Messages - Shihatsu

#16
Quote from: Skaamy on December 09, 2021, 10:43:15 AM
Hello,

I have a similar config, no issue with VLANs but with CARP/HA. Can you tell me if it behaves the same for you?

Config is :
- 2 WAN with a gateway group
- CARP configured for WAN/LAN

When my first WAN goes down, it does not use the second one; instead CARP takes over and all my traffic is handled by the second OPNsense.

Thanks in advance if you can tell me how it works for you...
Heya, a fellow painstaker... Yeah, it behaves the same, and I think it is the "correct" behaviour. I will tinker a bit with it later on and will share my findings; my idea is the following: CARP1 has WAN1 as T1 and WAN2 as T2, and CARP2 has WAN2 as T1 and WAN1 as T2.
I guess the MultiWAN and CARP documentation needs to be updated, because this scenario is highly undocumented.
#17
For anybody who may run into the same problem: the firewall rules (the "access to all" rule) need to be changed to the gateway group, but a rule has to be added as well, and this one does not use the gateway group as gateway but the standard asterisk, and it must be towards all VLANs. Me is dumb, thank you.
#18
So my setup was basically this:
Fritzbox with DSL.
Two OPNsense connected to the Fritzbox, both in a CARP HA setup, working fine:
https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration
A Mikrotik switch connected to the OPNsenses and everything else, including the WiFi AP.
The OPNsense had 12 networks with the respective interfaces: LAN, WAN, CARP, VLAN10, 20, ... 90.
I have Unbound DNS running as my naming solution.
Up to here everything is working fine.

Now I added a second WAN port on OPNsense 1, which stands for a second gateway, a MultiWAN setup to get additional redundancy (I had a major incident with my DSL provider). I mostly used the following guide:
https://docs.opnsense.org/manual/how-tos/multiwan.html
It is working fine for my LAN, but all my VLANs are not working. I have done the following:

  • Add the second gateway and make it work. When I did this I did not check the VLAN functionality; I assume it was not working. But LAN is working fine, so the gateway is doing its job (it is a Fritzbox 6820 LTE, but will be replaced soon). In the same step I added monitoring IPs (Quad9 DNS) and unchecked "Disable Gateway Monitoring" and "Mark Gateway as Down".
  • Creating a gateway group, adding trigger, priority and tiers
  • Changing the "Default Access to all" rule of LAN and of a first VLAN from * to the gateway group
  • I did not change DNS under System ‣ Settings ‣ General because I use Unbound (tried this of course, it does not fix my error)
  • I already had a DNS allow rule, because I also have a "disallow external DNS" rule (to prevent devices from bypassing Unbound)
So, after I have done all of this I can access the Internet and everything in LAN, but nothing in the VLANs. What am I missing, where should I look? I can ping the VLANs from the respective OPNsense (Interface Diagnostics). I cannot access the respective "other" Fritzbox, only the active one which is connected to my current gateway.
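The fix in post #17 and the symptom in post #18 come down to how policy routing interacts with first-match rule evaluation. The following is an added example written for this page, not code from the thread or from OPNsense: it models pf-style "quick" rule evaluation with a `gateway` field on each rule, using constructed addressing (10.10.0.0/24 for LAN, 10.2.0.0/24 and 10.3.0.0/24 for two VLANs, a gateway group named `WAN_GROUP`), and shows that a single allow-all rule pointed at the gateway group ships VLAN-to-VLAN traffic out the WAN, while a preceding rule for the local networks with the default gateway (`*`) keeps that traffic on the routing table.

```python
"""Added example: first-match ("quick") rule evaluation with policy routing.

Models why an OPNsense pass rule that carries a gateway group forces ALL matching
traffic (including traffic for other VLANs) to that group, and why a rule for
the local networks with the default gateway ("*") must sit above it.
Addresses, names and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")
# Constructed addressing (assumption, not taken from the thread).
LAN = ip_network("10.10.0.0/24")
VLAN10 = ip_network("10.2.0.0/24")
VLAN20 = ip_network("10.3.0.0/24")
LOCAL_NETS = (LAN, VLAN10, VLAN20)


@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple      # source networks
    dst: Tuple      # destination networks
    gateway: Optional[str]  # None means "*" (default gateway / system routing table)


def first_match(rules, src: str, dst: str) -> Optional[Rule]:
    """pf 'quick' semantics: the first rule matching src and dst wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            return rule
    return None


def egress(rules, src: str, dst: str) -> str:
    """Where a packet goes: a gateway (group) name, 'routing-table', or 'blocked'."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"          # implicit default deny
    if rule.gateway is None:
        return "routing-table"    # gateway '*': normal lookup, local nets stay local
    return rule.gateway           # route-to: sent to that gateway regardless of dst


# Only the allow-all rule switched to the gateway group (the post #18 state).
BROKEN = [
    Rule("VLAN10 allow all", (VLAN10,), (ANY,), "WAN_GROUP"),
]
# Extra rule from post #17 above it: local destinations, default gateway.
FIXED = [
    Rule("VLAN10 to local nets", (VLAN10,), LOCAL_NETS, None),
    Rule("VLAN10 allow all", (VLAN10,), (ANY,), "WAN_GROUP"),
]

# Constructed sample flows from a VLAN10 host.
FLOWS = {
    "vlan10->vlan20": ("10.2.0.50", "10.3.0.10"),
    "vlan10->lan": ("10.2.0.50", "10.10.0.5"),
    "vlan10->internet": ("10.2.0.50", "9.9.9.9"),
}


def report(rules) -> dict:
    """Evaluate every sample flow against a ruleset."""
    return {name: egress(rules, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, report(ruleset))
```

Order matters: if the local-nets rule is placed below the gateway-group rule it never matches, because the allow-all rule is quick and wins first. The same applies per VLAN, so every VLAN whose allow rule is switched to the group needs its own local-nets rule above it.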
#19
Uhm, thank you, but what should I look for here? The WiFi is, as I said, an Omada-controller-managed EAP 660 HD, which fully supports VLANs and is fully working for everything else (like sharing filesystems across VLANs/LAN, and getting access to the Internet or not according to the rules of the respective VLAN in the OPNsense firewall). WiFi is working quite okay; I don't know what to check, and I can access the printer's web UI, as mentioned before.
Any suggestion where to check log files?
#20
Heya!
I have some issues with my VLAN setup.
My setup is the following:
2 Dell PowerEdge R210 with OPNsense 21.7.5-amd64 behind a Fritzbox, failover with CARP, LAN, WAN, CARP, several VLANs
A Mikrotik CRS328 is used as the switch, plus a TP-Link EAP 660 HD WiFi access point
A Canon printer handles the paperwork and is attached to the network via WiFi.
I have several VLANs in which I segment groups of devices, for example mobile devices, the kids' devices and so on. Some of these VLANs are also available as different WLANs via the AP.
Until recently I had not yet moved my printer into one of the VLANs; it was still in my LAN, and it was accessible from every VLAN that had access to LAN via firewall rules. Now I have moved my printer to a VLAN which has access to the internal VLANs and LAN, but not to the Internet. I cannot access the printer anymore in terms of "printing services", but I can access the web UI of the printer.
I googled a bit and found the mDNS repeater plugin, installed and configured it on both OPNsense instances for all respective networks (LAN and two VLANs, one with the printer in it, the other for mobile devices), and added the needed firewall rules in the two VLANs (LAN has the "access all" default rule):
Pass    IPv4 TCP/UDP    VLANx    5353    224.0.0.251/24
Pass    IPv6 TCP/UDP    VLANx    5353    ff02::fb/64
But I cannot find the printer in any printer dialog from any other network. What should I do for troubleshooting?
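What the printer dialogs actually send is an mDNS PTR query for the printing service instance (for an IPP-capable printer, the `_ipp._tcp.local` service; an assumption about the Canon model, since the thread does not name the protocol). The following is an added example for this page, not code from the thread or from the mDNS repeater plugin: it builds that query byte-for-byte, parses it back, and checks whether a firewall rule's destination spec pins exactly the mDNS multicast group (224.0.0.251 / ff02::fb, UDP port 5353) or a wider prefix, which is the check to run against the pass rules shown above.

```python
"""Added example: build/parse the mDNS service query that printer discovery sends,
and audit a firewall rule's destination spec against the mDNS group address.
The service name and rule specs below are constructed for illustration."""
import struct
from ipaddress import ip_address, ip_network

MDNS_V4 = ip_address("224.0.0.251")
MDNS_V6 = ip_address("ff02::fb")
MDNS_PORT = 5353
QTYPE_PTR = 12
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_query(service: str = "_ipp._tcp.local", want_unicast: bool = False) -> bytes:
    """One-question mDNS query; mDNS uses transaction id 0 and may set the QU bit."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qclass = QCLASS_IN | (0x8000 if want_unicast else 0)  # top bit = unicast-response
    return header + encode_name(service) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(buf: bytes, off: int):
    """Decode a name at offset, following a compression pointer if present."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035)
            ptr = ((length & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_query(buf: bytes) -> dict:
    """Return the first question of an mDNS query as a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    name, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {
        "id": txid, "flags": flags, "qdcount": qd, "name": name,
        "qtype": qtype, "qclass": qclass & 0x7FFF,
        "unicast_response": bool(qclass & 0x8000),
    }


def rule_scope(dst_spec: str) -> dict:
    """Audit a pass rule destination: does it cover the mDNS group, and how tightly?"""
    net = ip_network(dst_spec, strict=False)   # accept host/prefix forms as typed
    target = MDNS_V4 if net.version == 4 else MDNS_V6
    return {
        "network": str(net),
        "covers_mdns": target in net,
        "exact": net.num_addresses == 1,       # /32 or /128: only the mDNS group
        "addresses": net.num_addresses,
    }


if __name__ == "__main__":
    q = build_ptr_query()
    print(q.hex())
    print(parse_query(q))
    for spec in ("224.0.0.251/24", "224.0.0.251/32", "ff02::fb/64", "ff02::fb/128"):
        print(spec, rule_scope(spec))
```

mDNS is link-local by design (IPv4 TTL 255 to 224.0.0.251, IPv6 scope ff02::), so nothing is routed between VLANs without a reflector; the repeater re-emits each query and answer on the other configured interfaces, and the pass rules only have to admit UDP 5353 to the group address on each VLAN. `rule_scope` reports whether a destination spec matches only the group or a whole prefix; a wider prefix still admits the mDNS packets but passes more than intended, so /32 and /128 are the tight choice. One caveat for an HA pair: two reflectors attached to the same VLAN segments each see and re-emit the same multicast packet, so the reflected traffic is duplicated; a single active reflector avoids that.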
#21
Hi, how do you mark a topic as solved here?
The solution is quite simple. You have to configure and enable DHCP on both devices and then sync, not configure it on the master and then sync to the backup. Good to know. Oh well. Thanks!
#22
Sure, gladly, anything that helps!
This is from the master; apart from the different failover IP it is identical. Is anything missing, or what else should I provide?
#23
Hi, I have to bring this up again. How do I get DHCP cleanly enabled on the VLANs?
I set up the VLANs with CARP as follows:


  • Add VLAN (×2)
  • Assign interface (×2)
  • Enable interface (×2)
  • Enable VIP (×1, only on the master)

Then come the firewall rules:
A copy of the default access rule from LAN for the VLANs, plus outbound NAT.
Then I sync the master to the backup.
If I now plug a machine in there, it can cleanly ping both of its OPNsenses and has DNS and a route to the Internet. But if I enable DHCP4 on the master, sync, and then plug in a machine, it gets no IP and cannot reach the Internet (obviously).
The DHCP status then looks like this:

dhcp_lan (LAN) normal 2021/07/09 16:54:30 UTC normal 2021/07/09 17:03:11 UTC
dhcp_opt2 (VLAN_10) recover 2021/07/09 17:03:11 UTC unknown-state 2021/07/09 17:03:11 UTC

That also matches the log:

2021-07-09T19:06:58 dhcpd[48361] DHCPDISCOVER from 00:15:58:80:31:82 via bce1_vlan10: not responding (recovering)

What is misconfigured here? I'm sure it's down to my own stupidity...
#24
CARP works, yes. I get clean IPs via DHCP, can sit on the network with static IPs, failover works and upgrades work.
I have also enabled CARP on the WAN interface, including manual outbound NAT rule generation LAN net -> WAN. Do I need such a rule for the VLAN as well?
By CARP IP do you mean the VIP of type CARP that "joins" the two VLAN IPs? If so, then yes. My VLAN_10 looks exactly like LAN, except for the NAT rule. I really double-checked every setting. I'll try the NAT rule.

Edit: Thanks! That was exactly it. I should remember that EXACTLY THE SAME really means exactly the same and not the same except for one difference. Dum dum dum. Thanks!
#25
I've now implemented this (before I looked in here again).
I "believe" both were called OPT3 before I assigned the proper name; otherwise I proceeded in basically the same way. I also get an IP via DHCP when I plug into an appropriately tagged port on the switch (I haven't changed anything in the switch configuration). However, KDE claims "You seem to be connected to a network but not to the internet"; a ping heise.de also runs into a timeout, although it can obviously resolve the IP:
ping heise.de
PING heise.de (193.99.144.80) 56(84) bytes of data.
Then nothing more comes back. Firewall rules are set up analogously to LAN, DHCP looks like LAN (different networks, but in principle the same) and VLAN_10 basically looks like LAN. How do I approach the problem?
#26
And I create the VIP of type CARP, for the VHID I take something free (sensibly the VLAN ID?), and I enable DHCP as normal, only as gateway I use the VIP instead of "empty"?
I'd rather ask before I do something "stupid"; thanks in advance!
#27
Heya, I run 2 OPNsense installations and have joined them via CARP into an HA failover cluster, following these guides:
https://www.thomas-krenn.com/de/wiki/OPNsense_HA_Cluster_einrichten
https://docs.opnsense.org/manual/how-tos/carp.html
Before I implemented HA, I already had a single OPNsense installation including VLANs; I would like to integrate the VLANs into my HA cluster. Unfortunately I can't find a decent guide or examples for this. Can anyone help here?
#28
Sorry for my late reply, I just dumped the goram switch and jumped ship to a decent one (a Mikrotik CRS 328, which suits my needs far better and is easier to handle). Thank you nevertheless for your help!
In the meantime I have killed my OPNsense and replaced it with... well, two OPNsenses in HA mode; I just love this capability of OPNsense. But with new possibilities there are new questions: how do I do VLANs in an HA scenario? The documentation about this is sparse, to say the least. Sparse as in non-existent or nearly impossible to find. From what I have found I learned two basic things:
VLANs aren't synchronized from the master to the backup, and I need some kind of VIPs. Is there any documentation or how-to about it? I'd rather avoid "trial and error"...
#29
Here are my rules:
(I have two rules; this is just the IPv4 rule, the v6 one is the same but for the other IP version, of course.)
#30
Well, I tagged every port (that is currently in use) for the respective VLAN ID to make it easier at the moment, so yes, it is tagged. I also believe that this tagging is working, because I can ping the respective 10.2.0.1 "gateway" IP of the VLAN from my default VLAN (1), which is 10.10.0.x. The diagnosis part is what's difficult here: how to know what is wrong and what's not. Any help much appreciated.