OPNsense Forum

English Forums => High availability => Topic started by: spider on April 12, 2022, 05:59:21 am

Title: Which Interfaces need a VirtualIP
Post by: spider on April 12, 2022, 05:59:21 am
Hi all,

Do all interfaces need a Virtual IP address?

I've just completed installing a high availability configuration and an OpenVPN client seems to be on-line for a couple of minutes, off-line for a couple of minutes and back on-line again.

The OpenVPN server is on a Linux host and not on the OPNsense host, so the traffic is passing through the OPNsense host. The OPNsense host has a client connection to the OpenVPN host to allow traffic to LAN hosts to access the VPN hosts and has an interface for this OpenVPN client.

There is also a guest subnet for Wi-Fi clients that is connected to both in the HA cluster, which, I think, would need a VIP. Currently only the LAN and WAN interfaces have VIPs.

Hope this makes sense and thanks,
-spider



Title: Re: Which Interfaces need a VirtualIP
Post by: meschmesch on April 12, 2022, 09:32:54 am
No, in my setup for reasons of simplification, only LAN, WAN and Guest have a virtual IP. OpenVPN doesn't. Of course there will be no HA for OpenVPN, but I don't care.

Title: Re: Which Interfaces need a VirtualIP
Post by: spider on April 13, 2022, 03:40:58 am
Quote from: meschmesch on April 12, 2022, 09:32:54 am
> No, in my setup for reasons of simplification, only LAN, WAN and Guest have a virtual IP. OpenVPN doesn't. Of course there will be no HA for OpenVPN, but I don't care.

Thank you, that's good to know. I also don't care if all the services are available when the master is off-line.

I'll try giving the OpenVPN client a VIP to see if this allows this VPN to work reliably.

-spider

Title: Re: Which Interfaces need a VirtualIP
Post by: j_s on April 21, 2022, 11:20:35 pm
VIPs are needed where you want a continuity of services when the primary is offline.

For the businesses I work with, we want continuity of all services during reboots, hardware failures, etc. So every interface we have also has a VIP with it.

As someone who has worked at businesses where VIPs aren't "always" used for all situations, it *really* sucks when you have a network problem, and you're troubleshooting and the lack of VIPs sometimes limits your options for troubleshooting. It also adds a lot of confusion because you're constantly trying to figure out what is broken by design (aka there isn't a VIP) and what is broken by fault.

It really "just sucks" and I'll never operate that way ever again if I have any choice at all.

Inevitably, even if you say "I don't care about VLAN 123 because nobody should be putting anything important on it", someone *will*, approximately 130% of the time, put the most important thing on that VLAN. Then when it goes down because you're updating OPNsense or whatever, people complain about it being down. But then miraculously it just starts working a few minutes later and due to confusion between you, your end users, etc. nobody actually figures out what the problem is for months or years.

Title: Re: Which Interfaces need a VirtualIP
Post by: spider on April 25, 2022, 05:28:50 am
Quote from: j_s on April 21, 2022, 11:20:35 pm
> VIPs are needed where you want a continuity of services when the primary is offline.
>
> For the businesses I work with, we want continuity of all services during reboots, hardware failures, etc. So every interface we have also has a VIP with it.
>
> As someone who has worked at businesses where VIPs aren't "always" used for all situations, it *really* sucks when you have a network problem, and you're troubleshooting and the lack of VIPs sometimes limits your options for troubleshooting. It also adds a lot of confusion because you're constantly trying to figure out what is broken by design (aka there isn't a VIP) and what is broken by fault.

Many thanks for the tip, it makes a lot of sense. It's not always obvious when the backup is running as the master.

What was failing was an OpenVPN pass-through (OpenVPN server on another machine) where the connection was dropping out and coming back every couple of minutes. I guess that the packets were being routed through the master and backup firewalls.

Thanks again
-spider