OPNsense Forum

English Forums => High availability => Topic started by: dnll on September 27, 2023, 04:34:28 AM

Title: 2 OPNsense routers
Post by: dnll on September 27, 2023, 04:34:28 AM
Hello,
I have WAN on my modem going to my first OPNsense box. I have another OPNsense box and I'm unsure how to proceed. What I want is to be able to patch/reboot one box without losing my network.
What is the best way going forward?
Thank you
Title: Re: 2 OPNsense routers
Post by: Monviech (Cedrik) on September 27, 2023, 06:47:24 AM
Is your modem connected via PPPoE or Ethernet?
If you want help, you have to post your basic network structure.

Also, just as a tip, if it's PPPoE it's not going to work seamlessly. Also, the failover with it (in my tests) was prone to wonky behavior. The patching of an OPNsense takes like 2-3 minutes, in which the reboot maybe takes 1 minute. Only bigger upgrades every half a year take some more time. So you should think about whether the use case is really there. CARP and HA setups are quite complicated.

See here for a basic CARP HA setup: https://docs.opnsense.org/manual/how-tos/carp.html
Title: Re: 2 OPNsense routers
Post by: dnll on October 06, 2023, 06:05:20 AM
I do get my main public WAN IP through PPPoE, although my ISP (Bell) also allows me to get a second public WAN IP if I don't go through PPPoE but use the modem-router DMZ instead. There is nothing else between the modem-router and my OPNsense box.

Obviously, the whole project is more for fun than anything else. I just happen to have 2 Sophos SG330 units, and I kinda like the idea of having the backup unit in case hardware fails on the first unit, so why not set up high availability. I did read the doc but I couldn't really make any sense of it. I just wish it could somehow be easier, but I guess it isn't. I might just end up copying the config to the second unit, turning it off, and just turning it on in case the first unit has issues.
Title: Re: 2 OPNsense routers
Post by: Monviech (Cedrik) on October 06, 2023, 06:26:10 AM
I'd like to know what you didn't understand in the doc, maybe your troubles can be cleared up easily.

There are 3 parts to HA:
- Creating a CARP Virtual IP for each subnet
- Connecting a dedicated interface between both firewalls for State Synchronization, pfsync (optional)
- Configuration Sync between master and backup (optional)