OPNsense Forum

English Forums => High availability => Topic started by: rainerle on May 20, 2022, 05:16:59 pm

Title: HA : Virtual IP : IPv4/IPv6 : IPsec VPN client wants to connect to backup device
Post by: rainerle on May 20, 2022, 05:16:59 pm
Hi,

following setup:
(https://forum.opnsense.org/index.php?action=dlattach;topic=14374.0;attach=11885;image)

- On both HA partners I have VPN IPsec activated.
- A client on the WAN interface is able to connect using the IPv4 and IPv6 address of the VPN service's domain name
- A client on the LAN interface is able to connect using IPv4
- A client on the LAN interface connecting using the IPv6 address is able to connect, but no network services within the VPN are available.

After looking around I saw that the LAN client connects to the running IPsec service on the backup firewall.

Pinging the VPN domain name from the LAN client gets resolved to the IPv6 virtual IP address, but the connection to the VPN service is established to the backup firewall...  :-[ :-[ :-[



Title: Re: HA : Virtual IP : IPv4/IPv6 : IPsec VPN client wants to connect to backup device
Post by: rainerle on May 25, 2022, 01:08:19 am
After disabling "Router Advertisements" on the backup firewall the problem seems to be gone.

No idea if I have a misconfiguration or if an HA pair should not use unmanaged radvd on the LAN.
Title: Re: HA : Virtual IP : IPv4/IPv6 : IPsec VPN client wants to connect to backup device
Post by: rainerle on May 25, 2022, 01:33:02 am
This seems to be my problem:
https://github.com/radvd-project/radvd/issues/162

Maybe it should be fixed with a workaround like on pfSense.
https://redmine.pfsense.org/issues/11103
Title: Re: HA : Virtual IP : IPv4/IPv6 : IPsec VPN client wants to connect to backup device
Post by: rainerle on May 25, 2022, 01:58:48 am
And then I found this...
https://github.com/opnsense/core/pull/5185
Title: Re: HA : Virtual IP : IPv4/IPv6 : IPsec VPN client wants to connect to backup device
Post by: rainerle on May 25, 2022, 12:38:42 pm
Finally IPv6 with active/passive HA cluster works.

I created an fe80::1/64 CARP Virtual IP per interface and assigned these to the Unmanaged Router Advertisement networks.

Synced to the backup partner, and after an ipconfig release/renew it just works.

IPv6 is so different from how IPv4 works on some levels. Seems I need to get a tutorial...
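As an added example (not from this thread, radvd or OPNsense), the script below models what the final post fixes. It parses ICMPv6 Router Advertisements (RFC 4861) from constructed sample packets and lists the default routers a LAN host would install: an RA source with a non-zero router lifetime. Before the CARP link-local VIP, the master and the backup each advertise from their own fe80:: address, so the host installs both and may send VPN traffic to the backup; afterwards the advertisement comes from fe80::1, which moves with CARP failover. All addresses, MACs, the 2001:db8 prefix and the lifetimes are constructed, and the ICMPv6 checksum is left at zero because nothing here was captured from a wire.

```python
"""Parse ICMPv6 Router Advertisements and report which routers a host would install.

Constructed example for an active/passive HA pair; not captured traffic.
"""
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861 4.2)
OPT_SRC_LLADDR = 1     # Source Link-layer Address option (RFC 4861 4.6.1)
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861 4.6.2)

PREFIX = "2001:db8:10::/64"   # constructed LAN prefix (documentation range)
CARP_VIP = "fe80::1"          # link-local CARP VIP the final post creates


def build_ra(src_mac, prefix, router_lifetime):
    """Build an RA payload (ICMPv6 header + options). Checksum is 0: constructed sample."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt_mac = struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac              # 8 bytes, len=1
    # prefix len, L+A flags, valid lifetime, preferred lifetime, reserved, prefix
    opt_pfx = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                          0xC0, 86400, 14400, 0) + net.network_address.packed  # 32 bytes
    return hdr + opt_mac + opt_pfx


def parse_ra(src_addr, payload):
    """Parse an RA payload sent from src_addr; rejects malformed options (RFC 4861 4.6)."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 header")
    t, code, _csum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if t != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"src": ipaddress.IPv6Address(src_addr), "router_lifetime": lifetime,
          "src_mac": None, "prefixes": []}
    pos = 16
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("zero-length option")       # must be discarded per RFC 4861
        end = pos + olen * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        body = payload[pos + 2:end]
        if otype == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            plen, _pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append((f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                                   valid, preferred))
        pos = end
    return ra


def default_routers(ras):
    """Sources a host would keep in its Default Router List (lifetime > 0)."""
    return sorted({str(ra["src"]) for ra in ras if ra["router_lifetime"] > 0})


def unexpected_routers(ras, expected):
    """Default routers that are not the expected (CARP VIP) address."""
    return [r for r in default_routers(ras) if r != str(ipaddress.IPv6Address(expected))]


def before_fix():
    """Each node advertises from its own link-local address; two routers on the host."""
    master = parse_ra("fe80::a:1", build_ra("02:00:00:00:00:01", PREFIX, 1800))
    backup = parse_ra("fe80::b:2", build_ra("02:00:00:00:00:02", PREFIX, 1800))
    return [master, backup]


def after_fix():
    """Only the CARP master holds fe80::1 and advertises from it (CARP MAC for VHID 1)."""
    return [parse_ra(CARP_VIP, build_ra("00:00:5e:00:01:01", PREFIX, 1800))]


if __name__ == "__main__":
    print("before:", default_routers(before_fix()),
          "unexpected:", unexpected_routers(before_fix(), CARP_VIP))
    print("after: ", default_routers(after_fix()),
          "unexpected:", unexpected_routers(after_fix(), CARP_VIP))
```

To run the same check against a real LAN, capture advertisements with `tcpdump -i <lan-if> -vv 'icmp6 and ip6[40] == 134'` and confirm every RA with a non-zero router lifetime is sourced from the CARP VIP rather than a node's own link-local address; a backup node still sending RAs from its own address is exactly the symptom in the first post.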