OPNsense Forum

English Forums => High availability => Topic started by: roboalex on March 05, 2024, 11:27:51 AM

Title: Trouble setting up HA Wireguard server
Post by: roboalex on March 05, 2024, 11:27:51 AM
Hi,

I am running two OPNsense VMs (24.1.2_1) in HA on a vCenter cluster. I am using them mainly as a Wireguard server hanging off of a firewall, with a single virtual NIC per node and outbound NAT disabled. CARP and the HA sync seem to work perfectly after enabling Net.ReversePathFwdCheckPromisc on the ESXi hosts.

The one problem I have is that I currently only have a WG1 interface for Wireguard on Node1, but not yet on Node2, meaning that Wireguard doesn't fail over properly when the CARP master changes.

When I add the WG1 interface to Node2 under Assignments (with the same name and configuration) and trigger a config sync from Node1, the sync never completes and the "System -> High Availability -> Status" page fails to load completely afterwards. Simply rebooting the nodes or removing the WG1 interface from Node2 doesn't fix the problem; the only way I could find to repair the HA cluster was to restore a backup on Node2, then trigger a sync from Node1.

The Wireguard config itself is correctly synced before adding the interface and is set to depend on the CARP VIP.

Did I set something up in the wrong order? Or is there a mistake in my thinking?

Thanks in advance :)