Hi Gents,
I have two OPNsense firewalls on hardware that only has two physical NICs. I have two internet connections, each internet connection connected to one firewall.
There's no option to add an additional NIC to the firewalls, unfortunately. The goal is to eventually replace the firewalls with more suitable hardware. But that's a project for 6-12 months from now. My goal is an OPNsense in a high availability cluster. I want to be able to take a firewall down for patching, and firewall and internet will failover to the 2nd OPNsense firewall.
All of the OPNsense HA tutorials assume a 3NIC configuration. Can I accomplish the same on a 2NIC configuration? The setup is as follows:
My thoughts were that FW1 & FW2 would each have NIC1 dedicated to the WAN. NIC2 would be connected to an unmanaged switch, where I would use VLANs to split LAN and CARP traffic. What are your thoughts about this configuration? Possible? Would you make any changes? What would they be?
If you have a managed switch you can use VLANs to create as many internal networks as you like, including the HA link.
If the switch fails you will enter into a split brain situation, but your clients will be disconnected, too, so ... 🤷‍♂️
If you want HA more for seamless updates without interruption than for actual component failure, that might be a viable approach.
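To make the failover and split-brain behaviour described above concrete, here is an added toy model of CARP master election on the shared HA VLAN (example code, not part of this thread or of OPNsense; node names, advskew values and the `hears` map are constructed).

```python
from dataclasses import dataclass

# Added illustration (not OPNsense code): a minimal model of CARP master
# election on one VLAN, enough to show normal failover and the split-brain
# case when the switch carrying the HA link dies. All values are constructed.

@dataclass
class Node:
    name: str
    advskew: int          # lower advskew = preferred master (constructed: 0 vs 100)
    advbase: int = 1      # base advertisement interval in seconds
    up: bool = True

    def interval(self) -> float:
        # CARP advertises every advbase + advskew/256 seconds; with preemption
        # enabled, the node advertising the shortest interval wins the election.
        return self.advbase + self.advskew / 256


def elect(nodes, hears):
    """Return the CARP state ('MASTER', 'BACKUP' or 'DOWN') of each node.

    hears maps a node name to the set of peer names whose advertisements reach
    it over the CARP/HA VLAN. A live node stays MASTER unless it hears a live
    peer advertising a shorter interval.
    """
    by_name = {n.name: n for n in nodes}
    state = {}
    for n in nodes:
        if not n.up:
            state[n.name] = "DOWN"
            continue
        better = [by_name[p] for p in hears.get(n.name, set())
                  if by_name[p].up and by_name[p].interval() < n.interval()]
        state[n.name] = "BACKUP" if better else "MASTER"
    return state


def scenario(fw1_up=True, fw2_up=True, switch_up=True):
    fw1 = Node("FW1", advskew=0, up=fw1_up)
    fw2 = Node("FW2", advskew=100, up=fw2_up)
    # With the switch up each node hears the other; a dead switch drops the
    # heartbeats in both directions (and cuts the LAN clients off as well).
    hears = {"FW1": {"FW2"}, "FW2": {"FW1"}} if switch_up else {"FW1": set(), "FW2": set()}
    return elect([fw1, fw2], hears)


def masters(state):
    return sorted(n for n, s in state.items() if s == "MASTER")


if __name__ == "__main__":
    print("normal      :", scenario())
    print("FW1 patching:", scenario(fw1_up=False))
    print("switch dead :", scenario(switch_up=False))   # two masters = split brain
```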
Excellent. Thank you for the reply.
So, in my case ISP1 is connected to FW1. And, ISP2 is connected to FW2.
If ISP1 were to go down, is it possible to failover to FW2 and ISP2, even though FW1 is still up?
It should be possible with a routing protocol like BGP or OSPF. If the OPNsense implementation is flexible enough for that I do not know. Last time I managed world wide dynamic routing was with Cisco IOS.
Forgive me, and allow me to rephrase my question.
If ISP1 were to go down (and FW1 remains up), is it possible for OPNsense to route internet over ISP2, even though ISP2 is exclusively plugged into FW2?
With dynamic routing, yes.