Failover with CARP in PF: Part Four (Configuration)
September 30, 2013 by maximumdx

In this article, I continue with the configuration of a hypothetical CARP setup with two redundant firewalls.

Configuring the Interfaces

In the previous article, we used ifconfig to configure the CARP interfaces. In production use, you probably want to configure these interfaces with a passphrase, e.g.:

    ifconfig carp0 pass mypassphrase 50.87.147.42 vhid 1
    ifconfig carp1 pass mypassphrase 192.168.10.1 vhid 2

The configuration for the network cards is placed in /etc/rc.conf; for carp0 and carp1, we can put the following:

    # External CARP interface
    ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
    # Internal CARP interface
    ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"

We also need to configure the external and internal public interfaces:

    # External public interface
    ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"
    # Internal public interface
    ifconfig_if1="inet 192.168.10.10/24 netmask 255.255.255.0"

Once the two CARP interfaces and the internal and external interfaces are configured, it is time to consider state table synchronization between the hosts in the redundancy group. With synchronized state tables on the redundant firewalls, in almost all cases the traffic will see no disruption during failover. For state table synchronization, you will need a set of properly configured pfsync interfaces.

Configuring pfsync is fairly straightforward, but it does require some planning. As I mentioned in part two of this series, it is generally a better idea to set up a separate network for the synchronization. In our hypothetical configuration, I have set aside 192.168.11.224/28 for pfsync. In this setup, a crossover cable would be good enough to connect the two Ethernet interfaces, but in setups with more than two hosts, you may want to set up a separate switch, hub, or VLAN.

In this configuration, the interfaces we are planning to use for the synchronization have been assigned the IP addresses 192.168.11.225 and 192.168.11.226, respectively. With the basic TCP/IP configuration done already, we add the following lines to rc.conf:

    # pfsync interface
    ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.224"
    ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"

Here we have configured the if2 interface and the pfsync interface, enabling pfsync on if2. We could have just typed:

    ifconfig_pfsync0="up syncif if2"

But adding the syncpeer option adds an additional layer of security. By default, pfsync updates are multicast on the local network. The syncpeer option overrides that behavior and instead unicasts the updates to 192.168.11.226.

Putting it All Together: A Sample rc.conf

This takes us to the end of the basic network configuration for CARP-based failover. Our hypothetical rc.conf for firewall one should look like this:

    cloned_interfaces="carp0 carp1"
    network_interfaces="lo0 if0 if1 if2 pfsync0"
    gateway_enable="YES"
    ifconfig_lo0="inet 127.0.0.1"
    # External public interface
    ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"
    # Internal public interface
    ifconfig_if1="inet 192.168.10.10/24 netmask 255.255.255.0"
    # External CARP interface
    ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
    # Internal CARP interface
    ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
    # pfsync interface
    ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.224"
    ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"
    icmp_drop_redirects="YES"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""

The rc.conf for the second firewall is similar, but the IPs for if0, if1 and if2 are different:

    cloned_interfaces="carp0 carp1"
    network_interfaces="lo0 if0 if1 if2 pfsync0"
    gateway_enable="YES"
    ifconfig_lo0="inet 127.0.0.1"
    # External public interface
    ifconfig_if0="inet 50.87.147.60 netmask 255.255.255.0"
    # Internal public interface
    ifconfig_if1="inet 192.168.10.11/24 netmask 255.255.255.0"
    # External CARP interface
    ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
    # Internal CARP interface
    ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
    # pfsync interface
    ifconfig_if2="inet 192.168.11.226 netmask 255.255.255.224"
    ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.225"
    icmp_drop_redirects="YES"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""

This covers the basic configuration of our hypothetical dual-firewall CARP setup. In the next article, I will construct a rule set for it.
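Before the two rc.conf files go live, the pair can be cross-checked against the constraints the configuration above relies on: the same shared address, vhid and passphrase on both hosts, distinct physical addresses, and each host's syncpeer pointing at the other host's if2 address. The following sh script is an added example, not code from the original article; it assumes the article's interface names (if0, if1, if2, carp0, carp1, pfsync0) and builds constructed sample rc.conf fragments of its own.

```shell
#!/bin/sh
# Added example, not part of the original article. rc.conf is plain sh, so each
# host's file is sourced in a subshell and the variables of the two hosts are
# compared. Interface names follow the article; the sample files are constructed.
set -u
# rc_get FILE VAR: source FILE in a subshell and print the value of VAR.
rc_get() { ( . "$1"; eval "printf '%s' \"\${$2:-}\"" ); }
# word_after STRING KEY: print the word that follows KEY in STRING (empty if absent).
word_after() { printf '%s\n' "$1" | awk -v k="$2" '{for(i=1;i<NF;i++) if($i==k) print $(i+1)}'; }
# check_pair FILE1 FILE2: return 0 only if the two hosts form a consistent CARP pair.
check_pair() {
  rc=0
  for c in carp0 carp1; do          # shared address, vhid and passphrase must match
    a=$(rc_get "$1" ifconfig_$c); b=$(rc_get "$2" ifconfig_$c)
    for k in up vhid pass; do
      [ "$(word_after "$a" $k)" = "$(word_after "$b" $k)" ] || { echo "$c: $k differs"; rc=1; }
    done
  done
  for i in if0 if1; do              # the physical addresses must differ
    a=$(word_after "$(rc_get "$1" ifconfig_$i)" inet); b=$(word_after "$(rc_get "$2" ifconfig_$i)" inet)
    [ -n "$a" ] && [ "$a" != "$b" ] || { echo "$i: same address on both hosts"; rc=1; }
  done
  # each host's syncpeer must be the other host's pfsync (if2) address
  p1=$(word_after "$(rc_get "$1" ifconfig_pfsync0)" syncpeer); s1=$(word_after "$(rc_get "$1" ifconfig_if2)" inet)
  p2=$(word_after "$(rc_get "$2" ifconfig_pfsync0)" syncpeer); s2=$(word_after "$(rc_get "$2" ifconfig_if2)" inet)
  [ -n "$p1" ] && [ "$p1" = "$s2" ] && [ "$p2" = "$s1" ] || { echo "pfsync: syncpeer/if2 mismatch"; rc=1; }
  return $rc
}
# Constructed rc.conf fragments for the two hosts (only the lines the check reads).
TMP=$(mktemp -d)
cat >"$TMP/fw1.conf" <<'EOF'
ifconfig_if0="inet 50.87.147.50 netmask 255.255.255.0"
ifconfig_if1="inet 192.168.10.10 netmask 255.255.255.0"
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
ifconfig_if2="inet 192.168.11.225 netmask 255.255.255.224"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.226"
EOF
cat >"$TMP/fw2.conf" <<'EOF'
ifconfig_if0="inet 50.87.147.60 netmask 255.255.255.0"
ifconfig_if1="inet 192.168.10.11 netmask 255.255.255.0"
ifconfig_carp0="up 50.87.147.42/24 vhid 1 pass mypassphrase"
ifconfig_carp1="up 192.168.10.1/24 vhid 2 pass mypassphrase"
ifconfig_if2="inet 192.168.11.226 netmask 255.255.255.224"
ifconfig_pfsync0="up syncif if2 syncpeer 192.168.11.225"
EOF
# A mistyped passphrase on host two: its CARP advertisements would be rejected by host one.
sed 's/pass mypassphrase/pass mypassphrese/' "$TMP/fw2.conf" >"$TMP/fw2-bad.conf"
check_pair "$TMP/fw1.conf" "$TMP/fw2.conf" && echo "pair OK"
check_pair "$TMP/fw1.conf" "$TMP/fw2-bad.conf" || echo "mismatch detected"
```

Run it against the real files with `check_pair /path/to/fw1/rc.conf /path/to/fw2/rc.conf`; a non-zero exit and the printed reason tell you which of the pairing constraints is broken.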