Messages - klingon888

#1
I'm getting these warnings in my logs in both Master and Backup servers. How to fix? Thanks.

radvd: our AdvLinkMTU on vtnet0 doesn't agree with fe80::192:168:1:1

- vtnet0 is my LAN
- fe80::192:168:1:1 is my VIP link-local address, set up according to https://docs.opnsense.org/manual/how-tos/carp.html#setup-virtual-ipv6-link-local-address
- IPv6 is set up as SLAAC
- MTU is left at defaults, not configured on any interfaces

#2
Another Q: what about my WireGuard setup?

- Do I need to set a different "Tunnel Address"? My FW1 is 192.168.8.1/24. Do I need to set 192.168.8.2/24 for FW2?
- Do I set the "Depend On Carp" field to 192.168.1.1 which is my VIP LAN address?

#3
Thanks for straightening me out :D Guess I thought FW2 should be a replica of FW1 with the exception of the CARP-related config. Still learning.....

BTW, I guess the problem some people like me have with "pasting" screenshots is probably because most sites just allow you to copy and paste screenshots, whereas this site requires you to first save the screenshots as a file and then "paste" them as file attachments.

#4
Quote from: Patrick M. Hausen on July 30, 2024, 04:07:06 PM
Quote from: klingon888 on July 30, 2024, 03:46:04 PM
The site won't allow me to paste screenshots, so I'm attaching a .pdf of the screens.
You cannot have the same IP address on both firewalls in that VLAN 10 ...

OK. I've attached JPEGs as attachments. Is this what you mean, set FW1 static IP 192.168.10.1 and FW2 static IP 192.168.10.2? Thanks.

#5
The site won't allow me to paste screenshots, so I'm attaching a .pdf of the screens.

#6
Quote from: Patrick M. Hausen on July 30, 2024, 03:02:38 PM
Please post the interface configuration of both firewalls for that VLAN and the configuration of that CARP address.

New to this... is there a specific shell command to do this or will screenshots do?

#7
FW1 - xx:xx:xx:db:9b:4c
FW2 - xx:xx:xx:68:dd:f0
VLAN10 - 192.168.10.1

I'm on v24.1.10_3 and set up CARP following OPNsense's docs and it seems to be working with auto fail-over.

BUT I keep getting this Notice in FW1 logs complaining about FW2 using its IP address:
<3>arp: xx:xx:xx:68:dd:f0 is using my IP address 192.168.10.1 on vlan0.10!

Due to this, my VLAN0.10 keeps getting disconnected. This goes away when I power off my FW2. How do I fix this? Thanks.

#8
I struggled a bit too but followed the steps on this post https://forum.opnsense.org/index.php?topic=32741.0 and it worked for me. But I use SLAAC instead of DHCPv6 for the LAN. If you want SLAAC, for Router Advertisements, just set to "Unmanaged" and leave the rest as default.

I'm no expert but I noticed your prefix delegation size is 57. Is that correct? I typically only see 56 or 64.

#9
General Discussion / IPv6 and dynamic DNS updates
May 29, 2024, 02:34:22 AM
With IPv4, I only have 1 external WAN IP address, so the DDNS update can be done at the router level. But with IPv6, I can have 5 servers with 5 different external IPv6 addresses.

Since most providers don't provide static IPv6 yet, what's the best way to update my AAAA entries at the DDNS provider? Do I run separate update bash scripts on each of the servers? And aside from setting up a cronjob for the update, how do I detect when the IP changes at the server level so I can trigger an update?
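One way to handle the per-server part of the question above (added example, not from the post or from OPNsense): a POSIX shell script for each Linux host that picks its stable global IPv6 address out of `ip -6 addr` output, compares it with the address it last published, and calls a placeholder `ddns_update` hook only on change. The state-file path and the hook name are assumptions; the provider API call is yours to fill in.

```sh
#!/bin/sh
# Added example (not from the post or OPNsense): per-host IPv6 DDNS check.
# Run it from cron every few minutes; it calls the update hook only when
# the host's stable global IPv6 address differs from the last one recorded.
# Assumes Linux iproute2 `ip`; `ddns_update` is a hypothetical placeholder.

STATE_FILE="${STATE_FILE:-/var/tmp/ddns_last_ipv6}"

# Read `ip -6 addr show` text on stdin and print the first stable global
# address: skip link-local (fe80::/10), ULA (fc00::/7), temporary
# (privacy) and deprecated addresses, which should never go into AAAA.
pick_global_ipv6() {
    awk '
        $1 == "inet6" {
            addr = $2; sub(/\/.*/, "", addr)
            lc = tolower(addr)
            if (lc ~ /^fe[89ab]/ || lc ~ /^f[cd]/) next
            if ($0 ~ /temporary/ || $0 ~ /deprecated/) next
            if ($0 ~ / scope global/) { print addr; exit }
        }'
}

# needs_update ADDR STATE_FILE: succeeds (0) when ADDR is non-empty and
# differs from the address stored in STATE_FILE (or no state exists yet).
needs_update() {
    new="$1"; state="$2"
    [ -n "$new" ] || return 1
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$new" ]
}

# Hypothetical hook: replace with your DDNS provider's update request.
ddns_update() {
    echo "would update AAAA record to $1 (placeholder for provider API call)"
}

main() {
    current=$(ip -6 addr show scope global | pick_global_ipv6)
    if needs_update "$current" "$STATE_FILE"; then
        ddns_update "$current" && printf '%s\n' "$current" > "$STATE_FILE"
    fi
}

# Run only when executed under this name, not when sourced by a test.
case "${0##*/}" in
    ddns_ipv6_check.sh) main ;;
esac
```

The same script works unchanged on every server, each keeping its own state file, so a cron entry per host is all the "separate scripts" you need.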

#10
Thanks for sharing your experience on this. Now why didn't I think of this earlier??! ::) Guess my brain was only chasing the path of maybe there is a setup in OPNsense to point the 192.168.1.1 GW to 192.168.1.220! Your solution is simple and works.

#11
FYI, I also posted this on the Reddit group, hoping to get an answer on either forum.

I managed to get High Availability/CARP working.

Firewall 1 IP: 192.168.1.1
Firewall 2 IP: 192.168.1.10
VIP LAN: 192.168.1.220

Now, my problem is with existing IoT devices (lots!) and Proxmox LXC/VMs which I have set up with static IPs/gateways where the gateway is pointing to 192.168.1.1. So, when I switch the Master over to 192.168.1.10, everything stops working. I can manually change all my existing devices' gateway to the VIP LAN IP of 192.168.1.220 but it's going to be painful. It's also not a smart way of doing this in case I need to revert to a single firewall. Is there a smarter or simpler way of doing this? Googling didn't turn up anything. Thanks.