BSDnewsletter.com


pfSense High Availability Synchronization

Jeremy C. Reed

This is a brief extract from the book pfSense Essentials. See http://www.reedmedia.net/books/pfsense/ for details.

pfSense provides synchronization methods for sharing firewall state information and for sharing some pfSense configuration settings with one or more pfSense systems. Multiple systems knowing the same configurations can help prevent a single point of failure. The options for these are available via the System → High Avail. Sync page.

State Synchronization (pfsync)

The state or progress of network connections may be tracked by the PF firewall in a state table. This may be used to match traffic to already-established connections. The state entries may be shared with other pfSense peers using the pfsync protocol so they may be consistent in the case of failover.

To enable transferring or accepting the state changes to or from another firewall, check the Synchronize states checkbox.

Use the Synchronize Interface drop-down list to select the interface that carries the pfsync traffic. By default the state changes are sent as multicast on that interface.

If you don't want to use multicast, enter the other pfSense system's IPv4 address in the pfsync Synchronize Peer IP field; the state updates are then sent to that address by unicast instead.

Warning

The pfsync traffic is neither encrypted nor authenticated: any host that can reach the synchronization segment can read the state table and can inject or alter state entries on the firewalls. It is recommended that this connection is carried over a dedicated interface with a direct cable between the pfSense systems, or secured using IPsec.
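Once pfsync is enabled, the practical check is whether the backup's state table actually mirrors the primary's. The following is an added example (not from the book and not pfSense's own code) that diffs `pfctl -ss` output captured on both nodes; the two captures below are constructed samples, and the "all", "tcp", address and state columns follow the format `pfctl -ss` prints on FreeBSD/pfSense. On real firewalls capture each table as root and feed the text to `compare_states`.

```python
# Added example: verify pfsync replication by diffing the PF state tables of
# the primary and backup nodes.  Sample tables are constructed, not captured.

# Constructed `pfctl -ss` output from the primary.  Column layout:
#   <iface> <proto> <src> [-> <nat addr>] <-|-> <dst>   <state>
PRIMARY_STATES = """\
all tcp 10.10.0.5:443 <- 192.168.1.20:51234       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:51234 -> 203.0.113.5:51234 -> 10.10.0.5:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.20:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
all icmp 192.168.1.20:8 -> 198.51.100.1:8       0:0
all tcp 192.168.1.99:40001 -> 198.51.100.9:22       ESTABLISHED:ESTABLISHED
"""

# Constructed output from the backup; the last SSH state never arrived.
BACKUP_STATES = """\
all tcp 10.10.0.5:443 <- 192.168.1.20:51234       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:51234 -> 203.0.113.5:51234 -> 10.10.0.5:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.20:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
all icmp 192.168.1.20:8 -> 198.51.100.1:8       0:0
"""


def parse_states(text):
    """Return {key: state_string} for one `pfctl -ss` capture.

    The key is everything between the interface column and the connection
    state column: protocol, endpoints and any NAT translation.  Dropping the
    interface name lets the same state match even if the peers name their
    interfaces differently; dropping the state column lets us report states
    that exist on both nodes but disagree about their stage separately.
    """
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or unexpected line
        key = " ".join(fields[1:-1])
        states[key] = fields[-1]
    return states


def compare_states(primary_text, backup_text):
    """Return (missing_on_backup, extra_on_backup, stage_mismatches)."""
    primary = parse_states(primary_text)
    backup = parse_states(backup_text)
    missing = sorted(k for k in primary if k not in backup)
    extra = sorted(k for k in backup if k not in primary)
    mismatch = sorted(k for k in primary
                      if k in backup and primary[k] != backup[k])
    return missing, extra, mismatch


def report(primary_text, backup_text):
    """Human-readable summary; an empty return value means the tables agree."""
    missing, extra, mismatch = compare_states(primary_text, backup_text)
    lines = []
    lines += ["MISSING on backup: " + k for k in missing]
    lines += ["EXTRA on backup:   " + k for k in extra]
    lines += ["STAGE differs:     " + k for k in mismatch]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PRIMARY_STATES, BACKUP_STATES) or "state tables agree")
```

Snapshots taken seconds apart will always show a few transient differences because states expire and new ones are created in between; a large or growing "MISSING on backup" list is what indicates that pfsync updates are not reaching the peer (wrong interface, blocked multicast, or a unicast peer IP that does not match).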

Configuration Synchronization (XMLRPC Sync)

Several categories of configuration may be transferred from this pfSense system to another pfSense system. This configuration synchronization happens only when it is enabled and the pfSense peer runs the same pfSense version.

Enter the remote pfSense system's IP address in the Synchronize Config to IP field. This is the IP address for the backup system.

Warning

Do not configure your backup pfSense systems to synchronize their copied configurations back to the main systems. You don't want to mistakenly overwrite the production configurations with the backups.

Enter the other pfSense system's username and password (as used for its web login) in the Remote System Username and Remote System Password fields. (Repeat the password in the corresponding field to confirm it was typed correctly.) Note that the backup system's password will be replaced with the current system's password after the configuration synchronization, so the credentials entered here only need to be valid for the first synchronization.

The page also lists several checkboxes for enabling or disabling types of configurations to synchronize to the peer. These include:

Synchronize Users and Groups

Users (and their passwords) and groups. This includes the admin user and the next UID and GID counter fields.

Synchronize Auth Servers

LDAP and/or RADIUS authentication servers configurations.

Synchronize Certificates

Certificate Authorities, Certificate Revocation Lists, and/or certificates.

Synchronize Rules

PF packet filter firewall rules. When this is checked, any time-based or calendar schedules you have configured are also transferred, as if Synchronize Firewall schedules were checked. Note that firewall rules marked with the No XMLRPC Sync checkbox are not synchronized to the backup firewall.

Synchronize Firewall schedules

Calendar and time-based schedules for the firewall.

Synchronize Firewall aliases

Network, port, and URL Aliases.

Synchronize NAT

Network Address Translation rules. Note that NAT rules that are marked with the No XMLRPC Sync checkbox are not synchronized to the backup firewall.

Synchronize IPsec

IPsec configurations.

Synchronize OpenVPN

OpenVPN configurations. Note that when this is checked, the CAs, CRLs, and certificates are also synchronized, as if Synchronize Certificates were checked.

Synchronize DHCPD

DHCP Server settings. Note that when the Failover peer IP DHCP server option (book Section 19.4, “Other DHCP Server Options”) is configured, the backup system's DHCP failover peer IP address is replaced with the address of the master pfSense system's DHCP interface. (That way each system points at the other as its failover peer.)

Synchronize Wake-on-LAN

Wake-on-LAN (WoL) Server settings.

Synchronize Static Routes

Static routes and gateway configurations.

Synchronize Load Balancer

Load balancer pools and virtual servers configurations.

Synchronize Virtual IPs

Virtual IPs for CARP-based high availability configurations. Note that CARP Skew settings will be increased by 100 for the backup system (and clamped to a maximum of 254) so the backup will have a lower preference. (See book Section 16.10.1.1, “Virtual IP CARP Settings” for details.)

Synchronize traffic shaper (queues)

ALTQ traffic shaper configurations.

Synchronize traffic shaper (limiter)

Dummynet limiter configurations.

Synchronize DNS (Forwarder/Resolver)

DNS Forwarder (dnsmasq) and/or DNS Resolver (Unbound) configurations.

Synchronize Captive Portal

Captive portal configurations, including vouchers.

Note that there are many other pfSense settings that are not synchronized.

Click the Save button to enable these settings.
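Because a configuration sync overwrites whole sections on the backup, it is worth knowing in advance what a given set of checkboxes will push. The following is an added example (not from the book and not pfSense's own synchronization code) that builds that preview from a config fragment: it drops rules flagged No XMLRPC Sync, pulls in the schedules section when rules are selected, and raises the CARP skew of each virtual IP by 100 (clamped to 254) as the text above describes. The XML is a constructed sample whose layout only mimics pfSense's config.xml (an empty `<nosync/>` element inside a rule, `<advskew>` inside a CARP `<vip>`), and the option names and the option-to-section map are this example's own assumptions.

```python
# Added example: preview what an XMLRPC configuration sync would push to the
# backup for a given set of enabled options.  Config fragment is constructed.
import copy
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<pfsense>
  <filter>
    <rule><descr>allow https to dmz</descr><interface>wan</interface></rule>
    <rule><descr>primary-only ssh</descr><interface>sync</interface><nosync/></rule>
    <rule><descr>allow lan out</descr><interface>lan</interface></rule>
  </filter>
  <nat>
    <rule><descr>forward web</descr><nosync/></rule>
    <rule><descr>forward mail</descr></rule>
  </nat>
  <schedules>
    <schedule><name>office-hours</name></schedule>
  </schedules>
  <virtualip>
    <vip><mode>carp</mode><subnet>203.0.113.1</subnet><advskew>0</advskew></vip>
    <vip><mode>carp</mode><subnet>10.10.0.1</subnet><advskew>200</advskew></vip>
    <vip><mode>ipalias</mode><subnet>10.10.0.2</subnet></vip>
  </virtualip>
  <syslog><remoteserver>10.9.9.9</remoteserver></syslog>
</pfsense>
"""

CARP_SKEW_OFFSET = 100   # the sync adds this to the backup's advskew ...
CARP_SKEW_MAX = 254      # ... and clamps the result here

# Checkbox -> config sections it pushes.  Names are assumed for this example;
# "rules" implies the schedules section, as the Synchronize Rules text says.
SECTIONS_FOR_OPTION = {
    "rules": ["filter", "schedules"],
    "schedules": ["schedules"],
    "nat": ["nat"],
    "virtualips": ["virtualip"],
}


def build_sync_payload(config_xml, enabled_options):
    """Return {section_name: Element} as it would be sent to the backup."""
    root = ET.fromstring(config_xml)
    payload = {}
    for option in enabled_options:
        for section in SECTIONS_FOR_OPTION[option]:
            node = root.find(section)
            if node is None or section in payload:
                continue
            node = copy.deepcopy(node)  # never mutate the local config
            if section in ("filter", "nat"):
                # Rules flagged "No XMLRPC Sync" stay on this node only.
                for rule in list(node.findall("rule")):
                    if rule.find("nosync") is not None:
                        node.remove(rule)
            elif section == "virtualip":
                # The backup must lose the CARP election: raise its skew.
                for vip in node.findall("vip"):
                    if vip.findtext("mode") != "carp":
                        continue
                    skew = vip.find("advskew")
                    if skew is None:
                        skew = ET.SubElement(vip, "advskew")
                    current = int(skew.text or 0)
                    skew.text = str(min(current + CARP_SKEW_OFFSET,
                                        CARP_SKEW_MAX))
            payload[section] = node
    return payload


def synced_rule_descrs(payload, section):
    """Descriptions of the rules that would reach the backup."""
    return [r.findtext("descr") for r in payload[section].findall("rule")]


def backup_carp_skews(payload):
    """(subnet, advskew) pairs the backup would end up with."""
    return [(v.findtext("subnet"), int(v.findtext("advskew")))
            for v in payload["virtualip"].findall("vip")
            if v.findtext("mode") == "carp"]


if __name__ == "__main__":
    pushed = build_sync_payload(SAMPLE_CONFIG, ["rules", "nat", "virtualips"])
    for name, node in pushed.items():
        print(name, ET.tostring(node, encoding="unicode").strip())
```

Run it against a copy of the primary's config before clicking Force Config Sync. Two things to look for in the output: a rule you expected on the backup that is absent (it carries No XMLRPC Sync), and a section such as syslog that is absent altogether because no checkbox covers it, which matches the note above that many settings are never synchronized.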

Syncing the Configuration

When enabled, a change to any of more than 250 settings triggers a configuration synchronization from this system to the other pfSense system.

It can also be triggered manually to test it. If high availability is enabled and the Synchronize Config to IP setting is defined, the Status → Filter Reload page has a Force Config Sync button that performs the configuration synchronization. Note that this pushes the selected configurations to the remote system, overwriting those configurations there.


The original chapter has cross-references for various topics. See the book for the supplementary chapters and sections about the DHCP server options, virtual IP / CARP settings, the firewall, and more. See http://www.reedmedia.net/books/pfsense/ for details. Please consider adding a review to Amazon.


November 09, 2019 18:06:02
