Messages

Hi,

as far as I see there are only two prerequisites:
a) correct carp setup (e.g. "Ensure one machine's advskew<20 (and the other is >20)")
b) definition of Failover peer IP on each dhcp node

my setup is running fine, maybe this link is useful for you, too: https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration (also note the order of the steps in regards of dhcp...)

BR
Berndt

Hi em.tie,

It took a while for me to set up a ha cluster with automatic failover in regards of wireguard, too...

fw rule and nat rule is correct, you should use your wan carp ip
I guess the following is missing on your setup:

change the wireguard implementation from go to kmod:
ssh into the shell:

Code Select Expand

pkg install wireguard-kmod
after a reboot it will be used instead of wireguard-go. "The wireguard-go service will show as stopped since the go implementation isn't being used, due to the kernel module, OPNsense will fix this in a later release."

you can sync wireguard settings via ha and wireguard seems to be fine running/enabled on both (!) nodes with the same (!) tunnel address.
When one node goes down carp ip will be switched and after a few (...) seconds the wireguard tunnels terminate on the new node.
Prerequisite is really a perfectly running carp setup, for example my isp modem blocks carp multicasts by default, so in my case my provider had to activate this to get things running.

BR
Berndt