Messages - EHRETic

#1
Hi there,

Same issue for me, fixed with the hotfix.
Thanks a lot for the quick reaction!👌

PS: Live view was also broken and the fix solved it too.
#2
Quote from: Patrick M. Hausen on February 06, 2025, 02:29:49 PM
It's not my prerogative to consider or not consider change requests - I am just an OPNsense user and Deciso customer like most people on this forum.

Oops, but the more of us there are, the greater the chances! 😊

I did open a feature request in the meantime (not really a bug IMHO)
#3
Quote from: Patrick M. Hausen on February 04, 2025, 11:06:48 AM
I agree. The wording could be more helpful. Would you open an issue on Github about that?


Sure I will, thanks for considering it! 👌
#4
I indeed read "system: migrate HA status page to MVC/API" in the release notes, but it didn't really make me understand what it means.

So if it is the Synchronize and reconfigure all, it is not clear at all, because if you put your mouse on the button, it is displaying "Restart all services"... 😁
There is also the link Perform synchronization, in the HA settings area, right behind Configuration Synchronization Settings (XMLRPC Sync), but also not very clear.

None of them is giving you a clear status/result anyway so any chance to change the way we get a confirmation that everything is running smoothly?

PS: I'd love to hear from dev team to understand the change, there is probably a good reason.
#5
Hi there,

I might be mistaken by a change, but I can't find the small "synchronize to backup" button for HA settings in the new 25.1 UI.

And therefore, also missing the small status when you press on it!

Is it missing or is it moved somewhere else? Thx in advance!
#6
Thanks a lot for the fix!

I thought I was going crazy this morning when I got no Internet anymore... :)
#7
Quote from: j.koopmann on September 27, 2024, 06:58:31 PM
Have you ever found a solution to this? I am stuck in the same problem. The detection that an IPSEC tunnel is actually down (despite DPD etc.) takes forever.

I didn't bother too much, I switched to Wireguard tunnel.
It's from my homelab to my parents for DR backups so, it just needs to work!
It also drastically increased speed, so it was a win. :)
#8
Quote from: MartinG on July 17, 2024, 06:58:31 AM
Actually I've PPPoE active with a single dhcp IP. So this is the problem.
I will try to migrate the WAN interface behind the router with private CARP IPs

No problem, hope you can sort it out! ;)

CARP needs a single IP per interface on each FW in order to be able to create a VIP.
Here you can have an overview:
https://docs.opnsense.org/manual/how-tos/carp.html

Your Wireguard tunnel will be based on VIP 172.18.0.100 in this example.
#9
Quote from: MartinG on July 16, 2024, 03:09:57 PM
I've a HA pair with PPPoE.

I can't understand the specificity of PPPoE on HA setup, but one of the "obvious" things to configure is the VIP for Wireguard tunnel.
Setting name is: Depend on (CARP)

In my setup, each Firewall has a dedicated IP on the Internet router "LAN" which in my case is used as a transfer network only. Don't know if it is possible with PPPoE ;)
#10
Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

Well it's done, I have my HA setup properly working with Wireguard.
Thanks again for the feedback ;)
#11
Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

That is very good news! Thanks for the quick feedback... now I know what to do this afternoon! ;D
#12
Hi,

Did you figure it out?
I just installed an OPNsense cluster and I'd like to switch from IPSEC legacy tunnel to Wireguard tunnel.

Thanks ;)
#13
Hi there,

I set up a new HA cluster for my home infra and so far, migration has been great, everything seems to be working as expected. HA works when I switch CARP manually or if I shutdown/restart the master.

Everything... except my IPSEC VPN tunnel that doesn't switch over. :(

My Phase 1 is configured to the WAN CARP IP and I also tried to disable MOBIKE as mentioned here https://forum.opnsense.org/index.php?topic=19244.0
pfsync interface is a dedicated cable and there is a rule that allows everything between both FWs.

As I'm fairly new to HA, I don't know what to expect here but I tried to switchover/restart the master and also tried to shut it down for 10 minutes but this didn't help, IPSEC tunnel is only coming back after master is up again.

IPSEC tunnel is still in the legacy mode, I don't know if switching to the newer version would help.

Where can I start looking? Thanks in advance ;)

K.R
Franck
#14
Quote from: Zeimin on March 20, 2024, 07:38:39 AM
I know this is marked solved but it's the first post that comes up. After two days of messing with HA, spinning up new VMs, I figured out the problem was due to ACME client and port redirection from the master. All I had to do was click the (i) and it was pretty obvious. Ensure if you have changed the web admin port you specify the entire URI under the System->High Availability->Settings> Synchronize Config to ip. IE https://192.168.0.2:8443. The synchronize Peer IP remains just an IP. I hope this saves someone time. This is the only thing left out of the official documentation.

Remember HA is using web API to configure everything.

Thanks a lot, this helped me too to solve this "rule disappearing issue"... :)
#15
Hi there,

I made a recent design change to allow the possibility to patch my network switches without interruption.
(https://forum.opnsense.org/index.php?topic=32211.msg155680#msg155680)

So my physical firewall has 2 NICs configured in failover mode in a LAGG, spread on 2 physical switches. So is my Internet router (yeah double NAT is not ideal, but I have no choice with my provider)
All the interfaces work is done via VLANs & different interfaces.

RTSTP is activated on switches so the 2nd link of the router is disabled if the switch number 1 is online.

If I power off or update the switch 1, Internet and all the other things continue to work "as expected", except my IPSEC tunnel to another failover site. When the switch comes back online, it doesn't reconnect it.

I've tried to restart the IPSEC service, nothing will work unless I restart the firewall. Restarting the firewall or service on remote site doesn't help.

Any idea what could be the issue and how to solve this?

Thanks in advance for your help ;)