I have setup a pair of OPNsense fw ver 21.1 - I am hoping correctly :)
My HA pair appears to be working correctly:
Updates are being synchronized to the Backup when I click on the manual sync to Backup button on the Master
Disable preempt box is not checked on the Master
Disable preempt is checked on the Backup
Master HA STATUS shows the Master control detail stuff
Backup HA STATUS blue box states "The backup firewall is not accessible or not configured" - which is really misleading.
Master CARP vips show Master
Backup CARP vips show as BACKUP
Master skew 0
Backup skew 100
With both fw up and running, I run data traffic (SSH and continuous ping) through the firewalls, the Backup fw passes this traffic until the Backup is taken out of service which then -after a some delay- the Master passes the traffic. Once the Backup fw is brought back into service, -after some delay- the Backup takes over again.
I verify what is happening by doing packet captures. Reloading both fw doesn't change the outcome nor allowing the Master to load first.
Any ideas and or suggestions are welcomed ...... and yea I've been through the documentation multiple times.
Thanks
Frank
QuoteDisable preempt is checked on the Backup
Uncheck this. It doesn't do what you think it does.
From the CARP man page:
QuoteAllow virtual hosts to preempt each other. When enabled, a vhid in a backup state would preempt a master that is announcing itself with a lower advskew. Disabled by default.
The second sentence is your issue. The backup is essentially allowed to forcibly take over from a master with that box checked. You don't want that. Leave it unchecked on both boxes and let Master be master and Backup be backup.
Thank you for your assistance
Frank
adding an update ..... be back soon