CARP and PFsync for PF Firewall

I'm seeing lots of PFsense posts here. Anyone have a redundant PF setup using anything that hosts PF? Do tell. In your oppinion, is it worth it for a home network?

PFsync looks kinda cool. Might be nice to have redundancy so you can take down a firewall for maintenance without discontinuity of service. Probably overkill (and expensive; roughly $200 USD per unit) for personal home network but great coolness factor. The PC Engines APU1D4 (with RealTek NICs) and APU2C4 (with intel NICs) both have three Gigabit Ethernet NICs. Could use the third to PFsync between two or more units.


I use 2 Pfsense firewalls that sync between eachother at work.

Both are running on some oldish HP servers with an Intel Nic added in each. 1 Line from the ISP goes into each one, then they are connected together, then 1 line from each goes into the core switch.

Very cool. Have you tested or witnessed it's failover capabilities? Will service continue without interruption if one firewall is disconnected or goes down?

Yes. But not in a "real world" test. After I set the 2 FWs up, I set up a laptop and started pinging google, then unplugged FW1 I lost 2 pings before FW2 took over.

I am honestly unsure if the swap happened during normal business hours if anyone would even notice.

Good info. Thanks for the input.


I've looked into this for home but gave up because it sounded like I would need at least 3 public IPs - one for each pfsense box external interface and one virtual. Is this true? If so are there workarounds?

I believe you can Connect the wan port of a non-managed switch, if it has one, to your cable or dsl modem, then plug one leg of each firewall into the switch. A non-managed might be simpler cause a managed switch might require filtering from the modem side. (Anyone with experience with this?) I would also connect another leg of each firewall into your home switch. Does that make sense? If not, I'll try to draw it up.

For me, my isp is expecting a device with particular MAC address to be plucgged into my modem. To make this work, I would have to either hack the Mac on the wan port on the modem facing switch or call up isp and have them change.


My words are imprecise. I found this drawing that might make things clearer.

My bad. You are correct. Three public IPs would be required.