I have configured my OPNsense HA on two servers, master and backup. Both firewalls indicate master and backup as they are supposed to, but the issue is that when I try to perform a sync to the backup firewall I get an error message saying the backup firewall is not configured, although I have configured it. What could be the possible cause of this error? Also, the master firewall existed before I added the backup firewall, but the CARP configuration was done the same day.
Do you have a dedicated sync interface? What are the firewall rules on that one? Did you change the "listen interfaces" for the UI? The primary needs to login to the UI/API of the standby ...
Yes, the interface for the sync I have named pfsync, with IP 10.0.0.1 for master and 10.0.0.2 for backup.
The rule I have for the pfsync on the master is the PASS rule pushing all traffic out.
By "listen interface" do you mean the Virtual IPs?
The primary needs to login to the UI/API of the standby ...
I don't get this last part. Can you break down the question for me, please?
The UI must listen on the HA interface. And the HA interface should have an "allow * * in" rule.
For the UI: System > Settings > Administration > Listen interfaces. Leave at "All (recommended)".
How do you think the primary syncs the config to the secondary? It literally logs in as root via HTTP ...
1. The UI must listen on the HA interface. And the HA interface should have an "allow * * in" rule. : Yes, that is what I have.
2. For the UI: System > Settings > Administration > Listen interfaces. Leave at "All (recommended)". : I have the same in my system.
3. How do you think the primary syncs the config to the secondary? It literally logs in as root via HTTP.
I don't understand this. : Yes, that is what I have done.
So ...
- The UI is listening on the HA interface on the standby? Check with `netstat -na|grep LISTEN`
- The standby has got an "allow all" rule on the HA interface?
- On the primary you entered 10.0.0.2, root, and the root password of the standby in System > High Availability > Settings?
Then it should work. If it doesn't:
- Can you ping the standby from the primary on the HA interface?
- Run tcpdump on the standby, HA interface, UI port, to watch if the primary tries to connect at all ...
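The first and last items of that checklist can be scripted. The following is an added example, not code from the thread or from the OPNsense project: it parses `netstat -na` output (the FreeBSD format OPNsense uses, where the local endpoint is written as ADDR.PORT) to confirm the UI port is bound on the HA address or on the wildcard, and offers a plain TCP connect test to run from the primary. The netstat samples are constructed, and the HA address 10.0.0.2 and UI port 443 are taken from the thread as assumptions.

```python
"""Pre-flight checks for OPNsense HA config sync.

Added example, not part of the forum thread. It encodes two questions
asked above: is the standby's web UI actually listening on the HA (pfsync)
interface address, and can the primary reach that port at all. The netstat
format assumed is FreeBSD's "netstat -na" (local endpoint as ADDR.PORT);
the sample output below is constructed, not captured from a real firewall.
"""
import socket

# Constructed sample of `netstat -na | grep LISTEN` on a standby whose UI
# listens on every address ("All (recommended)" in Listen interfaces).
SAMPLE_LISTEN_ALL = """\
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.443                  *.*                    LISTEN
"""

# Constructed sample where Listen interfaces was restricted to LAN only,
# so the HA address 10.0.0.2 never gets a listening socket.
SAMPLE_LISTEN_LAN_ONLY = """\
tcp4       0      0 192.168.1.1.443        *.*                    LISTEN
tcp4       0      0 127.0.0.1.443          *.*                    LISTEN
"""


def listening_sockets(netstat_output):
    """Return a list of (proto, addr, port) for every TCP LISTEN line."""
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # FreeBSD prints the local endpoint as ADDR.PORT; split on the last dot
        # so IPv4 addresses (and the "*" wildcard) survive intact.
        addr, _, port = fields[3].rpartition(".")
        sockets.append((fields[0], addr, port))
    return sockets


def ui_listens_on(netstat_output, ha_ip, ui_port=443):
    """True if the UI port is bound on the HA address or on the wildcard."""
    wanted = {"*", ha_ip}
    return any(addr in wanted and port == str(ui_port)
               for _proto, addr, port in listening_sockets(netstat_output))


def ui_reachable(ha_ip, ui_port=443, timeout=3.0):
    """From the primary: can a TCP connection to the standby's UI port be opened?

    This only proves that routing and the "allow all in" rule on the HA
    interface let the connection through; the root login is verified by the
    sync itself.
    """
    try:
        with socket.create_connection((ha_ip, ui_port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, sample in (("all", SAMPLE_LISTEN_ALL), ("lan-only", SAMPLE_LISTEN_LAN_ONLY)):
        print(name, "UI bound for 10.0.0.2:443 ->", ui_listens_on(sample, "10.0.0.2"))
```

Feed `ui_listens_on` the real `netstat -na` output from the standby's shell; if it returns False while `ui_reachable` from the primary also fails, the problem is on the standby side (listen interfaces or the pfsync rule), not in the HA settings of the primary.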
Yes, I am able to ping,
and I can also see logs when I run the tcpdump command on my backup OPNsense firewall's shell.
I get:
94 packets captured
96 packets received by filter
0 packets dropped by kernel
Please post screenshots of
- the HA interface configuration of both firewalls
- the HA settings on the primary
[Screenshots attached: interface configuration of both firewalls; dark background = primary, white background = backup]
NAT and virtual IPs are not relevant at the moment.
pfsync interface settings of the standby are missing.
HA settings (not status!) of the primary are missing. System > High Availability > Settings
HA settings for primary
Leave "synchronize peer IP" at 224.0.0.240 - no need to change that. Rest looks good assuming the root password is correct for the standby.
Can you show the firewall rules on the pfsync interface of the standby, please?
I have attached the rule for the pfsync for the backup.
In that case I have no idea. I have 3 HA pairs configured that way and they all work.
Does the standby have the same port settings for the UI as the primary?
Yes, it does.
And the "The backup firewall is not accessible or not configured." message is from the primary?
Because on the secondary it is correct. The secondary does not itself have a backup firewall ...
Yes, I get that error message on the primary.
But I also wanted to bring to your notice that the primary firewall was active way before; because we want to introduce HA, we are adding this secondary backup firewall, so it is not a fresh setup altogether. But the CARP configuration was done together for both firewalls. Can that be an issue?
Quote from: cdsane on July 31, 2024, 01:25:22 PM
But I also wanted to bring to your notice that the primary firewall was active way before; because we want to introduce HA, we are adding this secondary backup firewall, so it is not a fresh setup altogether. But the CARP configuration was done together for both firewalls. Can that be an issue?
To my knowledge - no. What can and will be an issue is if the logical interfaces (LAN, WAN, OPT1, ...) are not created in the 100% identical order on both units.
You need to investigate the links in your browser's address bar when clicking through the individual interfaces.
For example, on one of my clusters the interface named "DMZ" has this link:
https://primary.my.firewall.com/interfaces.php?if=opt2
It is absolutely mandatory that the "opt2" part is identical on both units. This is BTW true for most commercial products, too.
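Clicking through every interface on both units is tedious, and the same check can be done offline against the two configurations. The following is an added example, not code from the thread or from OPNsense: it reads the `<interfaces>` section of two config.xml documents (the layout assumed, `<interfaces><wan>…<opt1>…</interfaces>` with `<if>` and `<descr>` children, is the one OPNsense uses in its configuration backups; the two documents here are constructed) and reports every internal key such as `opt2` that maps to a different logical interface on the backup than on the primary.

```python
"""Compare interface assignment order between two OPNsense config.xml files.

Added example, not from the thread. It implements the check described above:
the internal interface keys (wan, lan, opt1, opt2, ...) must refer to the same
logical interface on both units, because synced rules and settings are keyed
by those names. The config.xml layout assumed here is <interfaces> holding one
child per key, each with <if> and <descr>; both documents below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed primary: pfsync was assigned as opt1, DMZ as opt2.
PRIMARY_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr></wan>
    <lan><if>vtnet1</if><descr>LAN</descr></lan>
    <opt1><if>vtnet2</if><descr>pfsync</descr></opt1>
    <opt2><if>vtnet3</if><descr>DMZ</descr></opt2>
  </interfaces>
</opnsense>
"""

# Constructed backup where the two OPT interfaces were created in the other
# order: rules the primary syncs for "opt2" (its DMZ) would land on the
# backup's pfsync interface.
BACKUP_CONFIG_SWAPPED = """<opnsense>
  <interfaces>
    <wan><if>vtnet0</if><descr>WAN</descr></wan>
    <lan><if>vtnet1</if><descr>LAN</descr></lan>
    <opt1><if>vtnet3</if><descr>DMZ</descr></opt1>
    <opt2><if>vtnet2</if><descr>pfsync</descr></opt2>
  </interfaces>
</opnsense>
"""


def interface_assignments(config_xml):
    """Return an ordered list of (key, description) from <interfaces>."""
    root = ET.fromstring(config_xml)
    section = root.find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section in config")
    result = []
    for node in section:
        # Fall back to the upper-cased key when no description is set.
        descr = node.findtext("descr") or node.tag.upper()
        result.append((node.tag, descr))
    return result


def compare_assignments(primary_xml, backup_xml):
    """Return human-readable mismatches; an empty list means the keys agree."""
    primary = dict(interface_assignments(primary_xml))
    backup = dict(interface_assignments(backup_xml))
    problems = []
    for key in sorted(set(primary) | set(backup)):
        p, b = primary.get(key), backup.get(key)
        if p is None:
            problems.append(f"{key}: only on backup ({b})")
        elif b is None:
            problems.append(f"{key}: only on primary ({p})")
        elif p != b:
            problems.append(f"{key}: primary={p} backup={b}")
    return problems


if __name__ == "__main__":
    for line in compare_assignments(PRIMARY_CONFIG, BACKUP_CONFIG_SWAPPED) or ["OK"]:
        print(line)
```

To use it against real units, load each firewall's configuration backup (the XML downloaded from the configuration backup page, or /conf/config.xml on the unit) into the two strings; any line the function prints names a key whose meaning differs between the units and therefore has to be reassigned on the backup before config sync can be trusted.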
Well noted