OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: BambosD on February 21, 2020, 06:56:05 pm

Title: High Availability Setup with Single WAN IP
Post by: BambosD on February 21, 2020, 06:56:05 pm
Hello to everyone,

I have managed to set up CARP on the Sync interface and also on 2 LAN networks with Virtual IPs and DHCP service etc. (Including WAN, I'm using 4 Ethernet interfaces: 1 onboard, 2 on PCIe, 1 on PCI.)

My issue is on the WAN side: I have an FTP server on a single public IP, port forwarded to one of my LANs, keeping the 2nd LAN isolated and safe from outside (not VLAN, 2 different physical interfaces going to 2 different switches), and all FTP clients know this single public IP.

Is it possible to make a High Availability setup using 2 OPNsense hardware units on a single WAN IP? I have a /29 from my ISP, but this does not seem to help. A test I already made is setting the WAN IP on both systems, but there is a conflict between them because both systems try to get the same public IP, causing the gateway to stop responding on the master, even when the backup machine is in backup mode. I can't set the second public IP available from my ISP on the WAN, because of the FTP server already running with several clients sending to the known public IP as of today.

If there is no high availability solution for a single WAN IP, then there is no need for me to set up high availability, and the best thing to do is to have second hardware available with imported settings from the main unit. If something happens I will do the changeover manually.

What are your recommendations? Is there anything else I can do? Is there any way to have high availability with a single WAN IP?

Thank you.

Title: Re: High Availability Setup with Single WAN IP
Post by: katamadone [CH] on March 26, 2020, 02:27:55 pm
I'm not sure if it's possible.
Maybe you can try to set up each box with "invalid" IPs and only the CARP is your public "valid" IP. But I didn't try that.

Title: Re: High Availability Setup with Single WAN IP
Post by: mfedv on March 26, 2020, 04:29:12 pm
It is possible to configure a CARP address that does not fall in the network range(s) of the interfaces used, but it has downsides, especially on a WAN interface.

If your only usable public address is the CARP address, only the master fw will have outside connectivity out of the box.

While you could use some trickery, using gateway monitoring with a (directly connected!) upstream WAN address and a LAN CARP address with lower priority, such that outbound traffic from the slave would use the LAN address of the master as its upstream gateway, you simply should not. Such a setup is hardly maintainable. You will get far more admin-caused malfunctions than you could ever expect to have hardware failures, and debugging will become almost impossible. Just don't.

But you say you have a /29 from your ISP. Standard setup would be to assign a different address from that range to each WAN interface, and use a third address from that range as the CARP address. Is this not possible in your case?

If your FTP server IP is not from that /29, then do the standard setup from above and add the FTP server IP as an additional CARP address.
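The standard layout from this reply, worked through as an added example that is not part of the thread: it lays out a /29 as one distinct WAN address per node plus a third address as the shared CARP VIP, treats an FTP address outside the block as an additional CARP VIP, and flags the mistake from the original post (the same static WAN address on both nodes). The block, gateway and FTP address are constructed RFC 5737 documentation values, not the poster's real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (RFC 5737 documentation ranges), standing in for
# the poster's real ISP /29, ISP gateway and FTP public address.
ISP_BLOCK = "203.0.113.8/29"
ISP_GATEWAY = "203.0.113.9"
FTP_PUBLIC_IP = "198.51.100.20"   # the reply's second case: FTP IP not inside the /29


def plan_wan_ha(block, gateway, extra_vips=()):
    """Lay out the /29 as the reply describes: one distinct WAN address per node
    and a third address as the shared CARP VIP. Addresses in extra_vips (e.g. an
    FTP address outside the block) become additional CARP VIPs, never node addresses."""
    net = ip_network(block, strict=True)
    gw = ip_address(gateway)
    if gw not in net:
        raise ValueError("ISP gateway must sit inside the assigned block")
    free = [h for h in net.hosts() if h != gw]      # usable hosts minus the ISP gateway
    if len(free) < 3:
        raise ValueError("need two node addresses plus one CARP VIP")
    master, backup, vip = free[:3]
    vips = [vip] + [ip_address(v) for v in extra_vips]
    return {"master_wan": master, "backup_wan": backup,
            "carp_vips": vips, "spare": free[3:]}


def check_plan(plan, gateway):
    """Report the mistakes the thread warns about: the same static WAN address on
    both nodes (the poster's failed test), a node address that is also a CARP VIP,
    or a node address that collides with the ISP gateway."""
    gw = ip_address(gateway)
    problems = []
    if plan["master_wan"] == plan["backup_wan"]:
        problems.append("both nodes claim the same WAN address; they will fight over it")
    for name in ("master_wan", "backup_wan"):
        if plan[name] == gw:
            problems.append(f"{name} collides with the ISP gateway")
        if plan[name] in plan["carp_vips"]:
            problems.append(f"{name} is also configured as a CARP VIP")
    return problems


if __name__ == "__main__":
    plan = plan_wan_ha(ISP_BLOCK, ISP_GATEWAY, extra_vips=[FTP_PUBLIC_IP])
    for key, val in plan.items():
        print(f"{key}: {val}")
    broken = dict(plan, backup_wan=plan["master_wan"])   # what the original post tried
    print("ok plan:", check_plan(plan, ISP_GATEWAY))
    print("broken plan:", check_plan(broken, ISP_GATEWAY))
```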