pfSense CARP Setup

Example CARP Setup Diagram

Overview of a pfSense-CARP setup

You need one real IP address on each interface for every cluster member, plus one shared CARP virtual IP address per interface. With two cluster members that is two real addresses and one virtual address, three per interface. In the example shown to the right, the primary cluster member's WAN IP address is and the backup firewall's WAN IP address is . The primary's LAN IP address is and the backup firewall's LAN IP address is .

Setting up dedicated pfsync interface

We strongly advise using a dedicated interface for pfsync. pfsync carries the firewall state table with no authentication or encryption, and the XMLRPC sync carries the whole configuration including the remote admin password, so the sync link should be a direct cable or an isolated VLAN that no other host can reach.

Set up the sync interface on each cluster member and give it an IP address in the same subnet. Example: on the master cluster member enter and on the backup cluster member enter for the IP address. Use a /24 subnet.

Enable pfSync

Enable pfsync in Firewall -> Virtual IPs -> CARP settings -> Synchronize Enabled (check it) on all cluster members.
-> Synchronize Virtual IPs [ X ]

In Configuration Synchronization Settings (XMLRPC Sync), fill these in on the master ONLY and leave them empty on the backup, so that the backup never pushes its configuration back over the master's:
-> Synchronize to IP [ the backup member's sync IP ]
-> Remote System Password [ the backup member's webConfigurator admin password ]

Select the dedicated sync interface in the Synchronize Interface dropdown on all cluster members.

Afterwards visit Firewall -> Rules and add an allow rule on each cluster member's new pfsync interface. An allow-all from any to any is the quickest; the traffic that actually has to pass is pfsync between the two members and the webConfigurator port (HTTP or HTTPS) from the master to the backup for XMLRPC, so restrict the source to the peer's sync address if the link is not physically isolated.

Adding CARP shared virtual IP addresses

Now on the master cluster member, add a virtual IP address of the CARP type in Firewall -> Virtual IPs for each interface. Make sure each virtual IP address falls within the subnet of an IP address defined on a real interface (WAN, LAN, OPT1, etc.). Each shared virtual IP address needs a unique VHID; the VHID also determines the virtual MAC address (00:00:5e:00:01:VHID), so it must not collide with any other CARP or VRRP group on the same segment. The host with the lowest advertising skew becomes master. XMLRPC sync automatically adds 100 to the skew of each virtual IP it pushes to the backup, so we recommend leaving the skew at 0 on the master's CARP virtual IPs; pfSense handles the rest.

Master : base=1,skew=0
Backup : base=1,skew=100 (set by XMLRPC sync; if you configure the backup by hand, any skew higher than the master's, e.g. 20, works)

Preparing for XMLRPC Sync

Now set the same admin password and the same webConfigurator protocol (HTTP/HTTPS) on each cluster member; XMLRPC sync connects to the backup with exactly these credentials.

On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the second cluster member's sync IP address (the address given to the backup in the example earlier). Afterwards, enable every section you want to sync (Synchronize rules, Synchronize aliases, Synchronize NAT, ...). This pushes the configuration from the master cluster member to the backup automatically. Click Save. You should see the virtual IP addresses appear on the backup host.

Setting up advanced outbound NAT

Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click Save.

Edit the automatically added rule for LAN and pick the shared CARP WAN virtual IP address as the Translation address. If outbound traffic were translated to a member's real WAN address instead, every established connection would break when the other member takes over. Give the rule a description and click Save.

Setting DHCP Server to use CARP LAN IP Address

On the primary pfSense, visit Services -> DHCP Server and click the LAN tab. Set the default gateway to the CARP LAN virtual IP address, not the real LAN address of either member, so clients keep a working gateway across a failover; then set the range, DNS, etc. Click Save.

Then go to the backup cluster member and verify that the DHCP settings have been synchronized.

If you get a "dhcpd" failure on the backup, leave the "Failover peer IP" box blank.

Checking that XMLRPC sync worked

Visit the backup cluster member and verify that NAT, virtual IPs and rules have been synchronized correctly.

Finally, on the backup host, visit Firewall -> Virtual IPs -> CARP settings, enable "Synchronize Enabled" and make sure that your pfsync interface is correct. Click Save.
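As an added check for the virtual IP and sync steps above (example code, not from the original page or from pfSense): a small POSIX shell script that parses `ifconfig` output into one line per VHID and fails when a VHID is not in the state this node should have, or when the same VHID is configured twice. Run it on both members once the virtual IPs have synced. The interface names (em0/em1/em2) and addresses in the constructed samples are assumptions. A backup that reports MASTER for a VHID the primary also holds means the members are not seeing each other's CARP advertisements; on ESX that is usually the vSwitch settings listed at the end of this page.

```shell
#!/bin/sh
# Added example, not from the original page or from pfSense itself.
# Summarise CARP VHID state from `ifconfig` output and check that every VHID is in
# the state expected for this node and that no VHID is configured twice.
# On a real node call:  carp_check "$(ifconfig)" MASTER   (or BACKUP on the backup).
# The two samples below are constructed; interface names (em0/em1/em2) and the
# addresses are assumptions, not the page's values.

SAMPLE_MASTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
    pfsync: syncdev: em2 syncpeer: 10.0.0.2 maxupd: 128 defer: off'

# Constructed backup node whose LAN VHID is also MASTER: the master's
# advertisements are not reaching it (split brain).
SAMPLE_BACKUP='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 100'

# One line per VHID: "<iface> <vhid> <state> <advbase> <advskew>"
carp_summary() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/  { iface = $1; sub(":$", "", iface) }
        /carp: /  { print iface, $4, $2, $6, $8 }
    '
}

# Exit 0 only if every VHID is in state $2 and no VHID appears on two interfaces;
# each problem is printed as one line.
carp_check() {
    carp_summary "$1" | awk -v want="$2" '
        $3 != want  { bad++; printf "vhid %s on %s is %s, expected %s\n", $2, $1, $3, want }
        seen[$2]++  { bad++; printf "vhid %s is configured twice (again on %s)\n", $2, $1 }
        END         { exit bad ? 1 : 0 }
    '
}

# Stand-alone run over the constructed samples.
carp_check "$SAMPLE_MASTER" MASTER && echo "primary: all VHIDs MASTER"
carp_check "$SAMPLE_BACKUP" BACKUP || echo "backup: split brain, fix the sync/LAN link before trusting failover"
```

Replace the two samples with `"$(ifconfig)"` on each member. The check only looks at state and VHID uniqueness; compare the advskew column between the two members by eye to confirm the backup's values are the master's plus 100.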

That's it! Enjoy your failover firewall solution.

VMware ESX Users

  1. Enable promiscuous mode on the vSwitch
  2. Enable "MAC Address changes"
  3. Enable "Forged transmits"
CARP advertisements and the traffic for the virtual IPs use the virtual MAC address 00:00:5e:00:01:VHID rather than the VM's own MAC, which the default vSwitch security policy drops; without these three settings both members end up claiming MASTER.

Original source reference :

Alan Studio © 2007 by Alan Cheung Hin Lun. All rights reserved.