Configuring HA for a pFSense Firewall

Captions
Hello and welcome to another tech tip by VMNerd. Our tech topic for today is configuring HA for your pfSense firewall. In one of our previous videos we installed a routing firewall with pfSense on ESX, and what we're going to do here is take that installation to the next level and enable HA for it. We're also going to take a VM from our Installing an Ubuntu Server VM video and leverage that to be our WAN IP check website, labeled myip.vmnerd.com. We also have a pre-configured VM called Browser that we'll use on the inside of the HA firewall to test the NAT translations, to make sure that the virtual IPs are working correctly. And with that, let's get started.

OK, so just like in all of our other videos, where we use some sort of a diagram to illustrate what we're going to be doing, we're going to take the diagram that we used in our Installing a Routing Firewall with pfSense on ESX video, and we're going to build out what the HA configuration would look like, so it'll be our blueprint for what we're building. So let's go ahead and open that up. OK, so if you look right here we have the diagram from our previous video. I'm going to make some adjustments here, since we're going to be introducing a new firewall to the mix. Let's add that here. This guy here we're going to label pfo2, just to keep it simple, and just like this one here we're going to have three interfaces, so we'll have a WAN, LAN, etc., just like the other one. What we're going to do is connect these guys up so it looks the same. And if you look here at the VLANs, they're going to be the exact same; let's bring this down here a little bit. They have to be the same in order for them to properly communicate, so we'll just clone these to keep it simple, and we're going to make some adjustments up here. We're going to take out the CARP VIPs, since they're going to be shared IPs between them, and we're going to make the adjustments here: this guy here is going to have an IP of 192.168.32.222, and we're just going to follow suit across all the various interfaces, so where it was .221 it'll just be .222. OK, so now that we've got all of that configured, we have our blueprint for what it is we're actually going to build. Let's go ahead and save this.

So the next thing we're going to do, now that we have a blueprint for what we're going to build, is actually get the building process going. We're going to log in to our vCenter. One of the things I want to do here is shut this firewall down, to make sure that we're going to have a nice clean build. Instead of going through the process of reinstalling, because we already know how to do that, we're just going to clone this; it is a virtual machine, so we can do that. So here we go: we're going to clone it and call it pfo2, then click Next, select your VM host, and it's going to put it on some flash drives again for performance reasons. There's no need to power it on just yet. Since we cloned it, all of its configuration should be the same. So let's go ahead and power it on, and we'll wait for it to come online. OK, so rather than going through and switching all this stuff, I think it would actually be easier if we just do a reset to factory defaults; there's an option on here for that, so let's do that now. We'll say yes, and basically what it's going to do is bring it back with just a vanilla configuration, actually no configuration at all, just like when we installed the ISO image for the live CD portion of pfSense. Now that it's actually shut down we can power on the other firewall, so let's do that in the interim while pfo2 is coming back online.

OK, so we're not going to do any VLANs, since that's really out of scope for this video, so we'll just say no here, and we'll basically just configure our interfaces: vmx0 is going to be the WAN interface, vmx1 will be the LAN, and vmx2 will be our HA interface. Some people call it CARP, some people call it pfsync or whatever; I just call it HA, because that's really what it's for, at least this particular interface and what we're going to use it for. We already got an IP address, which is a good sign, and just like the other one, what I'd like to do is go into the shell and do a pfctl -d (whoops, too many dashes there) and just disable all the rules, so that we can manage it through the web interface; going through there typing it all out in this thing is actually not very fun. So let's go to 192.168.30.100, I believe it was. And there we go, yes, this is correct. For this video, the one thing we're not going to do is change this to the red interface, the one that I actually like to use, so that we can show that there's a distinguishable difference between the two as we're going through the configurations. So let's log in. We don't really have to go through the wizard; it's pretty straightforward. Just like before, though, we are going to have to go in and disable the block private networks and bogons options, strictly so that we can connect to it on our private network, and the next thing we need to do is create a rule so we can administer this thing. So let's add a quick rule: TCP, any, destination is going to be this firewall, and we'll do HTTP. Now remember, like before, if this really is on the internet interface you might not truly want to do it this way; this is just for convenience because we are on a private network, so keep that in mind as we turn this rule on. So we'll allow that, and rather than apply changes I'll just do a reboot; it's actually quicker to do it this way than it is to undo the rules and all that stuff again. And the top secret password that is installed by default is pfsense.

So the next thing we need to do is configure this the way that it needs to be. The first thing we want to do is adjust the WAN IP interface. Out of the whole thing this is probably the most painful part, only because we have to reconnect the browser to a different IP. So in this case we use 192.168.32.222, and we're going to make sure it's a Class C, which is /24, and we're going to set a gateway here, which is going to be 192.168.32.254. Let's save and click Apply, and this is where we're actually going to lose our connectivity; all you really have to do is go up to the browser and switch it to the 32 address, and it should come right online. Just like before, same username and password, nothing there has changed. Alright, so now the next thing we want to do is set up the LAN interface. Let's disable this option so that we don't get any funny errors, and then let's do .31.222; it is also a Class C, so we'll click Save and Apply. With that, there are all these little things here we need to go in and fix; let's disable the DHCP server itself, since at this point there's really no point in having this enabled, at least for now, and this will give us our errors about DHCP, so let's just shut that off.

Now let's go to the System tab; I believe it's under Networking. Disable IPv6, at least for this video; it's really up to you if you want it or not. The other thing I like to do is disable the anti-lockout rule: since we created a custom rule we don't have to worry about being locked out, and the fact that we're managing it from our device here means we don't have that to worry about, at least on our LAN side. So the next thing we need to do is set up our name; we can do that now, so pfo2, and remember our domain is demo.vmnerd.com and the DNS server, just like our previous one, is 192.168.30.1. We can leave pretty much everything else the same, so let's click Save.

So let's set up our OPT1, which is actually going to be our HA interface. Go ahead and enable it, select HA for your description; the name will end up becoming the name up here under Interfaces, so it'll make it easier for you to remember. Then for the IP address, I believe it's 32; check and make sure, yes, so let's add 192.168.32.222, and it is also a Class C. So let's save that and apply. Now that we've done that, let's go to Firewall and select Rules. What we need to do is kind of interesting: we need to add a rule on the HA side, and at this point we can pretty much pass anything, basically any/any. For the source we can select HA net, the destination is HA net, and just leave it wide open at this point; it really doesn't matter, since you're not going to have actual devices on that interface, it's really just going to be firewall communication. And if you had an actual large network where we did VLANs and all those wonderful things, it's the same thing, you just wouldn't have any machines in those VLANs. So let's click Save.

So now the next thing we need to do is go into the pfo1 firewall and do the same thing. Let's go based on IP; I don't know if we configured DNS for it. There we go, there's the red interface that we're used to seeing. We need to do something similar, so let's go into Interfaces; we already defined our interface here, which is .221. Let's enable the firewall rule to allow any/any on this interface as well. We'll do any protocol; really the most important ones there are pfsync and CARP. HA net to HA net, so allow that entire network to talk to each other. Let's click Save, and I believe that's all we need to do for now.

So for the next part, from this particular side of the house we're going to enable the HA component in pfSense. Let's go to that page, HA Sync. Let's enable the syncing, so click this part here, and for synchronization interface we're going to select HA. We can leave this at pretty much anything, it doesn't really matter. This particular IP is where we're going to push our configurations to, so let's type in the IP address for our CARP partner here, and it's going to be 192.168.32.222. If we go back to our drawing, you'll see on the HA interface it's 32.222, and it's going to communicate from 32.221. For the name select admin; you can create your own account if you want, but for the purposes of this demonstration we don't need to do that. Then go ahead and toggle all; it really doesn't matter, but technically, if you wanted to, you can break down what you really want to sync. In this case we're just going to do that, so click Save.

Then the next thing we need to do is the same thing with our DHCP server. That's a feature that we have to go in here and enable: there's a failover IP, and we just need to plug in the information for our CARP interface, which is 32.222. So we'll click Save, and it's going to leverage this information, at least the information that you typed in on the HA configuration side. So let's go back to our pfo2 firewall and take a look at it; let's see where it's at in the process. We might actually have to go in here and enable the HA component; yeah, we do. So what we need to do here is select the pfsync transfer state checkbox, and select which interface it's going to happen on. Everything else we really don't have to type in, so we don't have to worry about that; I can click Save. We'll give it just a moment to do its thing. It's going to click over here, and let's take a look; I'm just curious whether we're going to do any troubleshooting or not, hopefully not. Status, CARP, there we go. As you can see, it already synchronized our information, so if you look here there's our WAN IP address, which is .220. If you look right here, the CARP is .220, and the CARP on the LAN side is 31.254. So you see those things. Let's take a look at the DHCP service and make sure that's actually configured, and it is; it's actually enabled as well. So it looks like the CARP information is coming over the way it's expected to. Let's go back in here, go to our primary and do the same thing; let's take a look at the CARP information, and if you look right here, it's actually the master.

Let's go back to our VMware vSphere client and take a look at our Browser machine. This is the one I was talking about when we first got started; this is the one we're actually going to use to test the connectivity and make sure that our NAT translations are working, and that when we go to hit a website (in our case it's going to be an internal website on the WAN interface side) we're using that as our NAT gateway. So let's open this. As you can see, I already had it loaded up in a browser, because the machine wasn't really built for anything but what we're doing here. Let's just test; I don't know if I did the URL or not, but let's test anyway. http://... yeah, actually I think I did do this before, yes, so I did test from this machine to make sure that's working. If you look at our actual NAT IP, it's 32.220, which is the actual CARP interface, or the LAN interface that's depicted here on the diagram. So right now we're currently going through the primary, and if you look right here we're hitting 32.220. So let's see what we can do to check our default gateway: right-click here and go to Terminal, and let's do a netstat -rn, which should give our default gateway, which in this case, if you look here, is 192.168.31.254, which is our CARP VIP.

Let's have some fun with this: let's actually test out the failover configuration and how it's going to work. Just for fun, let's do a continuous ping (oops) on our gateway here, 192.168.31.254. We're just going to let this guy run for a little while. While that's going on, let's go into our pfSense page and enter CARP maintenance mode. What that's going to do is set this guy here as the backup. Let's refresh here so that you can see; it should say Backup. And let's go to our secondary firewall and take a look at the status there; it should say Master, and it does. So let's take a look at our machine here and make sure we're still pinging, and if you look right there, we are; we're actually still pinging. This is exactly what we want to see. So now let's exit maintenance mode. What's going to happen when we exit is that it's immediately going to become the master, and if we go back to this guy here he should be the backup, which is exactly the case.

So now what we're going to do is simulate a failover; let's actually simulate a failure. What we're going to do is hard power down this guy, just power it off. We could shut it down, and since we have VM Tools it'll take a little while and gracefully do everything, but in this case let's not do that; just power it off, just a straight shutdown. So now that it's off, let's take a look at our Browser VM and make sure that the pings are still happening, and they are; based on this we didn't even lose a beat. Let's Ctrl-C to break out of this, because I want to go all the way up and take a look at our history here. If you look at the sequence numbers, there's every single one of them, and not one of them was a timeout, and the millisecond response is actually pretty good. So now let's go back to our Firefox window, or our browser window I should say. Let's go back into there, if we can get this back open; was it this one? I think it's the first one. Here we go. Actually, you know what, let's do this a little better and just type our information in again. We'll do myip.vmnerd.com, and voilà, we still have the same external NAT translation address, just like the other one, and the other firewall is completely off. Is that pretty cool or what? I think so.

So let's power the other guy back on, and we'll watch him take control, or at least take it back under control again. Let's bring him back on; it'll take just a few minutes, well, not a few minutes, but a couple of seconds here, and we'll watch for VM Tools to say he's running. Let's go back to our browser interface and check out the status. He's probably back in backup mode, and he is. So if we go here to Status, he will retain his master status. I'll have to log in; I guess the session timed out on the server, it doesn't really want to remember anything, but I'll save that for another video if you guys want. And that concludes our video. I hope you enjoyed our video today on configuring HA for your pfSense firewall. Have a great day. Hey guys, don't forget to check out our VMNerd YouTube channel for more tech tips.
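A client-side check for the failover test at the end of the video, added here as an example that is not part of the VMNerd video: it parses `netstat -rn` output from the Browser VM to confirm the default gateway is the LAN CARP VIP (192.168.31.254), and scans continuous-ping output for missing icmp_seq values and the worst round-trip time, which is what the video checks by eye after the hard power-off. Both command outputs below are constructed samples; the ping sample deliberately drops seq 4 to show the detection.

```python
"""Verify a pfSense CARP failover from the client side (added example,
not from the VMNerd video): the default gateway must be the LAN CARP VIP,
and a continuous ping across the failover must show no gaps in icmp_seq."""
import re

LAN_CARP_VIP = "192.168.31.254"   # LAN CARP VIP used in the video

# Constructed sample of `netstat -rn` output on the Browser VM.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.31.254  0.0.0.0         UG        0 0          0 eth0
192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# Constructed sample of ping output; seq 4 is missing on purpose.
PING_OUT = """\
PING 192.168.31.254 (192.168.31.254) 56(84) bytes of data.
64 bytes from 192.168.31.254: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.31.254: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.31.254: icmp_seq=3 ttl=64 time=0.401 ms
64 bytes from 192.168.31.254: icmp_seq=5 ttl=64 time=1.230 ms
64 bytes from 192.168.31.254: icmp_seq=6 ttl=64 time=0.405 ms
"""


def default_gateway(netstat_text):
    """Return the gateway of the default (0.0.0.0) route, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("0.0.0.0", "default"):
            return fields[1]
    return None


def ping_gaps(ping_text):
    """Return (sorted missing icmp_seq values, max RTT in ms)."""
    pat = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")
    seqs, rtts = [], []
    for line in ping_text.splitlines():
        m = pat.search(line)
        if m:
            seqs.append(int(m.group(1)))
            rtts.append(float(m.group(2)))
    if not seqs:
        return [], 0.0
    expected = set(range(seqs[0], seqs[-1] + 1))
    return sorted(expected - set(seqs)), max(rtts)


def failover_ok(netstat_text, ping_text, vip=LAN_CARP_VIP):
    """True only if traffic leaves via the VIP and no echo reply was lost."""
    missing, _ = ping_gaps(ping_text)
    return default_gateway(netstat_text) == vip and not missing


if __name__ == "__main__":
    print("default gateway:", default_gateway(NETSTAT_RN))
    print("missing seqs, max rtt ms:", ping_gaps(PING_OUT))
    print("failover clean:", failover_ok(NETSTAT_RN, PING_OUT))
```

In a real test, pipe the saved `ping` and `netstat -rn` output into these functions; a clean CARP failover, as in the video, yields an empty missing list.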
Info
Channel: VMNerd
Views: 22,240
Keywords: How To, Howto, VMNerd, DIY, Do It Yourself, Tech, Tech Tips, VMWare, ESX, Router, pFSense, CARP, Demo, Firewall, Opensource, Open Source
Id: VjDL8T99_c8
Length: 23min 34sec (1414 seconds)
Published: Sat Jul 02 2016