Pfsense HA (high availability cluster)
0x00 Preface
Some time ago, the physical machine running the company's firewall crashed and paralysed the company's network: my company's websites became inaccessible, so I started looking into pfSense HA. The company is also preparing to hold a competition, and as a security worker I am certainly under pressure!! Every aspect has to be checked for security risks, and the firewall is bound to be one of them. If the firewall is taken down, how is that handled??? The competition would not be able to proceed.
The name sounds grand! To put it bluntly, we build two pfSense firewalls: if one goes down, the other takes over the work immediately, so the business is not interrupted.
0x01 Pfsense & HA Brief Introduction
pfSense is an open-source firewall/router distribution based on FreeBSD. Installed on a computer, it serves as the firewall and router for the network. It is well known for its reliability and provides features that otherwise exist only in expensive commercial firewalls.
HA (High Availability) is an effective way to ensure business continuity. Generally there are two or more nodes, divided into active and standby nodes: the node currently serving is the active node, and its backup is the standby node. When a problem occurs on the active node and the running business (task) can no longer run properly, the standby node detects the problem and immediately takes over the active node's business.
0x02 Pfsense HA in depth
Here is the topology I drew:
The topology is indeed a bit messy! You could say it is a little ugly. Can anyone recommend good software for drawing these?
Simply put, I did this experiment on my virtual machines.
Pfsense1 + Pfsense2 = Pfsense HA

               Pfsense1         Pfsense2         Pfsense HA (virtual)
WAN:           192.168.1.101    192.168.1.102    192.168.1.254
GW:            192.168.1.1      192.168.1.1      192.168.1.1
LAN:           1.1.1.1          1.1.1.2          1.1.1.254
That is, the layer-3 switch only needs a default route, and this default route points to 1.1.1.254. This IP address is a virtual address shared by Pfsense1 and Pfsense2.
If you look carefully, you will notice I am missing something. Haha! Isn't there supposed to be a line in the middle???
Why is it not shown here????
The middle line is the heartbeat line, used for communication between the MASTER and the BACKUP. When the BACKUP finds that the MASTER is down, it automatically switches to the MASTER state. Here I use the LAN port as the heartbeat line. (The disadvantage is that there is a lot of broadcast traffic and the switch carries a heavier load; a dedicated interface for the heartbeat avoids this.)
Note: during Pfsense HA operation, Pfsense1 and Pfsense2 each have one of two states: MASTER or BACKUP.
0x03 Specific implementation of Pfsense HA
A. Add a virtual IP address
Add a virtual IP address for the WAN port
Add a virtual IP address for the LAN port
All done
B. CARP settings
There are also various synchronization options below; enable them according to your actual situation.
After the configuration is completed, you can log in at http://1.1.1.254/index.php for further configuration.
That is, you configure the MASTER firewall. Data configured on the MASTER firewall is synchronized to the BACKUP (there is a premise! The premise is that you ticked the synchronization checkbox), so you do not have to worry about this data.
0x04 A quick look at port forwarding
A port forwarding rule is needed on the MASTER firewall.
Seen from the BACKUP, the data has been synchronized.
Note: you must configure the firewall rules on the MASTER firewall. Configuring them on the BACKUP is useless.
I shut down the MASTER firewall, and the BACKUP firewall immediately took over and became the MASTER firewall; access to 254 was still unaffected.
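To verify the takeover from the console rather than only by pinging 254, here is an added Python check (not from the original post or the pfSense project) that reads `ifconfig` output from each node and confirms exactly one MASTER per vhid. The samples are constructed, the `carp: MASTER vhid N` and `inet ... vhid N` line format is assumed from FreeBSD's ifconfig, and the node names pfsense1/pfsense2 and vhid numbers are my own placeholders.

```python
import re
from collections import defaultdict

# Constructed samples (not real captures) in FreeBSD/pfSense `ifconfig` line format (assumed); vhid 1 = WAN VIP, vhid 2 = LAN VIP.
PFSENSE1 = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 1.1.1.1 netmask 0xffffff00 broadcast 1.1.1.255
\tinet 1.1.1.254 netmask 0xffffff00 broadcast 1.1.1.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""
# Pfsense2 in normal operation: same VIPs, BACKUP state, higher advskew (lower priority).
PFSENSE2_NORMAL = (PFSENSE1.replace("192.168.1.101", "192.168.1.102")
                   .replace("inet 1.1.1.1 ", "inet 1.1.1.2 ")
                   .replace("MASTER", "BACKUP").replace("advskew 0", "advskew 100"))
# Pfsense2 after taking over (also what you see if only the heartbeat link is cut).
PFSENSE2_PROMOTED = PFSENSE2_NORMAL.replace("BACKUP", "MASTER")

CARP_RE = re.compile(r"carp:\s+(MASTER|BACKUP|INIT)\s+vhid\s+(\d+)")
VIP_RE = re.compile(r"inet\s+(\S+)\s.*\bvhid\s+(\d+)")

def parse_carp(text):
    """Map vhid -> (state, vip) from one node's ifconfig output."""
    vips = {int(v): ip for ip, v in VIP_RE.findall(text)}
    return {int(v): (s, vips.get(int(v))) for s, v in CARP_RE.findall(text)}

def check_cluster(nodes):
    """nodes: {node_name: ifconfig_text} -> {vhid: (vip, verdict)}; healthy = one MASTER per vhid."""
    by_vhid = defaultdict(dict)  # vhid -> {node_name: (state, vip)}
    for name, text in nodes.items():
        for vhid, entry in parse_carp(text).items():
            by_vhid[vhid][name] = entry
    report = {}
    for vhid, members in by_vhid.items():
        masters = sorted(n for n, (s, _) in members.items() if s == "MASTER")
        vip = next((v for _, v in members.values() if v), None)
        if len(masters) == 1:
            verdict = "ok, MASTER on " + masters[0]
        elif not masters:
            verdict = "no MASTER, VIP will not answer"
        else:  # both nodes claim the VIP: heartbeat lost, not a clean failover
            verdict = "split-brain, MASTER on " + " and ".join(masters)
        report[vhid] = (vip, verdict)
    return report

if __name__ == "__main__":  # heartbeat-cut scenario: both nodes up, both MASTER
    print(check_cluster({"pfsense1": PFSENSE1, "pfsense2": PFSENSE2_PROMOTED}))
```

On a real cluster, feed `check_cluster` the `ifconfig` output collected from each node over SSH and alert when any vhid is not "ok".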
Okay! That is all for this introduction. If you have any questions, please contact me.