I set up OPNsense HA with 2 servers, with proxy ARP interfaces, but I have a problem with proxy ARP because both OPNsenses advertise ARP from their interfaces, and I had ARP conflicts in my network and TTL expired because of this problem (because sometimes the master node found the slave node's MAC address instead of the real MAC address of the IP). I tried to resolve this problem with "Neighbors" and set the MAC address of the IP addresses statically.
But I found another problem: in HA sync there isn't any option for the master node to sync "Neighbors" configs to the backup node.
These are my questions:
1- Can I use HA with a proxy ARP interface without setting ARP statically?
2- If I should use static ARP, how can I sync "Neighbors" between master and slave nodes?
For the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.
Quote from: alveston on July 09, 2025, 04:48:48 PM
For the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.
Syncing static ARP ("Neighbors") configs?
As others have done, you can move away from Proxy ARP entirely and use CARP.
Quote from: alveston on July 09, 2025, 04:48:48 PM
For the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.
Yes, I have this problem. The master node asks for the MAC address of an IP address that is in the proxy ARP subnet, the backup node answers with its own MAC, and we get TTL expired. How can I resolve this problem?
Quote from: alveston on July 09, 2025, 04:50:30 PM
Quote from: alveston on July 09, 2025, 04:48:48 PM
For the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.
Syncing static ARP ("Neighbors") configs?
As others have done, you can move away from Proxy ARP entirely and use CARP.
I'm using CARP but I have a problem.
Quote from: MohsenB on July 12, 2025, 01:31:02 PM
I'm using CARP but I have a problem.
So what is the problem, exactly?
Quote from: Patrick M. Hausen on July 12, 2025, 01:59:42 PM
Quote from: MohsenB on July 12, 2025, 01:31:02 PM
I'm using CARP but I have a problem.
So what is the problem, exactly?
I'm using CARP and proxy ARP at the same time on an interface, but the backup node advertises the MAC address for IP addresses assigned to servers.
Can I disable proxy ARP on the backup node and enable it automatically when it becomes master?
or
sync "Neighbors" between master and backup node?
Use CARP and Virtual IP addresses and put these virtual IP addresses in the same vhid group as CARP, and they will move with master and backup.
Quote from: Monviech (Cedrik) on July 12, 2025, 03:45:34 PM
Use CARP and Virtual IP addresses and put these virtual IP addresses in the same vhid group as CARP, and they will move with master and backup.
I did this, but I still have the problem.
My structure is the same as below:
OPNsense Master:
DMZ IP: 10.0.0.2/24 (switch port: 1 (Private VLAN promiscuous, VLAN ID: 100))
DMZ proxy ARP: 10.0.0.0/24
DMZ CARP VIP: 10.0.0.1/24 (vhid group: 1, advskew: 0)
LAN IP: 192.168.0.2/24 (switch port: 10)
LAN CARP VIP: 192.168.0.1/24 (vhid group: 2, advskew: 0)
--------------------------
OPNsense Backup:
DMZ IP: 10.0.0.3/24 (switch port: 2 (Private VLAN promiscuous, VLAN ID: 100))
DMZ proxy ARP: 10.0.0.0/24
DMZ CARP VIP: 10.0.0.1/24 (vhid group: 1, advskew: 100)
LAN IP: 192.168.0.3/24 (switch port: 11)
LAN CARP VIP: 192.168.0.1/24 (vhid group: 2, advskew: 100)
--------------------------
Server:
IP: 10.0.0.100/24
Gateway: 10.0.0.1/24
switch port: 24 (Private VLAN isolated, VLAN ID: 100)
--------------------------
Client1:
IP: 192.168.0.100/24 (switch port: 23)
Gateway: 192.168.0.1
In the above structure, when a client wants to access "Server" through "OPNsense Master", "OPNsense Backup" sends its own MAC to "OPNsense Master" instead of "Server"'s, and "OPNsense Master" can't find the real server.
I resolved this problem with "Neighbors" and set the "Server" MAC address statically, but unfortunately OPNsense doesn't sync "Neighbors" between nodes in HA.
I want to know: can I resolve this problem without "Neighbors"? Or, if I must do it with "Neighbors", how can I sync the nodes' "Neighbors" configuration?
I'm wondering what the sense of Proxy ARP is in your setup.
Quote from: MohsenB on July 12, 2025, 04:11:51 PM
In the above structure, when a client wants to access "Server" through "OPNsense Master"
From the LAN or from another network segment?
Quote from: viragomann on July 13, 2025, 08:58:49 PM
I'm wondering what the sense of Proxy ARP is in your setup.
This is an example.
I have a /24 public IP subnet and I used it in an isolated private VLAN via proxy ARP. It's working with a single OPNsense without any problem, but when I set up OPNsense HA and CARP, I found this problem.
Quote from: viragomann on July 13, 2025, 08:58:49 PM
Quote from: MohsenB on July 12, 2025, 04:11:51 PM
In the above structure, when a client wants to access "Server" through "OPNsense Master"
From the LAN or from another network segment?
Both of them; from the same or another segment, I have this problem. (I edited my example to represent the structure more clearly.)
Because we are using an isolated private VLAN, all servers can send their traffic to promiscuous ports, and the promiscuous ports are connected to the OPNsense nodes (master and backup), so when two servers want to connect to each other, they must connect through the OPNsense master node. But sometimes the slave node answers the master with its own MAC instead of the server's, so the master node can't find the server and can't send traffic to it.
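The failure mode described in the two posts above (the backup node's interface MAC answering ARP for an IP that belongs to a server) leaves a visible trace: two different MACs claim the same IP in ARP replies. The script below is an added example, not code from the thread or from OPNsense, that parses tcpdump-style ARP reply lines and flags IPs with more than one claimant, naming which firewall node answered. The sample capture lines and the node MACs are constructed values for illustration; on a real node the input would come from something like `tcpdump -ni <dmz-interface> arp`.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP reply lines (not a real capture).
# 10.0.0.100 is claimed both by the server's own NIC and by the backup node.
SAMPLE_ARP_REPLIES = """\
10:00:01.000100 ARP, Reply 10.0.0.100 is-at 00:11:22:33:44:55, length 28
10:00:01.000300 ARP, Reply 10.0.0.100 is-at 00:aa:bb:cc:dd:03, length 28
10:00:02.000100 ARP, Reply 10.0.0.1 is-at 00:00:5e:00:01:01, length 28
10:00:03.000100 ARP, Reply 192.168.0.100 is-at 00:11:22:33:44:66, length 28
"""

# Constructed (hypothetical) interface MACs of the two firewall nodes; in a
# real deployment take these from `ifconfig` on each node.
NODE_MACS = {
    "00:aa:bb:cc:dd:02": "opnsense-master",
    "00:aa:bb:cc:dd:03": "opnsense-backup",
}

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(text):
    """Return {ip: set(macs)} built from tcpdump-style ARP reply lines."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return claims


def find_conflicts(claims, node_macs):
    """IPs answered by more than one MAC, with the firewall node(s) among the claimants.

    An entry whose 'nodes' list is non-empty is the symptom from the thread:
    a firewall node's own MAC answering for an address it only proxies.
    """
    conflicts = {}
    for ip, macs in claims.items():
        if len(macs) < 2:
            continue
        node_answers = sorted(node_macs[m] for m in macs if m in node_macs)
        conflicts[ip] = {"macs": sorted(macs), "nodes": node_answers}
    return conflicts


if __name__ == "__main__":
    for ip, info in find_conflicts(parse_arp_replies(SAMPLE_ARP_REPLIES), NODE_MACS).items():
        print(f"{ip}: claimed by {', '.join(info['macs'])}; firewall nodes: {info['nodes'] or 'none'}")
```

Run on the master node while a client reproduces the TTL-expired symptom; an IP that shows the backup node in its `nodes` list is one the backup is still proxying, which is the check to repeat after moving the address into the CARP vhid group.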
But why do you need proxy arp?
The generic way to do this is to configure the IP address as an alias on the "outside" interface of the OPNsense system and use NAT port forwarding to forward to the "inside" server which uses an address from a completely different network, of course.
Or just route without NAT and place the entire "server network" on the interface to which the server(s) are connected.
Quote from: Patrick M. Hausen on July 14, 2025, 02:20:42 PM
But why do you need proxy arp?
The generic way to do this is to configure the IP address as an alias on the "outside" interface of the OPNsense system and use NAT port forwarding to forward to the "inside" server which uses an address from a completely different network, of course.
Or just route without NAT and place the entire "server network" on the interface to which the server(s) are connected.
We need public IPs on the servers, so we can't use port forwarding and NAT.
We are using an isolated private VLAN because the servers must not connect to each other directly at layer 2, and we control all traffic between servers with OPNsense, so we are using proxy ARP so as not to waste public IPs and to handle this solution.
Maybe a transparent bridge topology might suit your requirements better? I have no experience how this works with high availability. Maybe config sync plus bridging with spanning tree enabled (!) can do the trick, already. No CARP in this case.
I would do a lab setup to try that in your position.
Quote from: MohsenB on July 14, 2025, 03:14:27 PM
We need public IPs on the servers
Proxy ARP is not the proper way to achieve this though.
It just responds to ARP requests with the interface IP.
Can I disable proxy ARP on an OPNsense while the interface is enabled, via the CLI?
You can just delete the virtual IP.