In preparation for an OPNsense rollout I am testing the High Availability setup with VirtualBox.
In short, I cannot access the WAN from the LAN even though the OPNsense nodes can.
Following the documentation at https://docs.opnsense.org/manual/how-tos/carp.html I came up with this setup:
                         192.168.178.0/24                                          192.168.1.0/24

                      /  192.168.178.151 WAN      | VM OPNsense1 | 192.168.1.1  LAN      \
FritzBox/AVM Router  -   192.168.178.10  WAN VIP  |     CARP     | 192.168.1.10 LAN VIP   -  VM Debian Test Client
                      \  192.168.178.152 WAN      | VM OPNsense2 | 192.168.1.2  LAN      /
There also exists a direct connection between the two OPNsense VMs for pfSync (10.0.0.1 and 10.0.0.2).
I summed up the behavior in this list:
- The synchronisation seems to work.
- I can't access the internet or the WAN on the Debian client, and my requests don't show up in the firewall log.
- Pinging the OPNsense nodes directly works.
- I tried to ping the LAN VIP and got no response.
- However, using arping I get a response from this address.
- Furthermore, DNS resolution works on 192.168.1.1 and 192.168.1.2 but not on 192.168.1.10.
I could not find any helpful information regarding this issue and would be grateful for help and hints. ;)
I solved the issue; for everyone else struggling with the same problems:
- In the WAN interface configuration on both OPNsense machines make sure that Block private networks and Block bogon networks are not activated!
- In the configuration of the Hypervisor (VirtualBox) make sure all OPNsense network interfaces are allowed to use the promiscuous mode!
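As an added example (not part of the original post), the following Python script checks the two settings from the fix above before a rollout: it parses `VBoxManage showvminfo <vm> --machinereadable` output for NICs still in promiscuous mode `deny`, and an OPNsense `config.xml` interfaces section for `blockpriv`/`blockbogons` on the WAN interface. The sample inputs are constructed; treating the mere presence of the `blockpriv`/`blockbogons` elements as "enabled" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `VBoxManage showvminfo OPNsense1 --machinereadable`,
# reduced to the NIC-related keys. nic4 is unattached and must be ignored.
SAMPLE_VMINFO = """\
nic1="bridged"
nicpromisc1="deny"
nic2="intnet"
nicpromisc2="allow-all"
nic3="intnet"
nicpromisc3="deny"
nic4="none"
"""

# Constructed fragment of an OPNsense config.xml (interfaces section only).
# Element names follow the real file; the values are made up for this example.
SAMPLE_CONFIG_XML = """\
<opnsense>
  <interfaces>
    <wan><if>em0</if><blockpriv>1</blockpriv><blockbogons>1</blockbogons></wan>
    <lan><if>em1</if></lan>
    <opt1><if>em2</if><descr>pfsync</descr></opt1>
  </interfaces>
</opnsense>
"""

def non_promisc_nics(vminfo: str) -> list[int]:
    """NIC numbers that are attached (not 'none') but whose promiscuous mode is
    'deny'. The CARP VIP answers from a shared virtual MAC, so a NIC that only
    accepts frames for its own MAC never sees unicast traffic to the VIP."""
    attached = {int(m.group(1)) for m in re.finditer(r'^nic(\d+)="(?!none")', vminfo, re.M)}
    promisc = {int(m.group(1)): m.group(2)
               for m in re.finditer(r'^nicpromisc(\d+)="([^"]*)"', vminfo, re.M)}
    return sorted(n for n in attached if promisc.get(n, "deny") == "deny")

def wan_block_flags(config_xml: str) -> dict[str, bool]:
    """Whether 'Block private networks' / 'Block bogon networks' are set on WAN.
    Assumption: presence of the element means the option is enabled."""
    wan = ET.fromstring(config_xml).find("./interfaces/wan")
    return {flag: (wan is not None and wan.find(flag) is not None)
            for flag in ("blockpriv", "blockbogons")}

def audit(vminfo: str, config_xml: str) -> list[str]:
    """Human-readable findings for both checks; empty list means all clear."""
    findings = [f"VirtualBox NIC {n}: promiscuous mode is 'deny'"
                for n in non_promisc_nics(vminfo)]
    findings += [f"WAN: {flag} is enabled; disable it when the upstream is RFC1918"
                 for flag, on in wan_block_flags(config_xml).items() if on]
    return findings
```

Run `audit()` against the real `showvminfo` output of each OPNsense VM and its exported config.xml; the sample data above yields four findings.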