OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: guest15512 on January 30, 2018, 08:23:49 am
-
Hi all,
I am planning a new OPNsense installation using the 18.1 release in my home virtual infrastructure. My idea is to install two OPNsense virtual fws in HA. But I have several doubts about how to manage and maintain them. My questions:
- When you configure two pairs of OPNsense appliances as CARPed fws, where do you configure rules: on both nodes, on master node, on backup node?
- Are all objects defined in GUI (like networks, hosts, services, but not initial configuration) replicated on both nodes? Does it matter which node the configuration is performed on?
- What configuration is replicated in both nodes: fw rules, ips rules, all, nothing?
- What about all other services provided by OPNsense out of the box: proxy (transparent mode), SSL-VPN, IPSec, IPS? Do I need to configure every service in both nodes or only in one node?
- Using an external PKI for OpenVPN and transparent proxy: how is it managed with OPNsense? Do I need to create a certificate for every node or can I configure a certificate assigned to a virtual name on both nodes when firewalls are configured as OpenVPN servers?
Many thanks
-
Let me try to answer your questions:
- When you configure two pairs of OPNsense appliances as CARPed fws, where do you configure rules: on both nodes, on master node, on backup node?
> You need to configure new rules on the master node and sync them to the backup.
- Are all objects defined in GUI (like networks, hosts, services, but not initial configuration) replicated on both nodes? Does it matter which node the configuration is performed on?
> Configure on master.
- What configuration is replicated in both nodes: fw rules, ips rules, all, nothing?
> Take a look at the configuration page under System->High Availability->Setting and you will see everything that can be synced automatically.
- What about all other services provided by OPNsense out of the box: proxy (transparent mode), SSL-VPN, IPSec, IPS? Do I need to configure every service in both nodes or only in one node?
> Same answer :-)
- Using an external PKI for OpenVPN and transparent proxy: how is it managed with OPNsense? Do I need to create a certificate for every node or can I configure a certificate assigned to a virtual name on both nodes when firewalls are configured as OpenVPN servers?
> Not sure how this question relates. There is no HA on OpenVPN.
Anyway, I say try it and most of your questions will be answered, see also: https://docs.opnsense.org/manual/how-tos/carp.html?highlight=carp
Cheers,
Jos