Messages

1

High availability / Re: Help with HA cluster and IPSEC tunnel

« on: October 01, 2024, 05:55:26 pm »

Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPSEC tunnel is actually down (despite DPD etc.) takes forever.

I didn't bother too much, I switched to Wireguard tunnel.
It's from my homelab to my parents for DR backups so, it just need to work!
It also increased drastically speed, so it was a win.

2

High availability / Re: Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

« on: July 17, 2024, 07:51:46 am »

Actually I've PPPoE active with a single dhcp IP. So this is the problem.
I will try to migrarte the WAN interface behind the router with private CARP IPs

No problem, hope you can sort it out!

CARP need a single IP per interface on each FW in order to be able to create a VIP.
Here you can have an overview:
https://docs.opnsense.org/manual/how-tos/carp.html

You Wireguard tunnel will be based on VIP 172.18.0.100 in this example.

3

High availability / Re: Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

« on: July 16, 2024, 03:43:22 pm »

I've a HA pair with PPPoE.

I can't understand the sepcificity of PPPoE pon HA setup, but one of the "obvious" thing to configure is the VIP for Wireguard tunnel.
Setting name is:  Depend on (CARP)

In my setup, each Firewall has a dedicateed IP on the Internet router "LAN" which in my case is used as a transfer network only. Don't know if it is possible with PPPoE

4

High availability / Re: Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

« on: June 17, 2024, 10:06:27 pm »

I have another cluster where Wireguard works perfectly through an HA failure.

Well it's done, I have my HA setup properly working with Wireguard.
Thanks again for the feedback

5

High availability / Re: Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

« on: May 29, 2024, 11:05:38 am »

I have another cluster where Wireguard works perfectly through an HA failure.

That is a very good news! Thanks for the quick feedback... now I know what to do this afternnon!

6

High availability / Re: Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

« on: May 29, 2024, 10:55:07 am »

Hi,

Did you figure it out?
I just installed an OPNsense cluster and I'd like to switch from IPSEC legacy tunnel to Wireguard tunnel.

Thanks

7

High availability / Help with HA cluster and IPSEC tunnel

« on: May 24, 2024, 01:31:46 pm »

Hi there,

I set up a new HA cluster for my home infra and so far, migration has been great, everything seems to be working as expected. HA works when I switch CARP manually or if I shutdown/restart the master.

Everything... except my IPSEC VPN tunnel that doesn't switch over.

My Phase 1 is configured to the WAN CARP IP and I also tried to disable MOBIKE as mentioned here https://forum.opnsense.org/index.php?topic=19244.0
pfsync interface is a dedicated cable and there is a rule that allows everything between both FWs.

As I'm fairly new to HA, I don't know what to expect here but I tried to switchover/restart the master and also tried to shut it down for 10 minutes but this didn't help, IPSEC tunnel is only coming back after master is up again.

IPSEC tunnel is still in the legacy mode, I don't know if switching to the newer version would help.

Where can I start looking? Thanks in advance

K.R
Franck

8

High availability / Re: [SOLVED] Problem Loading High Availability Status Page

« on: May 24, 2024, 01:16:20 pm »

I know this is marked solved but its the first post that comes up. After two days of messing with HA, spinning up new VMs, I figured out the problem was due to ACME client and port redirection from the master. All I had to do was click the (i) and it was pretty obvious. Ensure if you have changed the web admin port you specify the entire URI under the System->High Availability->Settings> Synchronize Config to ip.  IE https://192.168.0.2:8443. They synchronize Peer IP remains just an IP. I hope this save someone time. The is the only thing left out of the official documentation.

Remember HA is using web API to configure everything.

Thanks a lot, this helped me too to solve this "rule disapearing issue"...

9

23.1 Legacy Series / IPSEc tunnel not reconnecting after switch maintenance

« on: March 01, 2023, 09:54:39 am »

Hi there,

I made a recent design change to allow the possibility to patch my network switches without interruption.
(https://forum.opnsense.org/index.php?topic=32211.msg155680#msg155680)

So my physical firewall has 2 NICs configured in failover mode in a LAGG, spread on 2 physical switches. So is my Internet router (yeah double NAT is not ideal, but I have no choice with my provider)
All the interfaces work is done via VLANs & different interfaces.

RTSTP is activated on switches so the 2nd link of the router is disabled if the switch number 1 is online.

If I power off or update the switch 1, Internet and all the other things continue to work "as expected", except my IPSEC tunnel to another failover site. When the switch come back online, it doesn't reconnect it.

I've tried to restart the IPSEC service, nothing will work unless I restart the firewall. Restarting the firewall or service on remote site doesn't help.

Any idea what could be the issue and how to solve this?

Thanks in advance for your help

10

General Discussion / Re: LAGG redesign question

« on: January 31, 2023, 01:46:45 pm »

@pmhausen thanks a lot, I think this answers my questions!

11

General Discussion / Re: LAGG redesign question

« on: January 31, 2023, 01:06:14 pm »

Failover is the only setting that might work.

Would you know what would mean "If the master port becomes unavailable, the next active port is used."?

Depends really on how the unavailability is defined. The physical connectivity might always be on in case of switch reboot and traffic interrupted anyway

But I guess I'll to try no?

12

General Discussion / LAGG redesign question

« on: January 31, 2023, 11:31:14 am »

Hi there,

I've a question concerning my firewall NIC/LAGG design.

Up to now, I had a single switch (Ubiquiti) and I had 2 physical NICs configured in LACP on my OPNsense firewall. All interfaces were managed by different VLANs (including WAN connectivity)

But to ease the whole firmware patch management and offer redundancy on several systems, I bought a second switch.

Now, as Ubiquiti doesn't offer LACP on several physical switches, I'm wondering what is the best LAGG type I should now configure to have redundancy/a bit of load balancing between both links: would you choose failover, loadbalance or round robin?

My first reflex would be to go to loadbalance, but maybe there is a few things to consider before. Maybe a LAGG is not the best option at all.

Thanks in advance for your advices!

PS: If required/better, I could add 2 physical NICs in the server (but from the load, it is not necessary at all)

13

21.1 Legacy Series / Re: syslog on WAN with Public IP not sending into IPSec even with NAT

« on: December 31, 2021, 08:33:42 am »

I have started working on it ...

Lovely to hear that too, I just started to implement Wazuh in my lab and was figuring out why one of my FW was not able to send logs back to the server

14

Hardware and Performance / Re: VM to hardware migration and performance optimization

« on: April 30, 2021, 04:11:09 pm »

At the console check that both of these return '1':

Code: [Select]

sysctl hw.pci.enable_msi
sysctl hw.pci.enable_msix
Are you getting a faster internet connection in addition to the 10gbit NICs? Otherwise I'm not sure there would be much realized benefit here unless the ISP over-provisions beyond 1gbit?

I get 1 for both commands, so nothing more on that level. I have no plan to update CPU, but I'll have a look.

For the 10 GB/s, as I've several zones and one in particular is the multimedia that communicate with my Plex server on another zone, it might be good to have something "strong". Even if I go 4k in the future, 1GB/s will not saturate them but the 10 GB/s are also an Inteal NIC, which should be able to offload some things.

But I need to purchase 2 extra Twinax cables first!

For the future, I also plan to put a proxy so kids can have filtered Internet, nut I'll try that in a VM lab first to see how it works and if I can integrate it with AD auth.

15

French - Français / Re: Hardware pour WAN fibre avec streaming

« on: April 21, 2021, 11:52:17 am »

Bonjour,

Quel est le problème avec le fait d'utiliser des processeurs de 2013-2014 ?
Un i5 de cette période ferait largement l'affaire dans ton cas.

Un processeur plus récent, donc plus puissant, et fanless, c'est compliqué.

Je le rejoins un petit peu : on sous-estime souvent les besoins hardware pour profiter pleinement de sa ligne.

Moi perso, j'ai du migrer d'une VM qui tournait sur un Core i7-6800K avec 2 cœurs à un serveur physique dédié (Core i5-4570) pour avoir une vitesse à 500Mb/s sur une ligne d'1 Gb/s, avec la latence induite (CPU et disque surtout) de la virtualisation, ça ne décollait pas.

Et je n'y croyais pas avant d'avoir remarqué que ma VM était plus rapide sur le processeur le plus rapide (j'ai plusieurs hosts de générations différentes)

Mais après, ça dépend aussi de tes besoins concernant le firewall (vitesse, fonctionnalités).
C'est quoi ton projet ?