This guide is brief and omits important considerations. You should read the hardware redundancy chapter in the pfSense book before configuring CARP.
From the Tutorials page:
This next part is a work-in-progress editing of the old tutorial. It may be right, it may take some work.
You need one real IP address for every CARP cluster host. So, with 2 cluster members you need 2 IP addresses for the real interfaces, plus one IP address for each shared virtual IP address; with a single virtual IP that makes 3 in total. In the example shown to the right, the primary CARP cluster member's WAN IP address is 127.29.29.1 and the backup firewall's WAN IP address is 127.29.29.2. The primary member's LAN IP address is 192.168.1.2 and the backup firewall's LAN IP address is 192.168.1.3.
We strongly advise using a dedicated interface for pfsync.
Set up the sync interface on each cluster member and give it an IP address in a shared subnet. Example: on the master cluster member enter 192.168.4.1 and on the backup cluster member enter 192.168.4.2 for the IP address. Use a /24 subnet.
Enable pfsync in Firewall -> Virtual IPs -> CARP settings on all cluster members:
-> Synchronize Enabled [ X ]
-> Synchronize Virtual IPs [ X ]
-> Synchronize to IP [ insert the Slave IP ONLY on the Master! ]
-> Remote System Password [ do not forget it! ]
Select the dedicated Sync interface with the Synchronize Interface dropdown on all cluster members.
Afterward, visit Firewall -> Rules and add an allow-all rule (any to any) on each cluster member for the newly created pfsync interface.
Now, on the master cluster member, add virtual IP addresses of the CARP type in Firewall -> Virtual IPs. Make sure that each virtual IP address falls within the same subnet as an IP address defined on a real interface (WAN, LAN, OPT1, etc.). You need to dedicate a unique VHID to each shared virtual IP address. The host with the lowest skew is the one that should be master. The XMLRPC sync process automatically adds +100 to the skew on each host it syncs to, so we recommend setting the skew to 0 on the master host's CARP virtual IPs. pfSense will handle the rest.
Now set the same admin password and the same webConfigurator protocol (HTTP/HTTPS) on each cluster member.
On the master cluster member, visit Firewall -> Virtual IPs -> CARP Settings and enter the second cluster member's sync IP address (192.168.4.2 in the earlier example). Afterwards, enable all sections you want to sync (Synchronize rules, Synchronize aliases, Synchronize NAT, ...). This will automatically push configuration from the master cluster member to the backups. Click Save. You should see the virtual IP addresses automatically synchronized to the backup hosts.
Enable advanced outbound NAT in Firewall -> NAT -> Outbound -> Enable advanced outbound NAT. Click save.
Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address. Give the item a description and click Save.
On both firewalls, visit Services -> DHCP Server. Click on the LAN tab. Set the default gateway to 192.168.1.3. Click save.
It may also be a good idea to enable failover DHCP. Enter 192.168.1.2 in the failover peer box on the primary and 192.168.1.1 on the backup server. Click Save.
Visit the backup cluster member and verify that NAT, virtual IPs and rules have been synchronized correctly.
Finally, on the backup host, visit Firewall -> Virtual IPs -> CARP settings, enable "Synchronize Enabled" and make sure that your pfsync interface is correct. Click Save.
That's it! Enjoy your failover firewall solution.
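The VHID, subnet and skew rules from the steps above, checked in code. This is an added example, not part of the original tutorial or of pfSense itself; the interface addresses and VIP entries are constructed sample data (the WAN address uses a documentation range), and the dictionary layout is an assumption, not pfSense's config format.

```python
import ipaddress

# Constructed sample data (not from a real pfSense config): the master's real
# interface addresses, using the guide's LAN/sync values and a documentation
# range for WAN.
REAL_INTERFACES = {
    "wan": "203.0.113.2/24",
    "lan": "192.168.1.2/24",
    "sync": "192.168.4.1/24",
}

# CARP virtual IPs as entered on the master: skew 0, one unique VHID each.
MASTER_VIPS = [
    {"interface": "wan", "subnet": "203.0.113.1/24", "vhid": 1, "advskew": 0},
    {"interface": "lan", "subnet": "192.168.1.1/24", "vhid": 2, "advskew": 0},
]


def check_vips(vips, real_interfaces):
    """Return a list of problems with the CARP VIP layout (empty means OK).

    Applies the guide's rules: a VIP must lie inside the subnet of a real
    address on the same interface, every VIP needs its own VHID, and the
    master's VIPs should carry skew 0.
    """
    problems = []
    seen_vhids = {}  # vhid -> first VIP that claimed it
    for vip in vips:
        iface, vhid = vip["interface"], vip["vhid"]
        if iface not in real_interfaces:
            problems.append(f"vhid {vhid}: no real address on interface {iface}")
            continue
        addr = ipaddress.ip_interface(vip["subnet"])
        real = ipaddress.ip_interface(real_interfaces[iface])
        if addr.ip not in real.network:
            problems.append(f"vhid {vhid}: {addr.ip} is not in {iface} subnet {real.network}")
        if vhid in seen_vhids:
            problems.append(f"vhid {vhid}: duplicate, already used by {seen_vhids[vhid]}")
        seen_vhids.setdefault(vhid, str(addr.ip))
        if vip["advskew"] != 0:
            problems.append(f"vhid {vhid}: master skew is {vip['advskew']}, expected 0")
    return problems


def synced_vips(master_vips, hop=100):
    """Model what the XMLRPC sync does on a backup: same VIPs, skew + 100."""
    return [dict(v, advskew=v["advskew"] + hop) for v in master_vips]


def elect_master(skews):
    """Lowest advskew wins: return the host expected to hold MASTER state."""
    return min(skews, key=skews.get)
```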
If you have a Virtual Distributed Switch, you can make a port group for the firewall interfaces with promiscuous mode enabled, and a separate non-promiscuous port group for your hosts. Users on the forum have reported that this works as a way to strike a balance between the requirements for letting CARP function and for securing client ports.
Be sure to use e1000 NICs (em(4)), not the ed(4) NICs or your CARP VIPs will never leave init state.