFF / Sec: x:x:x:x::2:0000-x:x:x:x::2:FFFF ● Gateway is handled by router advertisements, two choices there as well – On both, bind to CARP VIP, use Normal router priority ● radvd will start/stop with CARP status (preferred method) – Bind to LAN, set primary to High priority, set secondary to Low ● Set DNS to LAN CARP VIP in RA and DHCPv6 (if used)
  • 24. VPNs, Additional Interfaces ● If the firewalls are using the default DNS (DNS Resolver, Unbound) you must visit Services > DNS Resolver and press Save at least once, otherwise local clients cannot use the CARP VIP for DNS resolution. ● For VPNs and other local services, if they require binding to only one IP address, set the Interface to a CARP VIP (e.g. IPsec, OpenVPN) ● Support in packages varies but some have support for CARP VIPs, XMLRPC, or CARP status detection ● ACME package – Install it only on the primary – Make a cert with SAN entries for both hosts individually and the CARP VIP all in a single cert – Cert will sync to secondary automatically via XMLRPC since certificates already sync ● When adding a new local interface: – Assign the interface on both nodes identically – Enable the interface on both nodes, using different IP addresses within the same subnet – Add a CARP VIP inside the new subnet (Primary node only) – Add firewall rules (Primary node only) – Add Manual Outbound NAT for a source of the new subnet, utilizing the CARP VIP for translation (Primary node only) – Configure the DHCP/DHCPv6/RA server for the new subnet, utilizing the CARP VIP for DNS and Gateway roles (Optional, Primary node only)
  • 25. Testing ● Verify that a client on the LAN can pass through the cluster (ping / browse to Internet host) ● Verify XMLRPC by checking if a setting syncs, and via Status > Filter Reload, Force Config Sync ● Verify CARP by checking Status > CARP – If any VIPs show as INIT, then an interface is down. Fix the interface or remove the VIP. – Don’t be tempted by the “Reset Demotion Factor” button, it’s not a permanent fix. ● Verify state sync by checking pfsync nodes on Status > CARP and contents of Diag > States ● Testing Failover: – Status > CARP, enter maintenance mode or disable CARP on primary – Check status on secondary, should now be MASTER – Test LAN client connectivity, DHCP, etc – Enable CARP on Primary – Retest connectivity ● Downloading a file, streaming audio, or streaming video will most likely continue uninterrupted. VoIP-based phone calls may have a slight disruption as they are not buffered like the others.
  • 26. Troubleshooting ● Review the config ● Check CARP status, if VIP is INIT, check interface link, edit/save/apply VIP ● Check for conflicting VHIDs ● Check subnet mask on CARP VIPs ● Switch/L2 issues – Ensure boxes are on the correct switch/VLAN/L2 – Try to ping between the nodes on the affected interface – Ensure switches are properly trunking, if applicable – Try another switch (especially if using a modem/CPE switch) – Disable IGMP snooping, broadcast/multicast storm control, etc. – For vswitches, check promiscuous mode, forged transmits, MAC changes ● Check system logs, firewall logs, notices
  • 27. Upgrading ● Review changelog/blog/upgrade guide – https://doc.pfsense.org/index.php/Upgrade_Guide – https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide ● Take a backup – Cannot stress this enough ● If the cluster is running an older (2.2.x or before) version, disable XMLRPC on primary ● Upgrade secondary ● Check secondary – Check logs, status pages, and so on to ensure everything looks OK ● Switch CARP to maintenance mode on primary (sticks across reboots) ● Test secondary, ensure proper connectivity and service function – If something fails, simply switch out of maintenance mode on the primary then repair the secondary ● Upgrade primary ● Exit maintenance mode on primary ● Test again ● If XMLRPC was disabled, enable it again, then test sync
  • 28. Conclusion ● July 2016 hangout in the archive has some advanced HA topics: – Multi-WAN with HA – Converting an existing single firewall to HA cluster ● For IPv6 basics, see the July 2015 hangout ● Questions? ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc