Messages

Forgive me, and allow me to rephrase my question.

If ISP1 where to go down (and FW1 remains up), is it possible for OPNsense to route internet over ISP2, even though ISP2 is exclusively plugged into FW2?

Excellent. Thank you for the reply.

So, in my case ISP1 is connected to FW1. And, ISP2 is connected to FW2.

If ISP1 were to go down, is it possible to failover to FW2 and ISP2, even though FW1 is still up?

Hi Gents,

I have two OPNsense firewalls on hardware that only has two physical NICs. I have two internet connections, each internet connection connected to one firewall.

There's no option to add an additional NIC to the firewalls, unfortunately. The goal is to eventually replace the firewalls with more suitable hardware. But that's a project for 6-12 months from now. My goal is an OPNsense in a high availability cluster. I want to be able to take a firewall down for patching, and firewall and internet will failover to the 2nd OPNsense firewall.

All of the OPNsense HA tutorials assume a 3NIC configuration. Can I accomplish the same on a 2NIC configuration? The setup is as follows:

My thoughts were that FW1 & FW2 would each have NIC1 dedicated to the WAN. NIC2 would be connected to an unmanaged switch, where I would use VLANs to split LAN and CARP traffic. What's your thoughts about this configuration? Possible? Would you make any changes? What would they be?

I explored that option, but decided not to go that route. Didn't like the idea of multiple HAProxy server (potentially running at different versions). And, trying to keep my OPNsense server as "clean" as possible, with only the core services running on it.

Anyone else, please?

We have OPNsense sitting between our internal network and the Internet. Once allowed through OPNsense, inbound web requests coming in from the Internet to our web servers are proxied by 2x HAProxy servers. Is there a way to get OPNsense to perform regular "Healthcheck" monitors to the HAProxy servers to ensure that the servers are healthy, and prepared to serve requests? Ideally OPNsense should perform regular HTTP requests, and close the path to the faulting HAProxy server (e.g. http://ip.to.haproxy.server/I/am/healthy). But, at this point, I'll settle for a simple PING test.

Forgive me if this is obvious, but I haven't found anything after 2HRs of searching...

[easy]

If you are a n00bie like me, and are coming across this article... I figured it out. Below are the steps:

• Install OpenVPN Access Server (OpenVPN AS) on a Virtual Appliance or Dedicated Device.
• On your firewall, "Pinhole" the OpenVPN port through the firewall (usually UDP Port 1194).
• Update the hostname to OpenVPN AS to a DNS entry that is accessible locally (e.g. 192.168.x.x) and globally (123.456.x.x).
• Get an SSL certificate from LetsEncrypt, and configure automatic renewals (guide).
• In OpenVPN Access Server, configure SAML Authentication with your Identity Provider (IdP) of choice (e.g. Entra, Google, IBM Verify, etc.)
• With OpenVPN Access Server, configure your Access Control policy via User Permissions or Group Permissions
• Use your phone to test the if your SAML authentication and OpenVPN Access Control policies are working.

As for forum moderators and OPNsense developers, I think it would be helpful if within your documentation you emphasised that OpenVPN Access Server is an easy option for organisations looking to implement a MFA-protected VPN solution. IMO everything on the web points to using OpenVPN embedded into OPNsense, making organisations think that authentication via RADIUS and LDAP are the only options.

Personally, for VPN I think it is safer to limit the number of times end-users need to enter their username/password. Instead, each time they access they should complete a push/biometric challenge. Since re-authentication is so much faster, you can make your VPN disconnect after a few minutes of inactivity. And, end-users can't really complain since reconnecting is so simple. OpenVPN AS as a FREE license that allows 2 concurrent connections. After that you have to purchase a subscription, which is reasonable, all things considered.

We have replaced our Fortinet FW with OPNsense. One of the outstanding things is get VPN back up and running. With the Fortinet VPN we were using SAML for Authentication, and I'd really like to continue to do that for ease of use by our end-users. It seems like we need to implement OpenVPN Access Server to have SAML authentication (source).

I've scoured the internet for the past 2HRs, no luck finding a guide for deploying OpenVPN Access Server and configuring it to work with OPNsense. Can someone please refer one for me?

Also, if we deploy OpenVPN Access Server, can we still configure an a Site-to-Site IPSec VPN *on OPNsense*? Or, does configuring the OpenVPN Access Server disable the OPNsense Site-to-Site VPN feature and offload all VPN to OpenVPN Access Server?

Ideally, I would like Site-to-Site to be done through OPNsense. And, end-users to VPN using OpenVPN Access Server, authenticating using SAML authentication.