Pfsense fisical server and pfsense backup on Proxmox

[wifi75]

hi everyone, currently I have a physical server with pfsense 5 network cards, a wan and 4 lacp cards with various Vlan.
I would like to install pfsense (for backuop only) if the physical one breaks, on my second server, it also has 5 network cards. proxmox 7.2 already configured with 4 cards in lacp.
How could I synchronize all the configurations of the physical server on the virtual one?

 

[Neobin]

With pfSense's own high availability feature:
https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

 

[wifi75]

can I use this configuration even if the hardware is different?
the first pfsense is physical while the other is virtualized ...

 

[Neobin]

Yes, as long as you properly assign your interfaces (physically, in PVE, for the VM and in pfSense itself) according to your circumstances.

 

[Dunuin]

Yes, as long as you properly assign your interfaces (physically, in PVE, for the VM and in pfSense itself) according to your circumstances.

Not sure about pfsense but OPNsense requires that the NIC IDs are identical. Lets say your WAN NIC is called eno1 on then physical host and vtnet1 on the VM, then it won't work as both WAN NICs would need to be called "eno1" or "vtnet1".

 

[Neobin]

Not sure about pfsense but OPNsense requires that the NIC IDs are identical. Lets say your WAN NIC is called eno1 on then physical host and vtnet1 on the VM, then it won't work as both WAN NICs would need to be called "eno1" or "vtnet1".

This is no longer the case on pfSense Plus software version 22.01 and later and pfSense CE software version 2.6.0 and later. On these versions, the states are no longer bound to interfaces in the way described in this section.

https://docs.netgate.com/pfsense/en...ty/pfsync.html#pfsync-and-physical-interfaces

But keep in mind:

The interfaces on both nodes must be assigned identically, for example: wan=WAN, lan=LAN, opt1=Sync, opt2=DMZ. Check the config.xml contents directly to ensure a match.

If the interfaces do not match up exactly, firewall rules and other configuration items will appear to synchronize to the wrong interface on the secondary node. Additionally, this can also lead to failures in DHCP failover.

https://docs.netgate.com/pfsense/en...guration-synchronization-settings-xmlprc-sync

 

[wifi75]

Currently the situation is as follows:
the two PCs have the interfaces with the same name, idendiche!
pfsense master has LAN ip 192.168.1.1 so all devices in the network point as gateway to 192.168.1.1 and i would not change it.
The backup pc has IP Lan 192.168.1.244.
Can I create a virtual ip 192.168.1.1 on the master pc and then add to the master pc ip LAN 192.168.1.30 and the backup pc 192.168.1.40 and then proceed with the synchronization configuration?

 

[Neobin]

If I remember correctly I personally did change the IP of my master from .1.1 to .1.2 first (of course network/internet down for all clients), then I created the CARP VIP: .1.1 and gave my slave later the .1.3.

 

[Rares]

You should consider installing a Proxmox single node cluster on the physical machine and run PFSense only virtualized. In this way you just have to replicate the VM to the other cluster or periodic restore from a share a common Proxmox Backup Server or backup location.

Instead of 5 network card I would use one card with different VLANs for wan, lan etc... In my case the provider asks to keep the same MAC address on the WAN interface, an easy thing to do in VM Config.

You will have to set in place a mechanism that would not allow to run both VMs in the same time.

If you think it is acceptable you can have all the macines in the same cluster and have HA running.

 

[wifi75]

I have a problem the acme service and haproxy does not synchronize, why?

 

[Neobin]

I have a problem the acme service and haproxy does not synchronize, why?

Because they are packages and HA-sync has to be integrated/supported/handled (by the package developer/maintainer) by those themself.

 

[wifi75]

so what should i do?