Messages

1

High availability / Re: Master/Backup status for WAN and LAN interfaces simultaneously

« on: July 25, 2023, 09:42:14 pm »

Thank you Monviech for reply.

I think yes, I have firewall rules set correctly. CARP protocol is allowed on all interfaces with VIP by Automatically generated rules. I think it should be OK.

2

High availability / Master/Backup status for WAN and LAN interfaces simultaneously

« on: July 24, 2023, 09:20:27 pm »

Hello,

We have installed two OPNsense nodes (in virtual environment with Proxmox). On both firewalls are configured two virtual IPs - one for WAN interface and one for LAN interface.

We have sometimes found unexpected behavior when first OPNsense node has MASTER for WAN and BACKUP for LAN interface and second OPNsense node has BACKUP for WAN and MASTER for LAN interface.

We dont know why firewalls are getting into this broken state.

I think this behavior should be controlled via: System: High Availability: Settings: Disable preempt. We have this checkboxes UNCHECKED on both firewalls. I read documentation and I did some searching on the internet and I am thinking when this option is unchecked, firewalls are switch all other interfaces when one fails. So I thing this settings is correct.

The virtual IPs are configured this way:
First OPNsense

Code: [Select]

172.20.0.254/22 101 (freq. 1/0) LAN CARP LAN-GW  
178.238.37.27/26 100 (freq. 1/0) WAN CARP WAN-CARP
Second OPNsense

Code: [Select]

172.20.0.254/22 101 (freq. 1/100) LAN CARP LAN-GW  
178.238.37.27/26 100 (freq. 1/100) WAN CARP WAN-CARP
By the way, we have turn off MAC filter on Proxmox firewall.

Could please anyone help me solve this problem?

Thank you!
Regards Tomas