Hello! Could you please help? I've two OPNsense firewalls in an HA pair, but I don't use CARP technology, only dynamic routing. Should states be synced in that configuration? At the moment they are not.
States aren't synced with the CARP protocol; they are synced with the pfsync protocol.
https://man.freebsd.org/cgi/man.cgi?pfsync%284%29
System: High Availability: Settings
Best use a dedicated interface as the Synchronize interface between both firewalls, since there is high multicast traffic. Leave the "Synchronize Peer IP" empty. You have to create a firewall rule that allows the pfsync protocol on both firewalls on the interface that is the Synchronize interface.
Please note that both firewalls need to have the exact same interfaces and the exact same interface names.
After you have configured pfsync on OPNsense, you can see what it's doing with "tcpdump -i pfsync0" and also by looking at the state table on both firewalls.
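An added check (not from the thread and not OPNsense's own tooling) that turns the verification step above into a script: given the text of `ifconfig pfsync0` and `pfctl -si` from both nodes, it confirms pfsync0 reports a syncdev and `syncok: 1`, and flags state-table drift between the pair. The sync interface name igb2 and all sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: sanity-check pfsync on an OPNsense HA pair from the text of
# `ifconfig pfsync0` and `pfctl -si` collected on each node (e.g. over ssh).
# All sample outputs below are constructed; igb2 is an assumed interface name.

# Succeed when pfsync0 has a syncdev configured and reports syncok: 1.
pfsync_up() {
    printf '%s\n' "$1" | grep -q 'syncdev: [A-Za-z0-9_.]' || return 1
    printf '%s\n' "$1" | grep -q 'syncok: 1' || return 1
}

# Print the "current entries" counter from `pfctl -si` output.
state_count() {
    printf '%s\n' "$1" | sed -n 's/^ *current entries *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when the two counts differ by at most $3 entries (default 10):
# a handful of states, e.g. the sync traffic itself, never replicate.
states_in_sync() {
    a=$1; b=$2; tol=${3:-10}
    if [ "$a" -ge "$b" ]; then d=$((a - b)); else d=$((b - a)); fi
    [ "$d" -le "$tol" ]
}

# $1,$2: ifconfig pfsync0 output of node A and B; $3,$4: pfctl -si of A and B.
check_pair() {
    pfsync_up "$1" || { echo "node A: pfsync0 not syncing (no syncdev or syncok != 1)"; return 1; }
    pfsync_up "$2" || { echo "node B: pfsync0 not syncing (no syncdev or syncok != 1)"; return 1; }
    ca=$(state_count "$3"); cb=$(state_count "$4")
    states_in_sync "$ca" "$cb" 10 || { echo "state tables drift: A=$ca B=$cb"; return 1; }
    echo "pfsync ok: A=$ca B=$cb states"
}

# Constructed sample output of a healthy node.
IFCONFIG_A='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: igb2 syncpeer: 224.0.0.240 maxupd: 128 defer: off
        syncok: 1'
IFCONFIG_B=$IFCONFIG_A
# A node whose pfsync0 never came up (the case where tcpdump on it stays empty).
IFCONFIG_BAD='pfsync0: flags=0<> metric 0 mtu 1500
        pfsync: syncdev: igb2 syncpeer: 224.0.0.240 maxupd: 128 defer: off
        syncok: 0'
PFCTL_A='Status: Enabled for 0 days 02:13:07           Debug: Urgent
State Table                          Total             Rate
  current entries                      842
  searches                          912345            113.9/s'
PFCTL_B=$(printf '%s\n' "$PFCTL_A" | sed 's/842/836/')

check_pair "$IFCONFIG_A" "$IFCONFIG_B" "$PFCTL_A" "$PFCTL_B"
check_pair "$IFCONFIG_A" "$IFCONFIG_BAD" "$PFCTL_A" "$PFCTL_B" || true
```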
Thank you for your reply. I've a dedicated interface between the two firewalls and I've created a pass rule for this interface, but states aren't synced. What could be the problem?
"Please note that both firewalls need to have the exact same interfaces and the exact same interface names." I think this is the problem; I have different interface names.
Yeah, if both firewalls' interfaces aren't literally the same names and the same configuration + the same network drivers, don't use state sync. It will break states and won't work.
I've made all interfaces identical on both firewalls, but pfsync still doesn't work. "tcpdump -i pfsync0" on both firewalls doesn't show any traffic. What could be the problem?
Screenshots of the HA settings and FW rules, please.
[Screenshot: FW rules on the sync interface]
[Screenshot: HA settings]
Can you try pointing to the failover IP of the other firewall instead of the multicast address?
I've rebooted one firewall and pfsync now works fine. Thank you for your support)