Setting up pfSense in a High Availability (HA) configuration on Proxmox can seem daunting, but it's a rock-solid way to ensure your network stays up and running, even if one of your servers decides to take an unscheduled vacation. We're going to dive into how to make this happen, keeping it straightforward and easy to follow. High Availability is really important for any network that needs to be consistently available. Think of businesses that rely on constant internet access, or even your smart home where you want everything to work all the time. By setting up pfSense in HA mode, you're essentially creating a backup system that automatically kicks in if the primary system fails. This means minimal downtime and a lot less stress for you.

Why Proxmox? Proxmox Virtual Environment is a powerful open-source virtualization platform that lets you manage virtual machines and containers with ease. It's perfect for setting up a pfSense HA cluster because it provides the flexibility and resources needed to run multiple pfSense instances efficiently. Plus, it's free, which is always a bonus! When we talk about virtualization, we're talking about running multiple operating systems on a single physical machine. Proxmox makes this easy with its web-based interface and robust feature set. You can allocate resources like CPU, RAM, and storage to each virtual machine, ensuring that pfSense has everything it needs to perform optimally.

Before we jump into the nitty-gritty, let's talk about what you'll need. First off, you'll need two Proxmox servers. These don't have to be identical, but they should be capable of running pfSense without breaking a sweat. Each server will host a pfSense instance. Secondly, you’ll need a shared storage solution. This is where the configuration data and state information will be stored, ensuring that both pfSense instances are always in sync. This can be an NFS share, iSCSI target, or even a Ceph cluster if you're feeling adventurous. Lastly, you'll need a dedicated network for the HA heartbeat and synchronization. This network should be isolated from your regular network traffic to prevent any interference.

Understanding High Availability with pfSense

High Availability (HA) with pfSense is all about redundancy. It’s like having a backup quarterback ready to jump in the moment your starter gets sacked. In our case, if one pfSense instance goes down, the other one immediately takes over, ensuring your network stays online. The magic behind this seamless transition is a combination of CARP (Common Address Redundancy Protocol) and XMLRPC synchronization. CARP allows multiple pfSense instances to share the same IP addresses, while XMLRPC keeps the configuration data in sync between the two instances. This means that when the primary instance fails, the backup instance already has all the necessary information to take over without missing a beat. Think of it as having two identical twins, where one can seamlessly step in for the other without anyone noticing the difference.

When setting up HA, you'll designate one pfSense instance as the primary and the other as the backup. The primary instance handles all the network traffic under normal circumstances. The backup instance sits idly by, constantly monitoring the primary instance for any signs of trouble. This monitoring is done through the HA heartbeat network, which sends regular signals between the two instances. If the backup instance doesn't receive a heartbeat from the primary instance within a certain timeframe, it assumes that the primary instance has failed and takes over its responsibilities. This process is known as failover.

Failover is the key to high availability. It's the moment when the backup instance springs into action and starts routing traffic. The transition needs to be as smooth as possible to minimize downtime. This is where CARP comes into play. CARP allows both pfSense instances to share the same virtual IP addresses. These virtual IP addresses are the ones that your network devices use to communicate with the internet. When the primary instance fails, the backup instance takes over these virtual IP addresses and starts routing traffic. Because the IP addresses remain the same, your network devices don't even realize that a failover has occurred.

XMLRPC synchronization ensures that both pfSense instances have the same configuration data. This includes firewall rules, NAT settings, VPN configurations, and everything else that makes your network tick. Whenever you make a change to the configuration on the primary instance, XMLRPC automatically replicates that change to the backup instance. This ensures that the backup instance is always up-to-date and ready to take over at a moment's notice. Without XMLRPC synchronization, the backup instance would be useless because it wouldn't have the correct configuration to route traffic.

Step-by-Step Configuration on Proxmox

Alright, let's get our hands dirty with the actual configuration on Proxmox. First, you’ll want to create two new VMs, one for each pfSense instance. Give them enough resources – at least 2GB of RAM and a couple of vCPUs should do the trick. Also, make sure each VM has at least two network interfaces: one for the WAN (internet) and one for the LAN (your internal network). For the HA heartbeat, you'll need an additional network interface, dedicated solely for communication between the two pfSense instances. When creating these VMs, choose the appropriate network bridges that correspond to your physical network interfaces. For example, you might have vmbr0 connected to your WAN and vmbr1 connected to your LAN. Make sure to assign static IP addresses to each interface, especially the HA heartbeat interface. This will make it easier to troubleshoot any issues later on.

Next, download the latest pfSense ISO image from the official pfSense website. Upload the ISO to your Proxmox server and mount it to each of the pfSense VMs. Start the VMs and follow the pfSense installation wizard. During the installation, you'll be prompted to configure the network interfaces. Assign the WAN interface to the interface that will connect to the internet, and the LAN interface to the interface that will connect to your internal network. For the HA heartbeat interface, assign it to the dedicated network that you created earlier. Once the installation is complete, reboot the VMs.

After the reboot, log into the pfSense web interface. On the primary pfSense instance, go to System > High Availability. Enable the High Availability feature and configure the settings. You'll need to specify the CARP interface, which is the LAN interface that will be shared between the two instances. You'll also need to specify the CARP password, which is used to authenticate communication between the two instances. Make sure to choose a strong password. Additionally, you'll need to specify the Virtual IP address, which is the IP address that will be shared between the two instances. This is the IP address that your network devices will use to communicate with the pfSense firewall.

On the backup pfSense instance, go to System > High Availability. Enable the High Availability feature and configure the settings. Specify the same CARP interface, CARP password, and Virtual IP address as the primary instance. Additionally, you'll need to specify the Remote IP address, which is the IP address of the primary pfSense instance. This allows the backup instance to communicate with the primary instance and synchronize the configuration data. Once you've configured the settings on both instances, save the changes.

To verify that the HA setup is working correctly, you can simulate a failover by shutting down the primary pfSense instance. The backup instance should automatically take over and start routing traffic. You can also monitor the status of the HA setup in the pfSense web interface. The status page will show you which instance is the primary and which instance is the backup. It will also show you the status of the CARP interfaces and the synchronization status. If everything is working correctly, the status page should show that both instances are in sync and that the CARP interfaces are in a healthy state.

Key Considerations for a Robust Setup

For a truly robust setup, there are a few extra things you should keep in mind. First, ensure your shared storage is reliable. A failure here can bring down both pfSense instances, defeating the purpose of HA. Consider using RAID or a distributed storage system for added redundancy. Secondly, monitor your setup closely. Set up alerts for failovers and other critical events so you can quickly respond to any issues. Tools like Nagios or Zabbix can be invaluable for this. Finally, regularly test your failover process. Don't wait for a real emergency to find out that something isn't working as expected. Simulate a failure and verify that the backup instance takes over seamlessly.

Another key consideration is network design. Make sure your network is properly segmented and that your firewall rules are configured correctly. This will help to prevent any security breaches or other network issues. Additionally, consider using VLANs to isolate different types of traffic. This can improve network performance and security. When designing your network, think about the flow of traffic and how it will be routed through the pfSense firewall. Make sure that all of your network devices are properly configured to use the pfSense firewall as their default gateway.

Power is another important consideration. Make sure that both of your Proxmox servers are connected to a UPS (Uninterruptible Power Supply). This will protect your servers from power outages and ensure that they stay up and running during a power failure. Additionally, consider using a redundant power supply for each server. This will provide an extra layer of protection in case one of the power supplies fails.

Regularly backing up your pfSense configuration is also crucial. In the event of a disaster, you can quickly restore your configuration from a backup. pfSense provides a built-in backup feature that allows you to easily create and restore backups. You can also use a third-party backup tool to automate the backup process. Make sure to store your backups in a secure location, such as a cloud storage service or an external hard drive.

Finally, stay up-to-date with the latest pfSense updates and security patches. These updates often include important bug fixes and security improvements. Regularly updating your pfSense firewall will help to protect your network from the latest threats. You can configure pfSense to automatically check for updates and install them automatically. However, it's always a good idea to manually review the updates before installing them to make sure that they don't introduce any new issues.

Conclusion

Setting up pfSense in High Availability on Proxmox might seem like a complex task, but with a bit of planning and careful configuration, you can create a highly resilient network that can withstand almost anything. Remember to focus on reliable shared storage, diligent monitoring, and regular testing. With these practices in place, you'll have a network that's not only secure but also always available, giving you peace of mind and uninterrupted service. So go ahead, give it a try, and take your network to the next level!

By following the steps outlined in this guide, you can create a highly available pfSense setup on Proxmox that will protect your network from downtime. Remember to pay close attention to the key considerations mentioned above to ensure that your setup is robust and reliable. With a little bit of effort, you can create a network that is not only secure but also always available. This will give you peace of mind and allow you to focus on other important tasks without worrying about your network going down.

High availability is not just for large businesses. Even if you're a small business or a home user, you can benefit from the added reliability and peace of mind that a high availability setup provides. With the increasing reliance on the internet for everything from communication to entertainment, it's more important than ever to have a network that is always up and running. By setting up pfSense in high availability mode on Proxmox, you can ensure that your network stays online, even in the event of a hardware failure or other unexpected event. So don't wait, start planning your high availability setup today and take your network to the next level!