I have a Multi-WAN with two internet connections. The first one is fibre, connected to the first switch. The second one is VDSL. The fibre line has some virtual (public) IP addresses. The OPNsense is working in a cluster of 2 nodes. The cluster is connected to our DMZ network and has 1 virtual IP.
We provide a second cluster for the internal traffic of our environment. Every network gets a smaller subnet of the 10.0.0.0/8 network in one VLAN (e.g. 10.1.1.0/24).
I have routing problems connecting the second cluster with the virtual IP 192.168.0.160 to the first cluster 192.168.0.150. I checked the first cluster with a PC in the DMZ, and I have a good connection with one or two failed pings.
When I check the second cluster with the same PC in another subnet (no blocking of anything), I get only one or two pings back from 1.1.1.1 or 8.8.8.8.
OPNsense version: 19.7.6
If I create a gateway group in the second cluster with the real IPs of the OPNsense nodes in the first cluster, I get every response. If I use the virtual IP of the first cluster, I get one or two responses (10 ICMP requests). What is the problem?
Greetings
Lars
       WAN                   WAN
        :                     :
        : Ethernet            : VDSL
        :                     :
        :                -----------
        :                |  Router |
        :                -----------
        :                     |
    -----------------------------
    |     Switch (redundant)    |
    -----------------------------
        |                     |
        |                     |
        |                     |   Multi-WAN with Backup
    -----------           -----------
    | OPNsense |---------| OPNsense |
    -----------   HA-1    -----------
        |        CARP          |
   x.x.x.151 | VIP x.x.x.150 | 192.168.0.152/24
    -----------------------------
    |            DMZ            |
    -----------------------------
        |        CARP          |
   x.x.x.161 | VIP x.x.x.160 | 192.168.0.162
    -----------           -----------
    | OPNsense |---------| OPNsense |
    -----------   HA-2    -----------
        |                     |
        |                     |
    -----------------------------
    |     Internal Net VIP      |
    -----------------------------
The problem is the VHID of the virtual IP.
Every firewall cluster has the same VHID in our DMZ VLAN. I changed the VHID of one firewall cluster and it works.
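The resolution above (two CARP clusters on one VLAN using the same VHID) is the kind of thing that is easy to catch before it costs a day of debugging. The following is an added example, not code from the thread or from the OPNsense project: a small audit that pulls the CARP virtual IPs out of config fragments shaped like OPNsense's `<virtualip>`/`<vip>` entries (field names assumed from exported config.xml files; verify them against your own export), maps each cluster's interface to the L2 segment it sits on, and reports every VHID that more than one cluster uses on the same segment. The config fragments, interface-to-segment mapping, cluster names and the `audit` / `find_vhid_collisions` helpers are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed config fragments in the shape of OPNsense's <virtualip>/<vip>
# entries (field names assumed; check against a real config.xml export).
# HA-1 fronts the DMZ with VIP 192.168.0.150 on its "lan" side; HA-2 uses
# VIP 192.168.0.160 on its "wan" side in the same DMZ VLAN and 10.1.1.1
# towards the internal VLAN. Both clusters were built from the same template,
# so every CARP VIP carries vhid 1, which is the situation from the thread.
HA1_CONFIG = """
<opnsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
       <subnet>203.0.113.10</subnet><subnet_bits>29</subnet_bits></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>1</vhid>
       <subnet>192.168.0.150</subnet><subnet_bits>24</subnet_bits></vip>
</virtualip></opnsense>
"""
HA2_CONFIG = """
<opnsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
       <subnet>192.168.0.160</subnet><subnet_bits>24</subnet_bits></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>1</vhid>
       <subnet>10.1.1.1</subnet><subnet_bits>24</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>wan</interface>
       <subnet>192.168.0.165</subnet><subnet_bits>24</subnet_bits></vip>
</virtualip></opnsense>
"""

# Which L2 segment each cluster's interface is attached to. Interface names
# differ per cluster (HA-1's "lan" and HA-2's "wan" are the same DMZ VLAN), so
# this mapping must come from the operator; the config alone cannot tell.
SEGMENTS = {
    "HA-1": {"wan": "wan-fibre", "lan": "dmz-vlan"},
    "HA-2": {"wan": "dmz-vlan", "lan": "vlan-10.1.1"},
}


def carp_vips(cluster, config_xml):
    """Extract the CARP virtual IPs (mode=carp only) from one cluster's config."""
    root = ET.fromstring(config_xml.strip())
    vips = []
    for vip in root.iter("vip"):
        if vip.findtext("mode") != "carp":
            continue  # IP aliases carry no VHID and cannot collide
        vips.append({
            "cluster": cluster,
            "interface": vip.findtext("interface"),
            "vhid": int(vip.findtext("vhid")),
            "address": f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}",
        })
    return vips


def find_vhid_collisions(vips, segments):
    """Return {(segment, vhid): [cluster, ...]} for every VHID that more than
    one cluster uses on the same L2 segment. CARP elects the MASTER per VHID
    from the advertisements seen on the wire, so two clusters sharing a VHID
    on one VLAN compete for the same group and the VIP answers only
    intermittently, matching the "one or two pings out of ten" symptom."""
    by_key = defaultdict(set)
    for vip in vips:
        segment = segments[vip["cluster"]][vip["interface"]]
        by_key[(segment, vip["vhid"])].add(vip["cluster"])
    return {key: sorted(clusters) for key, clusters in by_key.items()
            if len(clusters) > 1}


def audit(configs, segments):
    """Run the collision check over a {cluster_name: config_xml} mapping."""
    vips = [v for cluster, xml in configs.items() for v in carp_vips(cluster, xml)]
    return find_vhid_collisions(vips, segments)


if __name__ == "__main__":
    before = audit({"HA-1": HA1_CONFIG, "HA-2": HA2_CONFIG}, SEGMENTS)
    print("before fix:", before)   # {('dmz-vlan', 1): ['HA-1', 'HA-2']}
    # The fix from the thread: give one cluster a different VHID.
    fixed = HA2_CONFIG.replace("<vhid>1</vhid>", "<vhid>2</vhid>")
    after = audit({"HA-1": HA1_CONFIG, "HA-2": fixed}, SEGMENTS)
    print("after fix:", after)     # {}
```

Note that the same VHID on different segments (HA-1's vhid 1 on the fibre WAN and on the DMZ) is not reported, because CARP groups are scoped to the link the advertisements travel on; only a shared VHID on a shared VLAN is a collision.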