Hello, is there a way to upgrade an OPNSense HA cluster remotely? I haven't found much on this topic in the forum.
https://docs.opnsense.org/manual/how-tos/carp.html#example-updating-a-carp-ha-cluster
Thanks Patrick, I have already read the manual section about carp upgrade. For me, it isn't very clear, let's take the first step:
Quote: Update your secondary unit and wait until it is online again
How can I update the secondary unit, if it has a gateway which is marked as "offline"?
Currently I have the primary node which is the master, everything is running nice and smoothly, but secondary unit gateway is marked as "offline" and upgrade from GUI or CLI isn't working, so I can't follow those steps to upgrade remotely.
Any hint?
In all my HA setups both units have a valid and working gateway. Each unit needs its own IP address on WAN of course. So I guess you should start with investigating and fixing that problem.
Thank you very much! This info is crucial, I'll try to investigate and fix it, thanks again Patrick.
Patrick, could you tell me how you make both gateways work and stay online in your setups?
I followed this guide to configure CARP and HA:
https://docs.opnsense.org/manual/how-tos/carp.html#
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-ha-on-opnsense
But every time I create an HA cluster, I end up with a primary node (master) with an online, working gateway and a secondary node (slave) with an offline, non-working gateway.
How exactly does your Internet uplink work? You need at least a /29 from your ISP for "proper" HA (with IPv4).
Yes, I have an x.x.x.x/29 public subnet, both firewalls have a fixed public IP on their corresponding WAN interfaces, and then there is a WAN Virtual IP configured.
I linked some screenshots about it:
https://postimg.cc/gallery/NBbgBNf
I really don't know what to check, I'm struggling here.
1. Why are you setting a monitor IP?
2. Your NAT rule tries to NAT all outbound traffic including everything from the firewall itself.
Change the NAT rule from
Source: *
to
Source: an alias that sums up all your internal networks
HTH,
Patrick
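The following is an added illustration of Patrick's second point, not code from the thread or from OPNsense itself. It models first-match outbound NAT on the WAN interface in a few lines of Python and runs two rule sets through it: the original one (Source: *) and the corrected one (Source: an alias of the internal networks). All addresses, the alias name "InternalNets" and the rule objects are constructed for the example; the traffic of interest is the backup unit's own gateway-monitor probe, which leaves from the unit's own WAN address. The reason the rule matters, which the thread leaves implicit, is that once that probe is translated to the shared CARP VIP, the reply is addressed to an IP that the MASTER unit answers for, so the backup never sees it and marks its gateway offline.

```python
import ipaddress
from dataclasses import dataclass

# All addresses below are constructed for this example (RFC 5737 / RFC 1918 space);
# they are not the poster's real addressing.
WAN_PREFIX = ipaddress.ip_network("203.0.113.8/29")       # the /29 from the ISP
FW_PRIMARY_WAN = ipaddress.ip_address("203.0.113.10")     # master's own WAN address
FW_SECONDARY_WAN = ipaddress.ip_address("203.0.113.11")   # backup's own WAN address
WAN_VIP = ipaddress.ip_address("203.0.113.9")             # shared CARP virtual IP
LAN_CLIENT = ipaddress.ip_address("192.168.10.50")        # a host behind the cluster

# Hypothetical alias standing in for "an alias that sums up all your internal networks".
ALIASES = {
    "InternalNets": [
        ipaddress.ip_network("192.168.10.0/24"),
        ipaddress.ip_network("192.168.20.0/24"),
    ],
}


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str                        # egress interface the rule is bound to
    source: str                           # "*" (any) or an alias name
    translate_to: ipaddress.IPv4Address   # NAT address, here the CARP VIP


def rule_matches(rule: OutboundNatRule, egress_iface: str,
                 src: ipaddress.IPv4Address) -> bool:
    """Simplified match: the interface must agree; '*' matches every source,
    an alias matches only the networks it contains."""
    if rule.interface != egress_iface:
        return False
    if rule.source == "*":
        return True
    return any(src in net for net in ALIASES[rule.source])


def apply_outbound_nat(rules, egress_iface: str,
                       src: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Source address after first-match outbound NAT (unchanged if no rule matches)."""
    for rule in rules:
        if rule_matches(rule, egress_iface, src):
            return rule.translate_to
    return src


# The rule set from the thread (source any) and the corrected one (source alias).
NAT_ANY = [OutboundNatRule("WAN", "*", WAN_VIP)]
NAT_ALIAS = [OutboundNatRule("WAN", "InternalNets", WAN_VIP)]


def gateway_probe_source(rules, firewall_wan_ip):
    """Source the upstream router sees on this unit's own gateway-monitor probe."""
    return apply_outbound_nat(rules, "WAN", firewall_wan_ip)


def lan_client_source(rules, client_ip=LAN_CLIENT):
    """Source the Internet sees for an internal host; the VIP in both rule sets."""
    return apply_outbound_nat(rules, "WAN", client_ip)


def probe_reply_reaches_origin(rules, firewall_wan_ip) -> bool:
    """The probe reply only comes back to the probing unit if its own address
    survived NAT; a reply to the VIP goes to whichever unit is MASTER."""
    return gateway_probe_source(rules, firewall_wan_ip) == firewall_wan_ip


if __name__ == "__main__":
    for name, rules in [("Source: *", NAT_ANY), ("Source: InternalNets", NAT_ALIAS)]:
        print(f"{name}: LAN client -> {lan_client_source(rules)}, "
              f"backup probe -> {gateway_probe_source(rules, FW_SECONDARY_WAN)}, "
              f"reply reaches backup: {probe_reply_reaches_origin(rules, FW_SECONDARY_WAN)}")
```

With Source: * the backup's probe leaves as the VIP and its reply never reaches the backup; with the alias the internal host is still translated to the VIP, but the unit's own traffic keeps its interface address. The same check applies to the master, which only works today because it happens to hold the VIP.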
Quote from: Patrick M. Hausen on July 18, 2024, 01:36:06 PM
1. Why are you setting a monitor IP?
2. Your NAT rule tries to NAT all outbound traffic including everything from the firewall itself.
Change the NAT rule from
Source: *
to
Source: an alias that sums up all your internal networks
HTH,
Patrick
It works! Thank you so much Patrick, you made my day!