High availability / How to set up different VPNs on master/backup with Sync enabled?
« on: April 29, 2024, 01:45:49 pm »
Hello,
I have the following situation:
* two firewalls
* in total, one incoming WireGuard VPN endpoint that is bound to CARP
* one outgoing WireGuard VPN *per* device that should always be up if the machine is running
The problem is that with HA sync, by default all WireGuard VPNs are up on the primary machine:
- fw1: incoming, outgoing1, outgoing2
- fw2: -
I then thought, OK, I can try to have ONE CARP address on fw2 that is the MASTER by default instead of fw1. However, it seems that the HA sync always modifies the advskew so that the secondary firewall is slower. Even setting it to 254 on the master only sets it to 254 on the backup.
Then I thought maybe I can create a binding to an IP alias on each machine; however, WireGuard does not support that.
In the end, what I want to have is:
- fw1: outgoing1
- fw2: outgoing2
- active/master/primary fw: incoming
How do I achieve this with OPNsense?