OPNsense Forum

English Forums => High availability => Topic started by: spetrillo on March 26, 2024, 03:49:13 PM

Title: Can I Use HA to Build Second Node?
Post by: spetrillo on March 26, 2024, 03:49:13 PM
Morning all,

I am in the process of beginning the build out of my second OPNsense node. Clearly I have some tasks related to the HA process that I need to do on the second node. My question relates to all the services that are configured on the first node, like IDS/IPS, VPN, firewall rules, NATs, etc. Can I just build out the first node completely and then sync configs to the second node? Will any plugins need to be installed on the second node explicitly?

Thanks,
Steve
Title: Re: Can I Use HA to Build Second Node?
Post by: Patrick M. Hausen on March 26, 2024, 03:53:09 PM
You need to at least update to the same version as the production system, install all desired plugins, and create all interface configuration. It is critically important that you create the interfaces with the same names and in the exactly same order as on the production system.

So e.g. for my home setup:

[APP] opt8
[DSL] opt2
[LAN] lan
[RPI]   opt5
[SRV] opt3
[WAN] wan
[WG0] opt6
[WG1] opt4
[WG2] opt7
[WIN] opt1


Switch, e.g., the assignment of opt2 and opt3 to DSL and SRV, respectively, and funny and hard-to-debug failures are going to happen.
Title: Re: Can I Use HA to Build Second Node?
Post by: spetrillo on March 26, 2024, 03:59:48 PM
Quote from: Patrick M. Hausen on March 26, 2024, 03:53:09 PM
You need to at least update to the same version as the production system, install all desired plugins, and create all interface configuration. It is critically important that you create the interfaces with the same names and in the exactly same order as on the production system.

So e.g. for my home setup:

[APP] opt8
[DSL] opt2
[LAN] lan
[RPI]   opt5
[SRV] opt3
[WAN] wan
[WG0] opt6
[WG1] opt4
[WG2] opt7
[WIN] opt1


Switch, e.g., the assignment of opt2 and opt3 to DSL and SRV, respectively, and funny and hard-to-debug failures are going to happen.

Yes Patrick...I have seen the issues. I checked the Interfaces Overview and everything matches, right down to the loopback. I have all the interfaces ready on both sides and will install the plugins on the second node.

Thanks for chiming in so quickly. These nodes are VMware virtual nodes, via a cloud provider. I have been fighting weird gremlins in the HA setup and finally decided to go back to square 1 and build out the nodes once again.
Title: Re: Can I Use HA to Build Second Node?
Post by: spetrillo on March 26, 2024, 06:49:48 PM
OK my first problem in getting this config running...

I cannot get the HA/Status screen up. It never shows up. I believe this is a case of not being able to reach the GUI of the other machine, but I'm not sure how to troubleshoot this.
Title: Re: Can I Use HA to Build Second Node?
Post by: Patrick M. Hausen on March 26, 2024, 06:52:48 PM
Do you have a dedicated interface with a straight cable for HA? Can you ping the secondary node from the primary? Do you have "allow *" rules on both firewalls for the HA interface?
Title: Re: Can I Use HA to Build Second Node?
Post by: spetrillo on March 26, 2024, 07:10:17 PM
Figured it out...

As part of my build out of the first node I set the HTTPS port to 8443. Since I had not built out the second node, it was defaulting to 443. So make sure your HTTPS port is the same on both nodes.

Now my last question...should Disable Preempt be checked or unchecked on the second node? I feel like it should be checked, but it's worded in a way that is confusing me.
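Patrick's point about identical interface names and order, and Steve's discovery that the GUI port has to match, both come down to the same pre-flight check: diff the two nodes' configuration before trusting sync. The script below is an added example, not part of the thread or of OPNsense itself. It assumes the config.xml layout described in its docstring (one child per logical interface under <interfaces>, the GUI port under <system><webgui>, installed plugins under <system><firmware><plugins>); the two XML documents embedded in it are constructed samples that reproduce the opt2/opt3 swap and the 8443-vs-443 mismatch from this thread.

```python
"""Pre-flight drift check for an OPNsense HA pair (added example, not OPNsense code).

Assumed config.xml layout (treat as an assumption): <interfaces> holds one
child per logical interface, tag = logical name (wan, lan, opt1, ...), with
<if> (physical NIC) and <descr> (label); <system><webgui><protocol>/<port>
hold the GUI listener; <system><firmware><plugins> is a comma-separated
list of installed plugins.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the primary as described in the thread (GUI on 8443).
PRIMARY_XML = """<opnsense>
  <system>
    <webgui><protocol>https</protocol><port>8443</port></webgui>
    <firmware><plugins>os-wireguard,os-theme-cicada</plugins></firmware>
  </system>
  <interfaces>
    <wan><if>vmx0</if><descr>WAN</descr><enable>1</enable></wan>
    <lan><if>vmx1</if><descr>LAN</descr><enable>1</enable></lan>
    <opt1><if>vmx2</if><descr>WIN</descr><enable>1</enable></opt1>
    <opt2><if>vmx3</if><descr>DSL</descr><enable>1</enable></opt2>
    <opt3><if>vmx4</if><descr>SRV</descr><enable>1</enable></opt3>
  </interfaces>
</opnsense>"""

# Constructed sample: a fresh secondary with opt2/opt3 swapped, no <port>
# element (so the default 443 applies) and one plugin not yet installed.
SECONDARY_XML = """<opnsense>
  <system>
    <webgui><protocol>https</protocol></webgui>
    <firmware><plugins>os-theme-cicada</plugins></firmware>
  </system>
  <interfaces>
    <wan><if>vmx0</if><descr>WAN</descr><enable>1</enable></wan>
    <lan><if>vmx1</if><descr>LAN</descr><enable>1</enable></lan>
    <opt1><if>vmx2</if><descr>WIN</descr><enable>1</enable></opt1>
    <opt2><if>vmx3</if><descr>SRV</descr><enable>1</enable></opt2>
    <opt3><if>vmx4</if><descr>DSL</descr><enable>1</enable></opt3>
  </interfaces>
</opnsense>"""


def interfaces(xml_text):
    """Return [(logical_name, descr), ...] in document order."""
    node = ET.fromstring(xml_text).find("interfaces")
    if node is None:
        return []
    return [(el.tag, (el.findtext("descr") or "").strip()) for el in node]


def webgui_port(xml_text):
    """GUI port, falling back to the protocol default when <port> is absent."""
    root = ET.fromstring(xml_text)
    port = root.findtext("system/webgui/port")
    if port and port.strip():
        return int(port)
    proto = (root.findtext("system/webgui/protocol") or "http").strip()
    return 443 if proto == "https" else 80


def plugins(xml_text):
    """Set of installed plugin package names."""
    raw = ET.fromstring(xml_text).findtext("system/firmware/plugins") or ""
    return {p.strip() for p in raw.split(",") if p.strip()}


def ha_drift(primary_xml, secondary_xml):
    """List every mismatch that would bite config sync; empty list means clean."""
    problems = []
    p_if, s_if = interfaces(primary_xml), interfaces(secondary_xml)
    p_tags, s_tags = [t for t, _ in p_if], [t for t, _ in s_if]
    if p_tags != s_tags:  # set or ORDER of logical interfaces differs
        problems.append(f"interface set/order differs: {p_tags} vs {s_tags}")
    s_descr = dict(s_if)
    for tag, descr in p_if:  # same logical name must carry the same label
        if tag in s_descr and s_descr[tag] != descr:
            problems.append(f"{tag}: primary={descr!r} secondary={s_descr[tag]!r}")
    pp, sp = webgui_port(primary_xml), webgui_port(secondary_xml)
    if pp != sp:  # sync talks to the peer GUI, so the listener must match
        problems.append(f"webgui port differs: primary={pp} secondary={sp}")
    missing = plugins(primary_xml) - plugins(secondary_xml)
    if missing:
        problems.append(f"plugins missing on secondary: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: drift.py primary.xml secondary.xml
        a, b = (open(f, encoding="utf-8").read() for f in sys.argv[1:3])
    else:
        a, b = PRIMARY_XML, SECONDARY_XML
    for line in ha_drift(a, b) or ["no drift detected"]:
        print(line)
```

Run it against two exported backups (System > Configuration > Backups) and fix everything it lists before enabling sync; on the constructed samples it reports the two swapped labels, the port mismatch and the missing plugin.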
Title: Re: Can I Use HA to Build Second Node?
Post by: spetrillo on March 26, 2024, 08:44:10 PM
A couple more questions...

1) I have set the primary node's advbase to 1 and advskew to 0. I have set the secondary node's advbase to 100 and left the advskew at 0. Is this ok?

2) I removed Virtual IPs from the sync process because what I was noticing is that the VIPs on the secondary side would have their advbase and advskew changed back to the primary's. This would make the secondary think it was master. Is this ok?

3) Should I be able to ping the VIPs associated with the interfaces? I have a PC that is part of a segment that has a VIP. If I ping the VIP I get nothing. I can ping the hard IPs without issue.
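Questions 1 and 2 above both turn on how CARP turns advbase/advskew into a master election, so here is a small model of that, as an added example that is not from the thread or from OPNsense. The rules are those of FreeBSD carp(4): a node advertises every advbase + advskew/256 seconds, the shortest interval is preferred, a backup that hears nothing for 3*advbase + advskew/256 seconds takes over, and with preemption enabled a backup whose interval is strictly shorter than the advertising master's takes over immediately. The mapping of OPNsense's "Disable preempt" checkbox to net.inet.carp.preempt=0, and the node values in the main block, are assumptions; the second pair (advbase 1/advskew 100) is included only for comparison.

```python
"""Model of CARP master election from advbase/advskew (added example, not OPNsense code).

Rules from FreeBSD carp(4): advertisement interval = advbase + advskew/256 s;
shortest interval wins; a BACKUP promotes itself after 3*advbase + advskew/256 s
of silence; with net.inet.carp.preempt=1 (assumed to be "Disable preempt"
unchecked in the OPNsense GUI) a BACKUP with a strictly shorter interval
displaces a still-advertising MASTER at once.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CarpNode:
    name: str
    advbase: int  # 1..255 seconds
    advskew: int  # 0..254, in units of 1/256 s

    def __post_init__(self):
        if not (1 <= self.advbase <= 255 and 0 <= self.advskew <= 254):
            raise ValueError(f"{self.name}: advbase must be 1..255, advskew 0..254")

    def interval(self):
        """Seconds between this node's advertisements."""
        return self.advbase + self.advskew / 256

    def dead_master_timeout(self):
        """Silence (seconds) after which this node, as BACKUP, promotes itself."""
        return 3 * self.advbase + self.advskew / 256


def elect_master(nodes):
    """Node with the shortest interval; None on a tie (tied nodes flap)."""
    ordered = sorted(nodes, key=lambda n: n.interval())
    if len(ordered) > 1 and ordered[0].interval() == ordered[1].interval():
        return None
    return ordered[0]


def backup_preempts(backup, master, preempt_enabled):
    """True if a running BACKUP displaces a MASTER that is still advertising."""
    return bool(preempt_enabled and backup.interval() < master.interval())


if __name__ == "__main__":
    # Constructed pairs: the values quoted in the thread, then a skew-only variant.
    pairs = {
        "as posted   (1/0 vs 100/0)": (CarpNode("primary", 1, 0), CarpNode("secondary", 100, 0)),
        "skew only   (1/0 vs 1/100)": (CarpNode("primary", 1, 0), CarpNode("secondary", 1, 100)),
    }
    for label, (p, s) in pairs.items():
        winner = elect_master([p, s])
        print(label)
        print(f"  elected master: {winner.name if winner else 'tie'}")
        print(f"  secondary advertises every {s.interval():.3f}s,"
              f" promotes itself after {s.dead_master_timeout():.3f}s of silence")
        print(f"  rebooted primary (comes up BACKUP) reclaims master with preempt on:"
              f" {backup_preempts(p, s, True)}")
```

Plug in whatever each node's VIPs actually show under Interfaces > Virtual IPs and compare the two intervals: the node that wins the election is the one with the shorter interval, and dead_master_timeout tells you how long a stalled master goes unnoticed. Syncing VIPs from primary to secondary without per-node skew, as described in question 2, gives both nodes identical values and hence the tie case.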