OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: skywalker007 on October 31, 2019, 12:18:21 pm

Title: quick Q on cold-standby setup
Post by: skywalker007 on October 31, 2019, 12:18:21 pm
After my OPNsense died last night (complete SSD failure), I decided to build a cold-standby system.
I don't want to run CARP, I am fine with a manual failover.
Can someone confirm this is a good setup?

Primary firewall (4 NICs), auto backup every day.
Second firewall, only primary NIC connected, minimal configuration with some IP so it can reach internet and run updates.
So every time I update my primary, I would power up the spare unit and update it as well.
Once the primary fails, I import the config to the spare device, plug in all NIC cables and it should work?
I assume I manually have to deploy all plugins, or is that part of the backup?

thanks!
 
Title: Re: quick Q on cold-standby setup
Post by: Alphabet Soup on November 01, 2019, 12:38:52 am
Nothing wrong with your plan, and kudos for having a plan!  My cold spare plan is slightly different, but it works for me because maybe my configs don't change as often as yours.

My cold unit is configured exactly like the live unit, same OPNsense version and configuration file.  Then powered off and left that way.  If/When the live unit blows up, I or anybody else can simply swap the cables and power on the cold unit to get things working again.  The cable swapping person doesn't need to know how to log in and upload a configuration backup.  Once internet has been restored, the cold-now-live unit can have its OPNsense updated and a more recent config imported, if necessary, after working hours when it won't affect anybody.

Also, when major updates are due, e.g. 19.1.x to 19.7.x,  I usually do a fresh install on the cold unit then switch over to it as the live unit and leave the live-now-cold unit alone in case something is found totally broken on the new version.  Swap the cables back and I've reverted to a known working unit.
Title: Re: quick Q on cold-standby setup
Post by: bartjsmit on November 01, 2019, 07:50:28 am
There is also a plugin to save your configuration file to Google drive on a cron job.

Bart...
Title: Re: quick Q on cold-standby setup
Post by: skywalker007 on November 04, 2019, 09:15:34 am
Thanks for your input. Really helpful.
Title: Re: quick Q on cold-standby setup
Post by: skywalker007 on November 08, 2019, 03:24:52 pm
I have another question on the same topic.
I bought a second machine from the same vendor (Qotom) and realized they changed the mainboard.
So now my primary machine has "em" Intel NICs and the second one has "igb" based Intel NICs.
With that I assume there is no easy way to sync the configuration from primary to the cold standby.
Any ideas how to tackle that?
I googled a bit and found that FreeBSD 12 seems to unite the two drivers into a new one.
I assume that would also bring identical NIC names on both systems.
But so far OPNsense is based on FreeBSD 11.
thanks, Till
Title: Re: quick Q on cold-standby setup
Post by: skywalker007 on November 10, 2019, 02:21:58 pm
Answering my own question here:
So I got a good workaround which is a short script that uses the exported config.xml, searches and replaces the em interfaces with igb interfaces and then imports this.
That kinda works.
The only thing which I miss here is that I have to install all plugins manually on the backup firewall. Some kind of "you have configs for plugins XYZ, do you want to install those?" would be great.
Nevertheless, I have a working process now.

-Till
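
One way to do the em-to-igb rename described in the post above, as an added example (not the poster's script and not OPNsense code). The sample config is constructed, the element layout (`<if>`, `<vlanif>`) is an assumption about the export, and the function names are hypothetical. It rewrites only element text that is a whole device name, so words such as "system" that merely contain "em" are left alone.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not a real OPNsense export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system><hostname>fw-primary</hostname></system>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1</if><descr>LAN system</descr></lan>
    <opt1><if>em2_vlan10</if><descr>guests</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em2</if><tag>10</tag><vlanif>em2_vlan10</vlanif></vlan>
  </vlans>
</opnsense>
"""

# A whole device name such as em0 or em2_vlan10; never a substring of a word.
DEVICE = re.compile(r"^([a-z]+)(\d+)(_vlan\d+)?$")


def rename_device(token, old, new, unit_map):
    """Return token with the old driver prefix swapped, or unchanged."""
    m = DEVICE.match(token)
    if not m or m.group(1) != old:
        return token
    unit = int(m.group(2))
    return f"{new}{unit_map.get(unit, unit)}{m.group(3) or ''}"


def remap_interfaces(xml_text, old="em", new="igb", unit_map=None):
    """Rewrite device names in element text only; return (xml, changes).

    unit_map renumbers ports, e.g. {0: 1, 1: 0}, if the port order differs.
    """
    root = ET.fromstring(xml_text)
    changes = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        # Handle single names and comma-separated lists of names.
        renamed = ",".join(
            rename_device(t, old, new, unit_map or {}) for t in text.split(",")
        )
        if renamed != text:
            changes.append((elem.tag, text, renamed))
            elem.text = renamed
    xml_out = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0"?>\n' + xml_out, changes
```

The returned `changes` list gives every element that was rewritten, which makes it easy to review the mapping before importing the result on the spare unit.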

Title: Re: quick Q on cold-standby setup
Post by: tomstephens89 on November 10, 2019, 07:33:34 pm
Your plan is fine and at least you have something.

But why not run a HA set up with CARP?

I have done so with pfSense for 5 years and it’s great. And you don’t need to be messing with configs and worrying about manually keeping everything in check.
Title: Re: quick Q on cold-standby setup
Post by: skywalker007 on November 11, 2019, 07:38:35 am
Maybe you are right. I wanted a cold Standby. Avoiding both machines running at the same time and consuming energy. I can live with an hour recovery time. So I thought cold is sufficient in my case.
Title: Re: quick Q on cold-standby setup
Post by: tomstephens89 on November 11, 2019, 02:09:35 pm
I understand RE energy usage. But unless your hardware is massively over-specced then I'd expect power consumption to be minimal.