High Availability Firewall Solutions in Linux: CARP/pfSync Alternatives for Multi-WAN Failover

When designing a redundant firewall setup with multiple WAN connections, the physical interface requirements typically include:

  • WAN Interface 1 (eth0) - Primary Internet uplink
  • WAN Interface 2 (eth1) - Secondary Internet uplink
  • LAN Interface (eth2) - Internal network connection
  • Sync Interface (eth3) - Heartbeat and state synchronization

For Linux-based solutions, we have several robust options that provide similar functionality to FreeBSD's CARP and pfSync:

1. VRRP with Keepalived

Keepalived implements the VRRP (Virtual Router Redundancy Protocol) standard and can manage IP failover:


vrrp_instance VI_1 {
    state MASTER
    # LAN side: the virtual address below is the LAN default gateway
    interface eth2
    virtual_router_id 51
    # the backup node uses a lower priority (e.g. 100) and state BACKUP
    priority 101
    advert_int 1
    # VRRP PASS authentication is cleartext and limited to 8 characters;
    # it only stops accidental peers, so keep VRRP on an isolated segment
    authentication {
        auth_type PASS
        auth_pass secret
    }
    virtual_ipaddress {
        192.168.1.254/24 dev eth2
    }
}

2. Conntrack-tools for State Synchronization

To achieve state table synchronization similar to pfSync:


CONNTRACKD_OPTIONS="-d -C /etc/conntrackd/conntrackd.conf"

Example conntrackd.conf configuration:


Sync {
    # FTFW: reliable replication with acknowledgements and resend of lost updates
    Mode FTFW {
        DisableExternalCache Off
        CommitTimeout 1800
    }
    # Unicast UDP over the dedicated sync link (eth3). conntrackd sync traffic is
    # neither authenticated nor encrypted, so this must be a back-to-back link
    # or an otherwise isolated segment, never a shared LAN.
    UDP {
        IPv4_address 192.168.100.1
        IPv4_Destination_Address 192.168.100.2
        Port 3780
        Interface eth3
    }
}

For handling multiple Internet providers, consider using policy routing:


ip rule add from 192.168.1.100 table 1
ip route add default via 203.0.113.1 dev eth0 table 1
ip rule add from 192.168.1.101 table 2
ip route add default via 198.51.100.1 dev eth1 table 2

A recommended stack would combine:

  • Keepalived for IP failover
  • Conntrackd for state synchronization
  • iptables/nftables for firewall rules
  • iproute2 for multi-WAN routing

# Check VRRP status:
journalctl -u keepalived -f

# Verify conntrack synchronization:
conntrackd -s

# Test failover manually:
systemctl stop keepalived

For those needing more advanced features, commercial solutions like OpenSVC or Linux-HA (Heartbeat) provide additional capabilities at the cost of increased complexity.


When building a redundant firewall setup with Linux, you typically need:

  • Two WAN interfaces (for multiple ISP connections)
  • One LAN interface
  • A dedicated sync/backup channel between firewalls

While CARP/pfsync are BSD solutions, Linux offers several robust alternatives:

1. VRRP with Keepalived

The most common solution is using VRRP (Virtual Router Redundancy Protocol) implemented via keepalived:


vrrp_instance VI_1 {
    state MASTER
    # the 192.168.1.254 virtual address is the LAN gateway, so it belongs on
    # the LAN interface (eth2 in the layout below), not on the WAN1 uplink
    interface eth2
    virtual_router_id 51
    priority 101
    advert_int 1
    virtual_ipaddress {
        192.168.1.254/24
    }
}

2. Conntrack Synchronization

For state synchronization (similar to pfsync), use conntrack-tools:


CONNTRACKD_OPTIONS="-d -C /etc/conntrackd/conntrackd.conf"

Here's a sample configuration for a two-node setup:

Network Interfaces


# Node 1
eth0: WAN1 (ISP1)
eth1: WAN2 (ISP2)
eth2: LAN
eth3: Sync (direct connection to Node2)

# Node 2: identical interface layout; only the keepalived priorities differ
# (lower than Node 1, so Node 2 starts as BACKUP)

Keepalived Full Configuration


global_defs {
    notification_email {
        admin@example.com
    }
    notification_email_from keepalived@example.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
}

# Fail the three virtual addresses over together: a node that loses one link
# gives up all of them, so traffic is never split across two firewalls whose
# state tables have started to diverge.
vrrp_sync_group VG1 {
    group {
        VI_WAN1
        VI_WAN2
        VI_LAN
    }
}

vrrp_instance VI_WAN1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    virtual_ipaddress {
        203.0.113.1/24
    }
}

# Every instance named in VG1 must be defined, and each virtual_router_id
# must be unique on its segment.
vrrp_instance VI_WAN2 {
    state MASTER
    interface eth1
    virtual_router_id 52
    priority 101
    advert_int 1
    virtual_ipaddress {
        # placeholder: replace with the WAN2 address assigned by ISP2
        198.51.100.2/24
    }
}

vrrp_instance VI_LAN {
    state MASTER
    interface eth2
    virtual_router_id 53
    priority 101
    advert_int 1
    virtual_ipaddress {
        192.168.1.254/24
    }
}
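What the configuration above leaves out is the hook that ties the two daemons together: when VG1 changes state, conntrackd has to be told to commit or resync its caches, otherwise the new master holds the peer's flows in its external cache but not in the kernel table, and established connections break. The notify script below is an added example, not part of the original page or of conntrack-tools; it is modelled on the primary-backup.sh script shipped with conntrack-tools, and the binary path, config path and log tag are assumptions.

```shell
#!/bin/sh
# Keepalived "notify" hook that maps VRRP transitions of the VG1 sync group
# onto conntrackd cache operations (modelled on conntrack-tools' primary-backup.sh).
# The two paths below are assumptions; override them via the environment.
CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"

log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t keepalived-conntrackd "$*"
    else
        printf '%s\n' "$*" >&2
    fi
}

# Print the conntrackd flags to run, in order, for a VRRP state:
#   MASTER: -c commit the external cache (the peer's flows) into the kernel,
#           -f flush the caches, -R resync the internal cache from the kernel,
#           -B send a bulk update so the new backup learns our flows.
#   BACKUP: -t shorten in-kernel timers so stale entries expire quickly,
#           -n request a full resync from the new master.
#   FAULT : -t only; this node has lost its link and must not commit anything.
conntrackd_actions() {
    case "$1" in
        MASTER) printf '%s\n' '-c -f -R -B' ;;
        BACKUP) printf '%s\n' '-t -n' ;;
        FAULT)  printf '%s\n' '-t' ;;
        *)      return 1 ;;
    esac
}

# Run one conntrackd invocation per flag; stop at the first failure so a
# failed commit shows up in the log instead of being silently skipped.
apply_state() {
    state="$1"
    flags=$(conntrackd_actions "$state") || { log "unknown VRRP state: $state"; return 1; }
    for f in $flags; do
        log "$state: conntrackd $f"
        "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$f" || { log "conntrackd $f failed"; return 1; }
    done
}

# keepalived invokes: notify <GROUP|INSTANCE> <name> <MASTER|BACKUP|FAULT> <priority>
# Act only on the sync group so the three instances trigger one resync, not three.
if [ "$#" -ge 3 ] && [ "$1" = "GROUP" ]; then
    apply_state "$3"
fi
```

Reference it with `notify /usr/local/sbin/keepalived-conntrackd.sh` (an assumed path) inside `vrrp_sync_group VG1`, and watch the keepalived log for script-security warnings: the file should be owned by root and not writable by anyone else.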

For true carrier-grade redundancy:

  • Use bonding for sync interfaces
  • Implement BGP for multi-homing
  • Consider using nftables instead of legacy iptables

Checks for the most common issues (the virtual address is missing from the active node, or the state table is not being synchronized):


# Check VRRP status
ip addr show
journalctl -u keepalived -f

# Verify conntrack sync
conntrackd -s