OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: guest15512 on January 30, 2018, 08:23:49 am

Title: Installing new 18.1 release in HA
Post by: guest15512 on January 30, 2018, 08:23:49 am
Hi all,

 I am planning a new OPNsense installation using the 18.1 release in my home virtual infrastructure. My idea is to install two OPNsense virtual fws in HA. But I have several doubts about how to manage and maintain them. My questions:
 
  - When you configure two pairs of OPNsense appliances as CARPed fws, where do you configure rules: on both nodes, on master node, on backup node?
  - Are all objects defined in GUI (like networks, hosts, services, but not initial configuration) replicated on both nodes? Does it matter which node the configuration is performed on?
  - What configuration is replicated in both nodes: fw rules, ips rules, all, nothing?
  - What about all other services provided by OPNsense out of the box: proxy (transparent mode), SSL-VPN, IPSec, IPS? Do I need to configure every service in both nodes or only in one node?
  - Using an external PKI for OpenVPN and transparent proxy: how is it managed with OPNsense? Do I need to create a certificate for every node or can I configure a certificate assigned to a virtual name on both nodes when firewalls are configured as OpenVPN servers?

Many thanks

Title: Re: Installing new 18.1 release in HA
Post by: jschellevis on January 30, 2018, 09:11:37 am
Let me try to answer your questions:

  - When you configure two pairs of OPNsense appliances as CARPed fws, where do you configure rules: on both nodes, on master node, on backup node?
> You need to configure new rules on the master node and sync them to the backup.
  - Are all objects defined in GUI (like networks, hosts, services, but not initial configuration) replicated on both nodes? Does it matter which node the configuration is performed on?
> Configure on master.
  - What configuration is replicated in both nodes: fw rules, ips rules, all, nothing?
> Take a look at the configuration page under System->High Availability->Settings and you will see everything that can be synced automatically.
  - What about all other services provided by OPNsense out of the box: proxy (transparent mode), SSL-VPN, IPSec, IPS? Do I need to configure every service in both nodes or only in one node?
> Same answer :-)
  - Using an external PKI for OpenVPN and transparent proxy: how is it managed with OPNsense? Do I need to create a certificate for every node or can I configure a certificate assigned to a virtual name on both nodes when firewalls are configured as OpenVPN servers?
> Not sure how this question relates. There is no HA on OpenVPN.

Anyway, I say try it and most of your questions will be answered. See also: https://docs.opnsense.org/manual/how-tos/carp.html?highlight=carp

Cheers,

Jos