The following recipe is the most involved recipe in this book; nonetheless, if you follow these steps painstakingly, setting up a CARP failover group should prove to be fairly easy.

The following diagram illustrates the new network topology. The fxp0 represents the WAN interface, fxp2 the LAN interface, and fxp1 the pfsync network:

As a preliminary step, the WAN interfaces of both firewalls should be connected to the router mentioned in the previous section. The upstream gateway of the new router should be your ISP:

1. We will begin by configuring the virtual IP addresses we need for a CARP group:
   
   1. Navigate to Firewall | Virtual IPs.
   2. Click on the Add button.
   3. Set Type to CARP:

1. 4. In the Interface drop-down menu, select WAN.
   5. In the Address(es) text field, enter the virtual IP for the WAN interface. Enter the subnet mask in the adjacent drop-down menu.
   6. In the Virtual ID Password edit boxes, enter the Virtual Host ID (VHID) password (in the second text field, re-enter it for confirmation).
   7. In the VHID Group drop-down menu, select the VHID Group for this interface (or just leave it set to its default value).
   8. In Advertising frequency, leave Base set to 1 and Skew set to 0. The lowest combination of Base and Skew determines who is the master, and since we are setting up the virtual IPs on the primary firewall now, we want this to be the master.
   9. Enter a brief description in the Description text field (for example, WAN virtual IP for CARP).
   10. Click on the Save button.
2. 11. Click on the Add button again.
   12. Set Type to CARP.
   13. In the Interface drop-down menu, select LAN.
   14. Enter the virtual IP and subnet mask for the LAN interface.
   15. Enter the password in the Virtual ID Password edit boxes. Since this is a different VHID group from the one for the WAN interface, it can be a different password from the one entered for the WAN VHID.
   16. Select the VHID Group, or just leave it set it its default value—pfSense should automatically increment the VHID Group number.
   17. In Advertising frequency, leave Base set to 1 and Skew set to 0.
   18. Enter a brief Description, (for example, LAN virtual IP for CARP).
   19. Click on the Save button.
   20. Repeat the process for as many interfaces you want to add virtual IP addresses.
   21. Click on the Apply Changes button:

2. In the next step, we will add a dedicated pfsync interface:
   1. Navigate to Interfaces | Assignments.
   2. In the Available network ports: drop-down box, select an unused interface.
   3. Click on the Add button.
   4. Click on the newly created interface’s name.
   5. Check the Enable interface checkbox:

6. 6. Enter a name in the Description text field.
   7. Select Static IPv4 in the IPv4 Configuration Type drop-down menu.
   8. If desired, select Static IPv6 in the IPv6 Configuration Type drop-down menu.
   9. In the IPv4 Address text field, enter an IPv4 address (and CIDR in the adjacent drop-down box).
   10. If necessary, enter an IPv6 address in the IPv6 Address text field.
   11. When you are done making changes, click on the Save button.
   12. Click on the Apply Changes button.

3. Next, we need to add a firewall rule for the pfsync interface:
   1. Navigate to Firewall | Rules.
   2. Click on the PFSYNC tab.
   3. Click on the Add button.
   4. Set the protocol in the Protocol drop-down menu to PFSYNC.
   5. In the Source drop-down menu, select PFSYNC net.
   6. Enter a brief description in the Description text field (for example, Allow PFSYNC to any rule).
   7. When you are done, click on the Save button.
   8. Click on the Apply Changes button.
4. The next step is to enable pfsync and XML-RPC:
   1. Navigate to System | High Availability Sync.
   2. Check the Synchronize States checkbox:

12. 3. In the Synchronize Interface drop-down menu, select PFSYNC.
    4. In the pfsync Synchronize Peer IP text field, enter the IP address of the pfsync interface on the secondary firewall.

12. 5. In the Synchronize Config to IP text field, enter the IP address entered into Synchronize Peer IP.
    6. In the Remote System Username text field, enter admin.
    7. In the Remote System Password text field, enter the password for admin (you must enter this twice).
    8. In the Select options to sync section, check off everything that should be synced.

9. 9. When you are done, click on the Save button.

5. Now we must perform manual outbound NAT configuration:
   1. Navigate to Firewall | NAT.
   2. Click on the Outbound tab.
   3. Select either Hybrid Outbound NAT rule generation or Manual Outbound NAT rule generation.
   4. Click on the Save button.
   5. Find the auto-created LAN to WAN rule and click on the edit icon (a pencil) for it.
   6. In the Translation section, set Address to the WAN virtual IP we created in step 1:

7. 7. Click on the Save button when done.
   8. Repeat the process for all non-WAN interfaces that will be replicated across firewalls (for example, DMZ).
   9. Click on the Apply Changes button.

6. Next, we must update the DHCP settings:
   1. Navigate to Services | DHCP Server | LAN.
   2. On the LAN tab, scroll down to Servers.
   3. In the Servers section, set the first DNS server to the LAN virtual IP created in step 1.
   4. In the Other Options section, set Gateway to the LAN virtual IP:

5. 5. Click on the Save button.
   6. Repeat the process for all interfaces on which DHCP is running, and which have virtual IPs.
   7. Click on the Save button. 

7. We have now completed CARP configuration on the primary firewall. The next step is to move to the secondary firewall and ensure that the settings are correct. Log into the secondary firewall, while keeping it offline for now:
   
   1. Make sure the virtual IPs we created in step 1 are duplicated on the secondary firewall:
      1. Navigate to Firewall | Virtual IPs.
      2. Duplicate the CARP virtual IPs we created in step 1 for the WAN and LAN interfaces, with one exception: the advertising frequency (Base + Skew) should be higher than the advertising frequency on the primary firewall.
      3. Save each virtual IP when done, and then click on the Apply Changes button.
   2. Add a firewall rule for the pfsync interface:
      1. This rule will have two purposes. First, it will allow the initial pfsync data to pass through the firewall. Second, it will (hopefully) be overwritten during the synchronization process, thus helping us to confirm that the synchronization process was a success.
      2. Add a firewall rule similar to the rule we created in step 3 on the primary firewall, but find a way to differentiate it from the primary firewall’s rule, so we will know it is overwritten (for example, change the Description to PFSYNC rule to be overwritten):

8. Now, we can activate CARP from the secondary firewall:
   1. Bring the secondary firewall online.
   2. Make sure the crossover cable provides connectivity between the pfsync interfaces of the primary and secondary firewalls.
   3. Navigate to System | High Availablity Sync on the secondary firewall.
   4. Check the Synchronize States checkbox.
   5. In the Synchronize Interface drop-down menu, select PFSYNC.
   6. In the Synchronize Peer IP text field, enter the IP address of the PFSYNC interface of the primary firewall.

7. 7. Click on the Save button.

9. Verify functionality of the failover group. Navigate to Status | CARP (failover) on both the primary and secondary firewall. If there is a button labeled Enable CARP on either side, click on it. Once you do, one side should be designated as MASTER and the other should be designated as BACKUP. To further test your failover group, disable the primary firewall and see how long it takes for the secondary firewall’s designation to change from BACKUP to MASTER: