Messages - gglockner

#1
Hardware and Performance / Dual WAN/Dual router
May 15, 2023, 09:13:10 PM
tl;dr: How do you set up CARP where each router has its own modem, but under normal operation the modems are set up for load balancing?

Background: At my work data center, I configured CARP with two routers sharing a fixed /29 WAN block. It works great.

At home, I currently have a single router with dual WAN. My residential WAN providers use DHCP (cable) and PPPoE (DSL). Currently I use two gateway groups: one with cable in Tier 1 and DSL in Tier 2, the other gateway group with the Tiers reversed. Then I have firewall rules that pick the gateway group based on the traffic type, so that I can prioritize traffic on the different gateways.

Now I want to add a second OPNsense router for high availability at home. Unless I'm missing something, I see no good way for me to set up a CARP VIP for the WAN. What I'd like to do is connect each modem to a single router and set up a CARP VIP only for the LAN. And to handle the load balancing and WAN failover, I would set up opnsense2 as a second gateway for opnsense1, and vice versa, perhaps using a dedicated interface/LAN. Any further suggestions would be appreciated.
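The tiered gateway groups described above can be modelled to check what each traffic class does when a WAN drops. The following simulation is an added example, not code from the post or from OPNsense; it assumes the usual gateway-group semantics (lower tier number is preferred, healthy members of one tier are load-balanced round-robin, a tier whose members are all down is skipped) and uses constructed gateway, group and policy names.

```python
"""Added simulation of OPNsense-style gateway-group tier selection.
Assumed semantics: lower tier wins, same-tier members are round-robined,
a fully-down tier is skipped. Names below are constructed, not from the post."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    online: bool = True   # what the gateway monitor would report


@dataclass
class GatewayGroup:
    name: str
    tiers: dict                    # tier number -> list of Gateway
    _next: int = field(default=0)  # round-robin cursor within the active tier

    def active_members(self):
        """Healthy members of the lowest tier that still has one; [] if all are down."""
        for tier in sorted(self.tiers):
            members = [gw for gw in self.tiers[tier] if gw.online]
            if members:
                return members
        return []

    def select(self):
        """Gateway a new flow is policy-routed to, or None when every member is down."""
        members = self.active_members()
        if not members:
            return None
        gw = members[self._next % len(members)]
        self._next += 1
        return gw.name


def build_groups(cable, dsl):
    """The two reversed-tier groups from the post plus a plain balanced group."""
    return {
        "CABLE_FIRST": GatewayGroup("CABLE_FIRST", {1: [cable], 2: [dsl]}),
        "DSL_FIRST":   GatewayGroup("DSL_FIRST",   {1: [dsl],   2: [cable]}),
        "BALANCED":    GatewayGroup("BALANCED",    {1: [cable, dsl]}),
    }


# Constructed stand-in for the firewall rules: traffic type -> gateway group
POLICY = {"voip": "CABLE_FIRST", "backup": "DSL_FIRST", "web": "BALANCED"}


def route(traffic, groups):
    return groups[POLICY[traffic]].select()


def failover_table(cable_up, dsl_up):
    """Which WAN each traffic type lands on for a given link state."""
    cable = Gateway("WAN_CABLE", cable_up)
    dsl = Gateway("WAN_DSL", dsl_up)
    groups = build_groups(cable, dsl)
    return {traffic: route(traffic, groups) for traffic in POLICY}


if __name__ == "__main__":
    for state in [(True, True), (False, True), (True, False), (False, False)]:
        print("cable_up=%s dsl_up=%s -> %s" % (state[0], state[1], failover_table(*state)))
```

Running the block prints one row per link state; with cable down every class collapses onto WAN_DSL, which is the behaviour the single-router setup relies on and which a two-router design has to reproduce through the cross-router gateways.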
#2
Never mind. Side effect of an unrelated change on my LAN. Everything is fine now.
#3
23.1 Legacy Series / Name resolution on opnsense device
January 27, 2023, 12:29:58 AM
I have some firewall aliases that depend on LAN name resolution, e.g. "servers" could be a firewall host alias pointing to server1.mydomain.com and server2.mydomain.com. Unbound is resolving these correctly: on a LAN computer, the command

host server1.mydomain.com

returns something like: "server1.mydomain.com has address 192.168.16.250".

Unfortunately, if I SSH onto the OPNsense device itself, it's unable to resolve this: host server1.mydomain.com and dig server1.mydomain.com both hang. However, dig @localhost server1.mydomain.com returns the correct values on the OPNsense device. So it looks like a DNS config issue on OPNsense.

This is a regression in 23.1: this configuration worked fine in 22.7 and earlier. Any advice is appreciated.
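The symptom above (plain dig hangs, dig @localhost answers) points at the firewall's own resolver configuration rather than at Unbound. The following diagnostic is an added example, not from the post or from the OPNsense project: it parses resolv.conf text, reports whether the loopback resolver is listed and listed first, and can send a single UDP A query to a nameserver to see whether it answers within a timeout, which is what dig @server does. The two resolv.conf samples are constructed; on the firewall the real file is /etc/resolv.conf.

```python
"""Added diagnostic for a host whose own lookups hang while dig @localhost works.
Parses resolv.conf, flags a missing or mis-ordered loopback nameserver, and can
probe a nameserver with one raw DNS query. Sample files are constructed."""
import random
import socket
import struct

LOOPBACK = {"127.0.0.1", "::1"}


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, options) from resolv.conf contents."""
    nameservers, search, options = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(args)
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                options[name] = val or True
    return nameservers, search, options


def diagnose(text):
    """List findings that would explain local lookups hanging; [] means config looks sane."""
    nameservers, _, _ = parse_resolv_conf(text)
    findings = []
    if not nameservers:
        findings.append("no nameserver entries: the libc resolver has nothing to query")
    elif not any(ns in LOOPBACK for ns in nameservers):
        findings.append("loopback (127.0.0.1/::1) is not listed; the host bypasses its own "
                        "Unbound and asks only " + ", ".join(nameservers))
    elif nameservers[0] not in LOOPBACK:
        findings.append("loopback is not first; the resolver tries " + nameservers[0] +
                        " first and waits for its timeout before falling back")
    return findings


def probe(nameserver, qname, timeout=2.0):
    """Send one A query over UDP and return True if the server replies in time.
    A plain-Python stand-in for `dig @nameserver qname` with a short timeout."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    query = header + question + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    family = socket.AF_INET6 if ":" in nameserver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (nameserver, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)                 # matching ID, QR bit set


# Constructed samples: a sane file and one that only names an upstream server.
GOOD = "search mydomain.com\nnameserver 127.0.0.1\nnameserver ::1\n"
BAD = "# constructed sample\nsearch mydomain.com\nnameserver 203.0.113.53\noptions timeout:5\n"
MISORDERED = "search mydomain.com\nnameserver 203.0.113.53\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD), ("MISORDERED", MISORDERED)):
        print(label, diagnose(text) or ["ok"])
    # On the firewall itself: print(diagnose(open("/etc/resolv.conf").read()))
    # and probe("127.0.0.1", "server1.mydomain.com") to confirm Unbound answers.
```

The probe only reports whether a server answered at all; it deliberately does not parse the answer section, because the question here is reachability and timeout, not record contents.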