Hello,
I wish to migrate 2 pfSense 2.2.6 servers in an HA setup to OPNsense 16.1 (or 16.7 if the timetable shifts).
Any thoughts or a guide for the best way? Is there a way to export/import the config?
Thanks in advance.
While OPNsense and pfSense are from a similar base, they are not really interchangeable like that. You should export your pfSense config only as a reference; do not try to re-import it into OPNsense.
You can still import individual sections and see if that works. Additional info here:
https://github.com/opnsense/core/issues/28#issuecomment-141755217
It may work, depending on your config.xml complexity. Good luck. Test in a VM. :D
Thanks for the input.
I'm in the middle of the migration; it seems 16.7rc2 is the only download, so I'm starting on that.
Not much could be imported from the old config, so I had a good cleanup. Only aliases could be used, which saved me typing many lines of config.
I'm using an Intel i350-T4 card, and on pfSense (or the old FreeBSD) I had a buffer exhaustion in the kernel because of the load on the card with hardware offload.
I had these added to /boot/loader.conf:
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
Do you know if they are still needed in 10.3, or maybe a better value?
Regards
There is also an older 16.1.8 image, but 16.7-RC2 is almost all of 16.7 so it's best to start there.
Wouldn't risk omitting the loader values, although it makes me wonder where you came from. pfSense 2.2.6 maybe? In that case, e.g. from 10.1 to 10.3, not a lot has changed in FreeBSD, as most of the network stack reworks are locked into FreeBSD 11 due to a larger rework/restructuring happening there.
Cheers,
Franco
This is my new project after I finish some implementation work.
I have created a LAB and will test on a VM.
If anyone has gotten this working, I would like to know if it is even possible.
Yes, I came from pfSense 2.2.6.
I also think it will be best to keep the values in loader.conf, because we have a 1 Gbps internet connection, and the network card has a lot of load on all 4 ports.
My migration goes well I have now both boxes (Lenovo RS140) up and running with 16.7r2.
All rules and configuration have been migrated, mostly by hand.
I have configured High Availability and it seems to work, the master can see the backup and show what services are running on it and configuration changes on the master are shown on the backup almost instant.
Failover also seems to work, with only one problem. On the master under Firewall/Virtual IP's/Status it says that it is master on ALL carp interfaces (all good here), but on the backup it says it is backup on almost all carp interfaces. The backup is also master on the WAN interface.
That shows in 2 ways: one, if I ping one of our servers from the WAN then I get a (DUP) reply on the ping, one correct answer from the master firewall and one DUP from the backup.
Second, the backup cannot check for updates or reach the internet because it uses the carp address, and then the master picks up on the answer.
I have looked both here (https://docs.opnsense.org/manual/how-tos/carp.html) and in https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) for ideas on whether I have done something wrong. But everything seems to be configured correctly.
The problem in both cases seems to be the backup being stuck in a faulty state. I'm guessing that a reboot didn't help.
I don't know how to debug this, Ad will be back tomorrow.
No, a reboot does not change a thing.
Shall I disable HA until further notice?
Got to the last migration point, the OpenVPN server, got the configuration in and the service up and running and listening on the right port.
I cannot find any client settings to export (client install packages). I have checked where it normally goes wrong and all seems right: I have created a Trust Authority, and with that I have created a certificate for the OpenVPN server and also a client/user certificate.
But no user to export, do you have some input?
For the certificates to show up the user certificates need to be assigned to the users and the OpenVPN server mode must be set to "Remote Access" with SSL/TLS in it.
Yes, temporarily disable HA. Let us help figure the issue out tomorrow.
Cheers,
Franco
Okay great, that makes sense and now I can see the users.
On the old platform I did not create the users, as they were externally verified.
We discussed the HA issue and were wondering whether
(a) there is a typo in the VHID, or
(b) there is a policy/piece of metal between the two boxes that prevents them from being able to talk CARP to each other on the WAN side.
Cheers,
Franco
Regarding
(a) Everything seems to be OK; the VHIDs were created on the primary firewall and synced to the backup when HA was enabled, so they should be the same.
(b) There is a cable between the two firewalls on a dedicated sync port on the NIC; in the firewall rules on both firewalls under the "sync tab" it is IPv4 allow everything.
Regards
Very odd, does removing another CARP membership help?
What do you mean with "removing another CARP membership"?
Is this correct?
If I on the primary firewall click on "System / HA / Status" it shows:
Backup firewall versions
Firmware: 16.7.r2-792f54c76, Base: 16.7.r-amd64, Kernel: 16.7.r-amd64
and so on.
If I do the same on the backup firewall, click on "System / HA / status" it shows:
The backup firewall is not accessible or not configured.
Is that right? Shouldn't it show that it is in a relationship with the primary firewall?
Quote from: shade73 on July 25, 2016, 03:13:38 PM
What do you mean with "removing another CARP membership"?
It would be helpful to see whether this is a problem of multiple CARP setups interacting in a bad way (in our code), so reducing the CARP to the bad WAN scenario could give hints. I don't expect it to magically start working, but right now we don't know.
The backup not being configured I don't know. There are some people here using HA extensively; maybe they can shed some light. And Ad is our expert on HA. I cannot be of too much help.
Cheers,
Franco
Hi Guys,
I am more interested in migrating the OPENVPN users and certificate.
Firewall rules can reconfigure them.
I have backed up the OpenVPN configuration and uploaded it to a new OPNsense; unfortunately the users and certificate did not show up even after a couple of reboots.
Am I supposed to do something after the import is successful?
Quote from: Julien on July 25, 2016, 09:31:26 PM
I am more interested in migrating the OPENVPN users and certificate.
I had to drop the certificates; pfSense and OPNsense seem to have moved too far away from each other.
Quote from: franco on July 25, 2016, 08:46:24 PM
The backup not being configured I don't know. There are some people here using HA extensively, maybe they can shed a light. And Ad is our expert on HA. I cannot be of too much help.
Do you have a step-by-step guide to setting up CARP/HA on OPNsense? I'm thinking of the small differences there were in the OpenVPN setup from pfSense to OPNsense, in case there are some differences here too.
Here you go: https://docs.opnsense.org/manual/how-tos/carp.html
Can't find anything off, no errors that stand out.
Do you think this will help me? https://www.deciso.com/business-support/ (as in they can solve the problem)
I think so, yes. :)
Could it be this? https://github.com/opnsense/core/issues/1100
No, it was not related to that in fact I had no errors in the HA setup.
I created business support ticket, and got help from Deciso. It was a good experience, very friendly and knowledgeable people. Jos helped me and found the cause quickly.
It turns out that our internet router with dual business connection does not allow/accept the CARP traffic between the 2 WAN interfaces. Therefore the secondary OPNsense box cannot see that the primary WAN interface is up, thinks it is down, and then puts its own as master and ends up with 2 masters on the WAN.
We have "injected" a switch between the OPNsense boxes and the internet router, and now it works just fine with failover and everything.
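The dual-master condition described above (both nodes MASTER on the WAN VHID because the router dropped CARP advertisements between the WAN ports, which also explains the DUP ping replies) can be spotted from `ifconfig` output on the two nodes before HA goes into production. The script below is an added example, not part of this thread or of OPNsense; it assumes FreeBSD's `carp: STATE vhid N advbase A advskew S` line format and works on constructed sample output embedded in the script.

```shell
#!/bin/sh
# Added example (not from the thread): flag CARP VHIDs that are MASTER on both
# nodes, the dual-master symptom above. Input is `ifconfig -a` output from each
# node; the samples embedded below are constructed.

carp_states() {
    # Read ifconfig output on stdin and print "iface vhid state" per CARP VHID.
    # FreeBSD prints CARP as "carp: MASTER vhid 1 advbase 1 advskew 0".
    awk '/^[a-z]/ { iface = $1; sub(/:$/, "", iface) }
         /carp: / { print iface, $4, $2 }'
}

split_brain() {
    # $1 = ifconfig output of the primary, $2 = that of the backup.
    # Returns 1 and lists the VHIDs that are MASTER on both nodes, else 0.
    dup=$( { carp_states < "$1"; carp_states < "$2"; } |
           awk '$3 == "MASTER" { print $2 }' | sort | uniq -d )
    [ -z "$dup" ] && return 0
    for v in $dup; do
        echo "VHID $v is MASTER on both nodes: CARP advertisements are not getting through"
    done
    return 1
}

# Constructed sample: primary holds WAN (vhid 1) and LAN (vhid 2), as expected.
PRIMARY=$(mktemp)
cat > "$PRIMARY" <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0
EOF

# Constructed sample: backup is BACKUP on LAN but also MASTER on WAN because
# the router in front of the WAN ports drops the CARP traffic between the nodes.
BACKUP=$(mktemp)
cat > "$BACKUP" <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 100
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
trap 'rm -f "$PRIMARY" "$BACKUP"' EXIT

split_brain "$PRIMARY" "$BACKUP" || echo "fix the path between the WAN ports before re-enabling HA"
```

On real boxes, save `ifconfig -a` from each node to a file and pass the two files to `split_brain`; a VHID listed by it is the one whose advertisements the network in between is not delivering.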
Hi,
I'm experiencing a similar issue. My backup-node shows:
"The backup firewall is not accessible or not configured."
While the master node shows details about the backup node. I always thought that it's right like that, since the backup node has no other backup node and the config is always synced only from the master node to the backup node. Or am I wrong?
By activating the OPNsense "help" on the HA-Config page it shows
"Do not use the Synchronize Config to IP and password option on backup cluster members!"
...so I assume the error message that the backup firewall is not accessible or configured is confusing, but not wrong? Right?
It would really be great if someone could clarify this issue.
Thanks in advance
CS