Messages - siginigin

#2
Hi guys, thank you very much for help & explanation.  I'll do that.
#3
Hi,

thanks for the reply. The upstream switch is a managed Cisco, and "Disable preempt" is NOT ticked on the master, but IS ticked on the backup node. I did that because, according to the help line underneath, when the firewall is booted it will switch to master, and I didn't want this feature on the backup node. Or did I get it wrong? Should I have it unticked on both nodes?

It is also worth mentioning that there is one cable missing on the backup node - we are waiting for our networkers to configure it on their switch. So maybe the situation will change once all interfaces are up.

So if I understand correctly - in this case of one cable missing on the backup node, if I unplug a cable from the master, the master node will not fail over all interfaces, but only the one that failed. Otherwise, with all interfaces up on both nodes, if I unplug a cable on the master, it will fail over all interfaces. Is that correct?

And what part of the firewall ensures that all interfaces will fail over, is it the kernel? AFAIK CARP runs independently on each interface, so one CARP per interface. And on the switch side, both interfaces should see each other, i.e. same VLAN with no restrictions.

Thank you.
#4
Hi guys,

Let's assume this simple scenario: we have 2 firewalls in HA, each with 4 physical cables, one of which is a direct connection between them for pfsync. CARP seems to be working, and pfsync is operating.

Now, what happens if I pull out just one cable from a master interface? From what I've seen, the backup firewall becomes master, but only for this one interface; the other interfaces are still backup. So now I have split routing. Client packets behind the new master interface travel through the backup firewall, but returning packets go through the master firewall and are dropped there because of the failed interface.

Cisco ASA has failover interface-policy <percent>, which simply says that if x percent of interfaces fail, the firewalls will fail over all interfaces. Is there something similar on OPNsense?

Thank you for explanation.
#5
19.1 Legacy Series / HAProxy custom config
March 28, 2019, 08:11:21 AM
Hi guys,

I need to have the following code snippet in /usr/local/etc/haproxy.conf in the backend pool:

server kibana_E1 10.1.1.2:443 check inter 2s port 443  check-ssl verify none source 1.1.1.254
server kibana_E2 10.1.1.3:443 check inter 2s port 443  check-ssl verify none source 1.1.1.254
but through the GUI I can only choose ssl instead of check-ssl as the health check. This works if I do it manually in the mentioned file and restart haproxy.
The problem is that this is rewritten after Apply through the GUI.

So how do I do it? The only way I can see now is to edit /usr/local/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf, but I'm not sure what it does after an upgrade.

Currently I'm running 19.1.2.

Thank you for help.
#6
Well, there are transparent ports 3128 and 3129 for IPv4 & IPv6, generated by OPNsense like this:

# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

Moreover, I need to add this for clients who have the proxy configured manually:
http_port 127.0.0.1:3127 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3127 ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

Is that possible?
#7
Hi guys,

I need to configure squid to listen for both transparent and non-transparent requests. I didn't find a web GUI option to do this; only one of them is possible. It is possible to add http_port 3127 in /usr/local/etc/squid/squid.conf, and after service squid restart it works. However, this change is overwritten after a change from the web GUI.

How can this be done? And in general, how can I customize other things not included in the web GUI?

Thank you for your help.