Wednesday, April 23, 2014

pfSense and High Availability Part 2 - Node Failover

Now that we've covered network interface failover, it's time for the most popular high availability method: node failover.

First we need a dedicated network interface for this. Let's enable our interfaces for the job and select our IPs, subnets, etc. If subnetting is not exactly your forte, a /30 gives you 2 usable hosts while a /29 gives you 6. Just use an available network. I'll cover subnetting some time in the future; it's easy really. For my needs I selected the 192.168.250.0/30 network, which leaves me with the 192.168.250.1 and 192.168.250.2 IP addresses to assign to my nodes.


Save and apply. Now go to your firewall rules (Firewall, Rules), select the tab that corresponds to the interface you've selected for the task (OPT1 in my case) and allow everything (any) for that specific network (192.168.250.0/30 in my case).


Save and apply.



Now, to actually set up our VIP (Virtual IP). There are two ways we can do this: one is System, High Avail. Sync and the other is Firewall, Virtual IPs, CARP settings tab.

Go to the node that you intend to use as the master and check the "Synchronize states" box. Choose the network interface we've been working with for this (OPT1 in my case) and also enter the slave's IP address into the "pfsync Synchronize Peer IP" box if you want to avoid pfSense spamming multicast.
Synchronize Config to IP: Insert the backup node's IP address (192.168.250.2 in my case)
Remote System Username: Insert the system username
Remote System Password: Insert the system password
And then check everything you want to synchronize. I want everything, so I'll check everything.


Now save and go to your backup node. We want exactly the same settings there, only changing the IP in the "pfsync Synchronize Peer IP" box to the other node's address.
Synchronize Config to IP: Insert NOTHING. This should only be used in the master node.
Remote System Username: Insert NOTHING. This should only be used in the master node.
Remote System Password: Insert NOTHING. This should only be used in the master node.
And then check everything you want to synchronize. I want everything, so I'll check everything.


Now go back to your master node. Go to Firewall, Virtual IP addresses and select "+" to add one.
Let's begin with our WAN interface.
Type: CARP
Interface: WAN
IP address(es): Choose a new available IP, in the same subnet as the old one, which will be the Virtual IP of the cluster. In my case that is 192.168.0.9/24.
Virtual IP Password: Just choose a password for this; CARP uses it to authenticate the advertisements between the nodes.
VHID Group: Usually 1 is fine, but if you have systems that already use CARP in your network (such as Zen Load Balancer) you might want to change this.
Advertising Frequency: Leave it at 1/0 (base/skew) for the master.


Save and apply. Now let's go ahead and do the same for the rest of our interfaces, always keeping in mind that each VIP should get a unique VHID group number.



Save and apply. Our settings should look something like this:


Go to your master and backup nodes and check that everything is working under Status, CARP (failover). Sometimes you need to manually enable CARP if you see "Status DISABLED". No biggie.
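The same "is everything working" check done from the shell instead of the GUI, as an added example written for this post (it is not part of the post or of pfSense): feed it each node's `ifconfig` output and it parses the `carp:` status lines, enforces the one-VHID-per-VIP rule from above, and flags a VIP that has no MASTER or two of them (split-brain). The interface names, addresses and the backup's advskew of 100 in the constructed samples are assumptions.

```python
import re
# Constructed sample `ifconfig` output from both nodes (names/addresses are assumptions; the
# "carp:" line is FreeBSD's format). The backup is deliberately MASTER on VHID 2 too: split-brain.
MASTER_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.0.9 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""
BACKUP_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 100
"""
IFACE_RE = re.compile(r"^(\w+): flags=")
CARP_RE = re.compile(r"^\s*carp: (\S+) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(ifconfig_text):
    """Map each VHID on one node to (interface, state, advskew)."""
    vhids, iface = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = CARP_RE.match(line)
        if m:
            state, vhid, _base, skew = m.groups()
            vhid = int(vhid)
            if vhid in vhids:  # the post's rule: every VIP gets its own VHID
                raise ValueError(f"VHID {vhid} reused on {vhids[vhid][0]} and {iface}")
            vhids[vhid] = (iface, state, int(skew))
    return vhids

def check_cluster(master_text, backup_text):
    """Return a list of problems; an empty list means failover looks healthy."""
    problems = []
    master, backup = parse_carp(master_text), parse_carp(backup_text)
    for vhid in sorted(set(master) | set(backup)):
        if vhid not in master or vhid not in backup:
            problems.append(f"vhid {vhid}: configured on only one node")
            continue
        states = (master[vhid][1], backup[vhid][1])
        if states.count("MASTER") != 1:  # 0 = nobody owns the VIP, 2 = split-brain
            problems.append(f"vhid {vhid}: states {states[0]}/{states[1]}, expected exactly one MASTER")
        if master[vhid][2] >= backup[vhid][2]:  # master keeps skew 0, backup must be higher
            problems.append(f"vhid {vhid}: master advskew {master[vhid][2]} not below backup's {backup[vhid][2]}")
    return problems
```

Run `check_cluster` on the real output of `ifconfig` from each node (collected over SSH, for instance) and an empty list is the shell equivalent of both Status, CARP pages showing one MASTER and one BACKUP per VIP.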
