Messages - clopmz

#1
24.7, 24.10 Legacy Series / Dashboards are not synced
August 22, 2024, 07:43:42 PM
Hi all,

Recently I have updated two CARP'ed firewalls from the 24.1.10 release to the 24.7.2 release and all seems to work ok except for dashboards. Dashboards are not synced between master and backup node, and this feature worked perfectly in release 24.1.10.

Is this a bug or do I need to accomplish some actions?
#2
My IPsec tunnels are policy based ...

Uhmm ... It is very rare ...
#3
I don't think so... In the firewall logs there is nothing, no blocking ... Running a tcpdump on the pflog0 interface of the backup firewall.

If I run a tcpdump on the LAN interface of the backup fw I see packets arriving but not returning ...
#4
When I access both by ssh and https I do it to the real IP of the fw, never to the CARP virtual ip.

But the result is always the same: I cannot connect to the backup node until I stop the master node.
#5
Many thanks Monviech. I had thought about the same thing, but it is not very operative ...

But I can't understand why, having both firewalls configured the same, I can access one and not the other.

Another option that exists is to set up a WireGuard tunnel in each one and I think it will work but it complicates maintenance a lot ...

The thing is that I can't see what the problem is ...
#6
Good morning,

I have configured two OPNsense firewalls in HA mode using CARP. These firewalls connect via IPsec tunnel to CheckPoint firewalls. Everything works correctly: the hosts behind the OPNsense firewalls are reachable from the hosts behind the Checkpoint firewalls and vice versa, etc.

But the problem comes when I try to manage these OPNsense firewalls from a computer behind the CheckPoint firewalls. I can always access the master node but never the backup node (neither by ssh nor by webgui). If I shut down the master node, I can access the node that was backup without any problems, both via ssh and webgui.

I have enabled "Disable reply-to on WAN rules" but nothing. Analysing the traffic that arrives to the node that I cannot access, I can see how the ssh and webgui requests arrive and do so through the IPsec tunnel, but do not return.

What could be the problem with the backup node, is it a routing problem through the IPsec tunnel?

Many thanks for your help.
#7
Good morning,

Sorry to disturb with this, but I am totally lost. I am trying to set up an OPNsense firewall in my internal networks as an internal firewall. Another OpenBSD firewall exists, acting as the external firewall.

To use OPNsense as the internal firewall, I have disabled the "Block private networks" and "Block bogon networks" options on the WAN interface. Outbound NAT is also disabled. But two things happen:

- ALL traffic is accepted on WAN. It doesn't matter what rules I configure, all traffic is accepted. Always.
- Packets traversing the WAN interface are blocked back on the LAN interface.

An example (hn0 is the LAN interface):

00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.030043 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:02.018105 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:00.031078 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0

And finally: if I disable the firewall completely with the command "pfctl -F all", everything works correctly (which makes me rule out a routing problem).

Any idea? My OPNsense firewall is release 23.1.11-amd64.
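As an added example (not code from the post or from OPNsense), a small Python triage script that parses pflog output in the format quoted above: it pairs each header line with the packet line that follows it and classifies blocked packets by TCP flags, which makes it visible that rule 10 on hn0 is dropping SYN-ACK replies, i.e. the return half of sessions that no existing state matched. The sample input is two of the quoted entries, embedded as constructed data.

```python
import re
from collections import Counter

# Constructed sample: two of the pflog entries quoted in the post (hn0 is the LAN
# interface), in the two-line layout that tcpdump prints for the pflog0 interface.
PFLOG_SAMPLE = """\
00:00:00.000000 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
00:00:01.010020 rule 10/0(match): block in on hn0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.10.5.22 > 172.17.10.133.39016: Flags [S.], cksum 0x9de8 (correct), seq 2876699433, ack 2917434529, win 64240, options [mss 1418,nop,nop,sackOK,nop,wscale 7], length 0
"""

# Header line: timestamp, matched rule, action, direction, interface, protocol.
HEADER = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<direction>in|out) "
    r"on (?P<ifname>\w+):.*?proto (?P<proto>\w+)"
)
# Packet line: endpoints (last dotted component is the port) and TCP flags.
PACKET = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_pflog(text):
    """Pair each pflog header line with its packet line; returns a list of dicts."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        m = PACKET.match(line)
        if m and header:
            entries.append({**header, **m.groupdict()})
            header = None
    return entries

def classify(entry):
    """Label a TCP packet by which step of a session its flags belong to."""
    if entry["proto"] != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "S" in flags and "." in flags:
        return "syn-ack reply"   # server's answer; pf passes it only if the SYN created state
    if "S" in flags:
        return "new syn"         # first step; this is where a stateful rule creates state
    return "established"         # ACK/data/FIN of an already-open session

def summarize(entries):
    """Count blocked packets per interface, direction, rule and packet class."""
    return Counter((e["ifname"], e["direction"], e["rule"], classify(e))
                   for e in entries if e["action"] == "block")
```

A summary dominated by ("hn0", "in", "10", "syn-ack reply") says the LAN side never saw a state for these sessions, which is the pattern to look for before suspecting routing.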
#8
Please, any help?
#9
Hi neilh2048,

I am trying to accomplish the same scenario but in GCP instead of AWS ... have you used load balancers? In GCP, load balancers fail to health-check.

It would be awesome if you could write some lines regarding your configuration.

Thanks
#10
Hi all,

I have installed two OPNsense fws as virtual machines in GCP. All is working ok, except when I try to configure an external load balancer to use these fws in HA mode, due to the impossibility of configuring CARP in cloud providers.

I have configured this external load balancer to perform health-checks against OPNsense's web interface, but the load balancer always returns "timeout" and the backend pools appear down (the backends are the OPNsense fws). I have configured rules on the WAN interface to allow access from Google's health-check networks: 35.191.0.0/16, 209.85.152.0/22, 209.85.204.0/22 ... and nothing ... it is always a timeout.

Due to this problem, I have installed an Ubuntu VM with an nginx server to check my load balancer config, and it works.

Having arrived at this point I am completely lost ... Any ideas? What am I doing wrong?
#11
High availability / Debugging HA sync config
May 23, 2023, 06:28:40 PM
Hi all,

I have two OPNsense firewalls with CARP configured (release 23.1.7_3-amd64). I have configured HA sync (only in MASTER node) and I've added a cronjob to sync every 5 min, but synchronization never occurs.

If I execute the sync manually all works ok. The web gui is configured to listen on all interfaces.

Is there some log file where I can debug this behaviour?

Thanks.
#12
Good morning,

Maybe it is a stupid question, but is it possible to sync some config options (like cronjobs, aliases, etc.) using the High Availability option without using CARP interfaces?

Many thanks for your help
#13
20.7 Legacy Series / Re: Loading pftables from files
August 10, 2020, 01:12:29 PM
Thanks Franco,

Is it the only option? I would like my pf tables to be consistent when the fw starts ... Using the curl option, the pf tables will be empty until the scripts run ...
#14
Many thanks Franco ... It is working ...
#15
Please, any help/tip on this?