Messages

1

20.1 Legacy Series / Re: [syslog] - Logging Target no longer displayed

« on: February 02, 2021, 03:07:15 pm »

Hello!

We have upgraded to different versions of 20.1 as well and are experiencing the same issue.
"Logging / targets" is empty, but logs are still sent to the servers which were defined in the previous versions configuration.

In the configuration XML, I can see the following:
<syslog>
    <reverse>1</reverse>
    <nentries>50</nentries>
    <remoteserver>log1site1</remoteserver>
    <remoteserver2>log1site2</remoteserver2>
    <remoteserver3/>
    <sourceip/>
    <ipproto>ipv4</ipproto>
    <filter>1</filter>
    <apinger>1</apinger>
    <system>1</system>
    <enable>1</enable>
</syslog>

How the configuration and syslog stats look like from the GUI:
https://imgur.com/a/O3ZULrP


Any suggestions on how to fix it?

2

20.1 Legacy Series / SSH Authorized keys HA synchronization

« on: June 22, 2020, 11:54:21 am »

For some reason users (ssh) authorized keys get synchronized to the backup node only when we manually do the "Synchronize config to backup". Is this intended behaviour?

Would expect OPNsense to automatically synchronize it to backup node when saving configuration after adding the key to a user.

3

General Discussion / Re: High Availability

« on: November 18, 2018, 10:59:47 pm »

Firewall : Settings : Advanced, can you check if you have something with kill states enabled?
Firewall : Diagnostics : States Dump: Open on both machines an check if the states are equal.

Kill states    "Disable State Killing on Gateway Failure" is ticked.

States are not equal tho.
But I do see constant pfsync traffic from Master to Backup from both sides! And the increase of packets picks up speed a lot when I download a big file!
Which should imply that the states are actually sent from Master to Backup.
10.0.0.1 is Master and 10.0.0.2 is backup.

It could be, that since it's not a standard protocol, VirtualBox might have problems with forwarding it correctly?

Changed Promiscuous Mode on the HA interface from "Allow All" to "Allow VMs" and the sessions were transferred. Only to encounter a new issue.

Seems like packets are sent twice or more times from OPNsense towards the client after the Master joins back the cluster. And this applies only for the sessions that were transferred. New sessions work fine.

4

General Discussion / Re: High Availability

« on: November 18, 2018, 09:32:45 pm »

Firewall : Settings : Advanced, can you check if you have something with kill states enabled?
Firewall : Diagnostics : States Dump: Open on both machines an check if the states are equal.

Kill states    "Disable State Killing on Gateway Failure" is ticked.

States are not equal tho.
But I do see constant pfsync traffic from Master to Backup from both sides! And the increase of packets picks up speed a lot when I download a big file!
Which should imply that the states are actually sent from Master to Backup.
10.0.0.1 is Master and 10.0.0.2 is backup.

It could be, that since it's not a standard protocol, VirtualBox might have problems with forwarding it correctly?

5

General Discussion / Re: High Availability

« on: November 18, 2018, 06:37:02 pm »

Firewall in HA is everything allowed? Do you see something blocked?

Yes. Anything and everything allowed on HA.

6

General Discussion / Re: High Availability

« on: November 18, 2018, 05:13:43 pm »

Screenshot of your HA settings please
Normally this should work.

HA is working correctly when I disconnect the cables, but the sessions are not transferred.
Settings on the master. All settings possible are synced with the backup.

7

General Discussion / High Availability (on VirtualBox)

« on: November 18, 2018, 04:22:20 pm »

Hello!

First of all my humble thank you to everyone who has put in their time for this project. It's amazing! <3

I've been fiddling around with OPNsense for the last couple of days. My experience so far has been with enterprise firewalls (Cisco & Fortigate mostly), but I'm considering using OPNsense for a side-project.

My main worry is seamless HA, so I labbed it up on VirtualBox with 2x OPNsense and a client host.
When I finally got everything working (had to enable Promiscuous mode in VirtualBox for CARP), I first tested what happens when I shut down or reboot the Master of the cluster.

I found that the sessions will not be transferred and I will lose quite a bunch of pings into a black hole (just guessing, but probably because the master is not telling the backup, that it's no longer routing the packets, until CARP detects it when the master has finally shut down).

Secondly I tested what happens when I just disconnect the ethernet cables from the master, while there's a download going and ping running. I did not lose any pings (nice!), but the session was still not transferred to the backup OPNsense.

I documented these tests into a video, which can be found here
It's a too long video, but I only discovered in the 2nd part of the video, that I could see what was happening with the sessions with the pfTop feature. Anyways you can see everything in the first minutes.

Do you know if the sessions not being transferred to the other member of the cluster is working as intended or is there something wrong with my setup or it's a bug?