So I have a video that guides you through all the settings for setting up pfSense in HA mode, which is actually what we have here. I wanted to do it this time because I did it with some virtual lab ones I had set up; this time I want to do it with some physical ones and point out that even the SG-3100 or the SG-1100 can do full HA now. I was going to originally do it with this one; I just didn't happen to have two of them. As soon as we get them in stock, they seem to sell. We put a lot of these in; you know, people want us to configure them, things like that. But I did have a pair of 3100s, so I wanted to talk about the physical layer of how to set this up. Like I said, this is supported on all the Netgate switches. It doesn't matter which ones you buy.

Frequently when you're doing HA outside of the lab, it's going to be on their higher-end models, and they sell a kit. We actually just installed a kit in a data center for a client. They wanted pfSense HA. Seen the video, followed the video, and we then finished up the details to get a whole lot of VLANs and everything set up so it can work inside of the data center in the rack, and it's a great system.

How this works: well, let's talk a little bit about the physical setup that we have here. So we have my laptop that's going to be plugged in behind the firewall. We have the UniFi, sorry, Ubiquiti EdgeSwitch 10X right here. It's not configured as anything more than just default. It doesn't need special configuration to make HA work.
It's just that you do need this set up over here. We have port one going to port one on the UniFi EdgeSwitch 10X, port one going to port two on the UniFi 10X. They have to go to a common switch. Now, this is my laptop here with this thin black cable. I plugged it into the EdgeSwitch because that would be proper failover. I could use the switch on these; the problem is, if I use the bottom switch and the bottom switch were to fail, I would then lose access. If you're using the bottom one, then the top switch fails, I would still have access. So ideally you want both of these over here. They also need to communicate with each other because they have to know if the other one still exists, so that's an important aspect.

This is all the LAN side right here. So this is using the four-port switch on these Netgate SG-3100s for the LAN side. We reuse the OPT port, so the OPT port, which normally may be used for like a WAN 2 or whatever you want to use it for, we have this set up as sync. And then here are the two WAN ports, and the two WAN ports are set up so that they feed right from this completely basic, just open it, grabbed one out of the box, Netgear dumb switch. This black cable feeds them. Now, they also need to be in a switch for this configuration, either at the back end or, we're pretending our service provider only gives us one cable, so we have to put a switch in, because this one cable feeds me the IP addresses that we need for this. So it's multiple IPs coming across one cable. You don't need anything special. Like I said, I want to point out that you don't need a managed switch for actually any of this; I just put one on the LAN side because it made more sense.

Now, I do have a map I'm going to show you here right now, so that way I can show you the physical layout here, the layout and how it's set up inside of, like, you know, mapped out here.
This is another way to look at it. This is actually from that same video I did before, where we talked about having the sync port being a dedicated port between them, or, you know, whatever interface you want to dedicate to it, and that keeps the firewalls in sync with each other. That's a very important aspect. Refer back to the video; to keep this video shorter I'm not going to go in depth on each one. Watch the other video if you want more depth on how the sync works. But these are all the settings. We have the master at 69.94 on the WAN; on the LAN side, 192.168.1.2. LAN side here, .3; 69.81. But the VIP, the shared IP address, 192, I'm sorry, 172.16.69.20, and inside on the LAN side, 192.168.1.1. So a pretty basic setup that we have here, and what I wanted to do is show the failover in action, show it actually working, and show what IP address my computer has and how I can still ping both those switches. So we're going to set up a series of pings to make this work. So let me close all the windows that I have open and we'll jump into looking at the config a little bit more in depth.

All right, we'll start here at the EdgeSwitch so you can kind of see what's going on. So ports one, two and three are occupied, but when we go over here, like I'm saying, just, you know, it's all default; everything's just kind of the out-of-the-box configuration. I just happen to have the EdgeSwitch; that's what I'm using. It is better, though, to have a managed switch on the LAN side if you're ever going to create VLANs, because you need a managed switch to properly handle the VLANs. Different video for that.

So here is the secondary one, the secondary pfSense. We can see all the IP address assignments, and this one is at .3, and if we look at its CARP failover status, it's in backup mode. So as long as it can see both of these, it's going to be in backup mode. And then we'll look at this one here. We just set the theme to dark on this to kind of distinguish between them.
So one seven two sixteen ninety four, 192.168.1.2, the sync port here. And if we go over here to Status and we look at CARP failover, this one's in master mode.

So let's talk about the physical layer a little bit by looking at the pings. At the top you see me pinging 1.1, so I'm banging away at that one. Then we have the master at 1.2, and then we have 192.168.1.3 as the secondary one. And now we're going to unplug one of these and show what happens. Because these share that VIP address of 192.168.1.1, that's what I'm pinging right now. So when I reach over and unplug, I'm going to get rid of, so the main one is the top one. So we're going to take out the main, which will force the system into failover mode. So we'll take this and just unplug the port now, and we'll switch real quick over to here, and we can see it stopped pinging on the .2, but .3 can keep pinging, and, by the way, that quick, without missing a beat, you know. I'll even plug it back in to show you here.

The failover was instantaneous. This is why the sync port was so important, because it's constantly syncing all the connections, and it says, all right, and as soon as it realizes that the other one is gone, the master is not in control of the network anymore, it immediately takes that shared IP and drops it. So you've watched it in real time, and I know it's going to be small, but you can watch me plug it back in and watch things come back up.

So actually we'll do this too. This one's going to fail because it's not there; this one, we'll refresh the page, because it's master. But by the way, please note it's only doing master on the 192.168.1.1, because I didn't unplug the master from the other switch right here. So if you look at the other switch, this is the WAN feed. So actually we'll go ahead, and this goes into master too when I unplug that one too.
So I'll hold it here. I'll pull this real quick and we'll just refresh the page. Right, refresh, and you can see it's instantly master, and we'll hopefully hear that click. It's back in. Refresh the page. It does take a second to go back, but the failover is immediate; it says, okay, hurry up and do this. It waits a few seconds further for it to establish it back. And the same thing over here: we're not pinging still. You can see destination unreachable; the pings are still going, and you should hear the click. It'll take a second because it's got to get a link established, and get the same thing again. So it's going to be a second before that works, but please note, we're not missing a beat on the main feed, just like we want. So, you know, as far as the users go, there's nothing going on. I'll take a second. I'll refresh the page here. It's probably just the EdgeSwitch waiting, so actually refresh the page in the EdgeSwitch. Okay, it sees everything. I start to see some data go across. Refresh this page again. It's now in backup mode. It just took a second for the port to sync.

But back to our console over here. Here we are at the top: .1 never misses a beat, and this is the important part. Now, these don't work as a load balancer. These are working completely independent of each other, in terms of the secondary is doing nothing right now. So it's basically like a hot spare, warm backup, however you want to phrase that, but the main is doing everything. That's why I took it out of the main. You'll notice nothing if you go and switch it away from the backup one, because the backup one, if it fails, it doesn't do anything. It's not handling; it only is ready to handle, keeping everything aligned, keeping all the states working, keeping everything ready in case the master one fails. So it stays in backup mode. This is different. It's not like trying to share the bandwidth between them or anything like that. It's just in a backup mode. But that's it.
That's how the physical layer works for this. It's really quick; you know, quick click, done. You have now watched it fail over, watched it go right back in place, and it's that fast for the failover. Covering the physical layer, I think, is a little bit more interesting; that's why I did this. But if you want to know how all this gets configured: as a matter of fact, one of my staff members who had not done an HA config, I had him watch my video, and he built this off the video and I had to change nothing. So I was really happy he got it working right out of the box. I like when my videos get validated. I try my best to make sure they're completely accurate, but then my staff sometimes will go through them, and they verified absolutely every step was followed and everything worked exactly as it did in the video. And once again, you can do this with some 3100s; if you buy a pair of these Netgate 1100s, you can do it. My original video was done in my lab with a series of virtual pfSenses. It's supported in all the different pfSense ones, and my guide, like I said, go ahead and watch that video. I've got everything detailed out on exactly how to set this up. And thank you.

Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks again for watching this video, and see you next time.