OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: dragon2611 on October 19, 2017, 10:41:36 pm

Title: Secondary Firewall
Post by: dragon2611 on October 19, 2017, 10:41:36 pm
Does it cause any issues if the Primary firewall in a HA pair was physical and the secondary was a VM?

Nothing of much importance behind them, just doing NAT for my lab/playground/personal servers environment
Title: Re: Secondary Firewall
Post by: franco on October 20, 2017, 08:34:30 am
Works fine. Just make sure the "smaller" firewall can handle the peak of your traffic in case it needs to take over.


Cheers,
Franco
Title: Re: Secondary Firewall
Post by: xupetas on October 20, 2017, 10:44:02 am
Works beautifully. I recommend (and I think that the documentation recommends it too) that you have a dedicated interface for CARP.
Other recommendations include using e1000 virtual cards on the interfaces that you will be using IDS with IPS active (Suricata) because the virtio cards have an improper implementation / bug of netmap.
Finally (and I don't know if this is a bug in the config or my very weird configuration type), on the CARP interfaces you WILL HAVE TO set rules so the config sync mechanism and the CARP mechanism work.
Again, I don't know if this should be done automatically by OPNsense, or if something is screwed on my config.
Title: Re: Secondary Firewall
Post by: dragon2611 on October 21, 2017, 12:57:47 pm
Do you have to install packages you want to config sync on the second firewall, or is it smart enough to do that automatically if you try to config sync an optional package?
Title: Re: Secondary Firewall
Post by: franco on October 22, 2017, 11:58:24 am
We don't want to rely on automatic package installation. There is still a ticket open to be able to register installed packages in the config.xml for such duties... at least to provide a reinstall button and/or a warning that not all plugins are properly installed.


Cheers,
Franco