Messages - Elia99

#1
Quote from: Patrick M. Hausen on July 18, 2024, 01:36:06 PM
1. Why are you setting a monitor IP?
2. Your NAT rule tries to NAT all outbound traffic including everything from the firewall itself.

Change the NAT rule from

Source: *

to

Source: an alias that sums up all your internal networks

HTH,
Patrick

It works! Thank you so much Patrick, you made my day!
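The two outbound NAT rules Patrick contrasts, written out as pf.conf fragments so the difference is visible (an added illustration for this thread, not OPNsense's generated ruleset; the interface name, the CARP VIP address and the alias members are assumed placeholders, and the comment on why the broad rule hurts a backup node is my explanation of Patrick's remark, not something the thread spells out):

```pf
# Placeholders (assumed, not taken from the thread)
wan_if   = "vtnet0"
carp_vip = "203.0.113.10"                 # shared CARP VIP on the WAN side
table <internal_nets> { 192.168.10.0/24, 192.168.20.0/24 }   # alias of all internal networks

# BEFORE (Source: *): matches every packet leaving $wan_if, including the
# firewall's own traffic such as gateway monitor probes sent from each node's
# fixed WAN address. On the backup node those probes get rewritten to a VIP it
# does not currently hold, so their replies never come back to it.
# nat on $wan_if from any to any -> $carp_vip

# AFTER (Source: alias of internal networks): only forwarded traffic from the
# LAN/VLAN networks is translated; the firewall's own packets keep the
# per-node WAN address, so both nodes can monitor the gateway independently.
nat on $wan_if from <internal_nets> to any -> $carp_vip
```

In the OPNsense GUI this corresponds to setting the outbound NAT rule's Source field to the alias instead of "*"; after the change, the secondary node's gateway status is the quickest check that its own traffic is no longer being rewritten.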
#2
Yes, I have an x.x.x.x/29 public subnet; both firewalls have a fixed public IP on their corresponding WAN interfaces, and then there is a WAN Virtual IP configured.

I linked some screenshots about it:

https://postimg.cc/gallery/NBbgBNf

I really don't know what to check, I'm struggling here.
#3
Patrick, could you tell me how you get both gateways working and online on your setups?

I followed this guide to configure CARP and HA:

https://docs.opnsense.org/manual/how-tos/carp.html#
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-ha-on-opnsense

But every time I create an HA cluster, in the end I have a primary node (master) with an online and working gateway and a secondary node (slave) with an offline and non-working gateway.
#4
Thank you very much! This info is crucial, I'll try to investigate and fix it, thanks again Patrick.
#5
Thanks Patrick, I have already read the manual section about the CARP upgrade. For me it isn't very clear; let's take the first step:

Quote:
Update your secondary unit and wait until it is online again

How can I update the secondary unit if it has a gateway which is marked as "offline"?
Currently I have the primary node, which is the master; everything is running nicely and smoothly, but the secondary unit's gateway is marked as "offline" and upgrading from the GUI or CLI isn't working, so I can't follow those steps to upgrade remotely.

Any hint?
#6
Hello, is there a way to upgrade an OPNsense HA cluster remotely? I haven't found much on this topic in the forum.
#7
Hello there!

I have a working HA cluster and I was always able to upgrade both nodes successfully.

Now I would like to provide an HA setup to a customer; the problem is that their office is in another town, very far from where I am.

Obviously I'll need to go there at least once to configure both firewalls for the first time and set up CARP and HA, but how can I upgrade the HA cluster remotely? I don't want to go there each time I need to upgrade to a newer OPNsense version.

Right now, to upgrade my firewalls I need to temporarily disable CARP on the secondary node (slave) and force a new WAN gateway (which is my Linux laptop with a wireless adapter connected to my smartphone hotspot, then bridged with a wired adapter to which the OPNsense WAN is connected) in order to let the secondary node get out to the Internet; then, after the upgrade of the secondary, I re-enable CARP on it and perform a failover from the primary node (master) in order to let the secondary node (which I just upgraded) become the master, and thus upgrade the new primary node (which previously was the master).

So, I have some questions:

1) Generally speaking, is this the correct way to upgrade both nodes of an HA cluster?
2) How can I upgrade a cluster remotely?
3) How can I install a new plugin on both primary and secondary nodes without causing downtimes?

In the docs I see these steps, but I don't know how they are going to work if the secondary node is basically offline (it can't reach the Internet, thus can't reach the OPNsense repos to upgrade).

Quote:
Example: Updating a CARP HA Cluster
Running a redundant Active/Passive cluster leads to the expectation of zero downtime. To keep the downtime to a minimum when running updates, just follow these steps:

Update your secondary unit and wait until it is online again

On your primary unit go to Interfaces ‣ Virtual IPs ‣ Status and click Enter Persistent CARP Maintenance Mode

Your secondary unit is now MASTER; check if all services like DHCP, VPN, NAT are working correctly

If you ensured the update was fine, update your primary unit and hit Leave Persistent CARP Maintenance Mode

With these steps you will not lose too many packets, and your existing connections will be transferred as well. Also note that entering persistent mode survives a reboot.

Any help?
#8
Thank you Moviech for the comprehensive reply!

I just added the same VHID value to the IP Alias addresses.
For now, I'm satisfied with this setup, thanks again.
#9
Hello there,
I configured two OPNsense firewalls (23.1.6) in HA mode.

My ISP provides a public subnet X.X.X.X/28, so I have one fixed IP configured on my WAN side, a virtual IP for HA in CARP mode and several public IP Aliases on which several services are port forwarded to our internal servers (please see the attached image).

My question is (since I'm not able to find anything in the manual about multiple public IPs and OPNsense HA): is this High Availability setup correct from a WAN perspective? Have I handled those public IPs correctly? Thanks!