Messages - danbet

#1
The ticket HA & monit helps me.
#2
High availability / Re: HA & monit
July 26, 2024, 01:27:38 PM
Thank you, that helps me.
#3
High availability / Inscrutable reboot of Monit.
July 15, 2024, 04:42:29 PM
In an HA configuration, I receive a notification every day from the backup firewall that the Monit service is stopped and started again. The stop is at 01:05:09 and the start is at 01:05:10. I can't find anything in the logs that indicates this restart.

Does anyone have any advice?
#4
For an HA configuration, the exact same hardware is required, as is said time and again. What exactly does that mean?

Do the boxes have to be exactly the same, or is it only important that the order of the interfaces is correct?
LAN = LAN
WAN = WAN
OPT1 = OPT1
OPT2 = OPT2

What does this mean for virtual machines? For example, if one is running on VMware ESXi and the other on KVM/QEMU? Does this work or not, because it is not the same "hardware"?

Or if e1000 is used as the interface in one VM under VMware ESXi and VMXNET3 in the other?
#5
General Discussion / Re: How to find my older posts?
April 22, 2024, 10:20:26 AM
Thank you. But I can only show unread posts since my last visit. I want to search all my posts. If I use the advanced search I have to give a search term. But I want to see all my posts, at least the last ten.
#6
High availability / Re: HA CARP VIP question
April 22, 2024, 10:03:07 AM
I found the solution for VMware ESXi: I had to enable promiscuous mode for all the interfaces. For this I created port groups used only for the VMs with OPNsense.
#7
I found the solution for VMware ESXi: I had to enable promiscuous mode for all the interfaces. For this I created port groups used only for the VMs with OPNsense.
#8
High availability / Re: CARP WAN VIP not reachable
April 22, 2024, 09:08:59 AM
I found the solution for VMware ESXi: I had to enable promiscuous mode for all the interfaces. For this I created port groups used only for the VMs with OPNsense.
#9
General Discussion / How to find my older posts?
April 09, 2024, 04:22:35 PM
How do I find my previous posts or their answers? Or posts I've written in other people's posts? I can't remember the titles or exact wording. I can't search for my username.
#10
When setting up the HA cluster, I followed the manual: https://docs.opnsense.org/manual/how-tos/carp.html, but I have a small problem that prevents me from putting the cluster into operation.

I cannot reach the public virtual address. However, if I have a VPN active for the IP address of one of the two devices, I can reach the virtual address of the LAN interface. When I am on site in the internal network, I can reach both the virtual address from the LAN and the one with the public IP address.

By reach I mean, on the one hand, pinging and, on the other hand, logging into the system via SSH.

I don't have any physical devices; both OPNsense firewalls are implemented as VMs under VMware ESXi. The security settings MAC address changes and Forged transmits are allowed on the vSwitch.

What did I forget to configure?
#11
I have MAC address changes enabled and Forged transmits, but not Promiscuous mode. I observed traffic to 224.0.0.18.

So I'll activate promiscuous mode and test it again. Unfortunately I won't be able to try this out until the next maintenance window.
#12
High availability / Re: HA CARP VIP question
December 15, 2023, 04:23:24 PM
Even though I have HA active, the CARP interfaces still don't work. Neither for the LAN interface nor for the WAN interface.
#13
Quote from: Monviech on December 06, 2023, 04:23:02 PM
Turning the old firewall off won't be seamless. You have to have a downtime window where you can turn the old firewall off, and give its IP addresses as CARP VIPs to the new firewalls. That way, all clients can reach the former IP addresses on the new firewalls and everything continues to work. And then you have to configure those CARP VIPs to provide all of the former services that were reachable on the old firewall. You can have as many CARP VIPs as you want, they all just need to be in separate VHID groups. So just add them additionally to your already existing ones.

Also make sure the CARP VIPs always have the same subnet as their parent interface. The CARP VIPs have to be /24 if the parent interface is also /24. Don't use /32 ones.

Everything worked without any problems, but unfortunately no traffic is accepted at the VIPs. The VIPs are configured correctly as far as I can see. I've read through all of them three or four times and can't find a mistake.

These are not physical machines, but virtual ones under VMware ESXi.

So I now have two OPNsense boxes, I can switch manually by setting the IP addresses of all interfaces accordingly, but unfortunately I don't have an automatic failover.
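As an added example, not part of this post or of OPNsense's own code: a small Python checker for the two rules in the quoted advice, that each CARP VIP sits in its parent interface's subnet with the same prefix length (never /32) and that every VIP uses its own VHID. The interface names, addresses and VHIDs below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Vip:
    interface: str  # parent interface name, e.g. "wan" (constructed)
    address: str    # VIP in CIDR notation, as it would be entered in the GUI
    vhid: int       # CARP virtual host id


def check_carp_vips(interfaces: dict[str, str], vips: list[Vip]) -> list[str]:
    """Return the problems found; an empty list means the VIPs look consistent.

    interfaces maps a parent interface name to its own address in CIDR notation.
    """
    problems = []
    seen_vhids = {}
    for vip in vips:
        parent_cidr = interfaces.get(vip.interface)
        if parent_cidr is None:
            problems.append(f"{vip.address}: unknown parent interface {vip.interface}")
            continue
        parent = ipaddress.ip_interface(parent_cidr)
        addr = ipaddress.ip_interface(vip.address)
        # Rule 1: the VIP carries the parent's prefix length, so a /32 VIP is wrong,
        # and with the right prefix it must land in the parent's subnet.
        if addr.network.prefixlen == addr.max_prefixlen:
            problems.append(f"{vip.address}: /{addr.max_prefixlen} VIP, use "
                            f"/{parent.network.prefixlen} like the parent")
        elif addr.network != parent.network:
            problems.append(f"{vip.address}: not in parent subnet {parent.network}")
        # Rule 2: every VIP needs a separate VHID group.
        if vip.vhid in seen_vhids:
            problems.append(f"{vip.address}: VHID {vip.vhid} already used by {seen_vhids[vip.vhid]}")
        else:
            seen_vhids[vip.vhid] = vip.address
    return problems


# Constructed sample: two correct VIPs, one /32 mistake, one wrong subnet with a reused VHID.
SAMPLE_INTERFACES = {"lan": "192.168.10.2/24", "wan": "203.0.113.2/24"}
SAMPLE_VIPS = [
    Vip("lan", "192.168.10.1/24", 1),
    Vip("wan", "203.0.113.1/24", 2),
    Vip("wan", "203.0.113.5/32", 3),   # wrong: /32 VIP
    Vip("lan", "192.168.20.1/24", 1),  # wrong: other subnet, and VHID 1 reused
]

if __name__ == "__main__":
    for line in check_carp_vips(SAMPLE_INTERFACES, SAMPLE_VIPS) or ["no problems found"]:
        print(line)
```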
#14
High availability / Re: CARP WAN VIP not reachable
December 11, 2023, 03:39:13 PM
I have no such setting. I can only choose SR-IOV passthrough as the network interface, but I chose E1000.
#15
High availability / Question about CARP configuration
December 11, 2023, 11:25:09 AM
Here https://docs.opnsense.org/manual/how-tos/carp.html#setup-interfaces-basic-firewall-rules is some text that I don't understand:
Because we're connecting both firewalls using a direct cable connection, we will add a single rule to accept all traffic on all protocols for that specific interface. Another option is to only accept traffic to the GUI port and pfSync protocol.

What does this "single rule" refer to? In this case, is there no need for a rule on the WAN and LAN, but just this one? However, it's not clear to me what this one should look like.

Does the LAN interface even need a rule that allows CARP? By default it already has one that allows all traffic into the LAN.

Please explain in more detail what these rules should be.