Messages

You configure a CARP address on the Internet facing (WAN) interface and use that as the endpoint for your IPsec tunnel(s). Connectivity will move with the CARP address in case the primary node fails.

Did you setup your HA cluster following the documentation? So you have a HA/CARP address on all interfaces?

Yes I've got my HA cluster configured as per the documentation. My concern is not the OPNsense node failing but the other end. Be it a hardware failure or ISP being down, I am trying to get my OPNsense cluster to have a secondary IPSEC connection going to the opposite site, to their secondary connection.

Hello everyone,

I have two Deciso DEC2752 units in a HA configuration that I am soon about to deploy.

At this moment I am nearly ready except I need to figure out how to configure my OPNsense deployment so that if my primary IPSEC VPN connection goes down, the secondary IPSEC VPN connection will establish.

The remote end are two Versa-SDWAN appliances. Versa #1 has one ISP connection and Versa #2 has the other IPS connection. Both ISP connections are for separate ISPs for redundancy.

Right now, my OPNsense cluster is configured for IPSEC VPN to Versa #1 Public IP. I can power off one of my OPNsense units and the other kicks in as expected.

But for whatever reason I cannot seem to figure out how to apply some kind of metric/weight to keep the primary IPSEC tunnel active and failover to the other IPSEC tunnel if my primary versa is down.

Would anybody be able to point me into the direction on what to read or how to accomplish this?


Thank you!

Hello everyone,

Our organization uses Cisco Umbrella for web filtering. Our our primary site (Home Office) I have two Cisco Umbrella Virtual Forwarders that are used for DNS resolution.

I am working on configuring and testing two DEC2752 units in a HA configuration for a remote office. The remote office will connect to Home Office via IPSEC site to site VPN connection.

This remote office is small enough that there is not and won't be any server onsite. Due to this, I want our web traffic from the remote site to traverse the VPN tunnel back to the home office.

Now, in the event that the VPN tunnel is down, I want to use Cisco Umberella public DNS IPs.

The remote office staff get their IP addressing/DNS information VIA AD/DHCP. This of course won't work when the tunnel is down.

I was thinking that I might be able to configure the public DNS IP addresses in the OPNsense System/General settings but I am not sure if that would help.

Within OPNsense, I have not configured Unbound/DNSMasq.

Any suggestions with my current configuration on what I can do to keep web traffic flowing if IPSEC is down?


Thank you,

Well I guess I'll document this myself.

Frusterated by this, I factory reset both devices, logged in, deleted the LAN interface and setup my core VLAN. Setup my public IP addresses for each device, the gateways and left them connected to the internet.

Not configured in HA, both devices show regular activity for their WAN gateways. Again, not going to disable gateway monitoring as I want to see the status/functionality of my gateway.

FW #1:


FW #2:



So this looks normal to me. I know my ISP (Bell Canada) and my service is stable since I have other services (VPN) using the same static IP range connected to a different firewall.

I will leave this connected over the weekend and check in and see how it is going. I suspect something was mis-configured but I'm a bit surprised that following the guides I did had me experience this.

I do think the OPNsense team needs to work on their community building more. Lack of support/interaction on many posts (not just mine) doesn't drive users to donate or buy official hardware.

[FW#1:]

Hello team,

I have two DEC2752 units I'm working on for our remote office. Both are configured as HA. For some reason, the primary/master unit is often showing my WAN Gateway down, when it is not.

I've got a /27 subnet with 3+ available public IPs that I am using. No IPv6.

Between my ISP router and the HA cluster, connectivity is to a basic HPE wan switch. I have my ISP connection on a VLAN and the OPNsense WAN connections are untagged/access to that VLAN.

I've reviewed my HA settings and everything looks fine but I'm not sure why this is occurring. I have enabled gateway monitoring (why would I want it off?) and only monitoring my ISP gateway.

Here is what I see in Reporting --> Health --> Quality = WAN

FW#1:







FW#2:









I have confirmed that my ethernet cabling is tested good and I don't have any funky configuration on the wan switch (it acts as a dumb switch to forward traffic, nothing special configured on it).

I'm really not sure where to go from here as I know my WAN connection is 100% fine since we have another connecting using an available IP from my /27 block, providing a critical service and it doesn't go down.


Thank you

["Always create Carp VIPs with the same subnet mask as it's parent interface. If the parent interface is /24, your Carp VIP should also be /24. Even though some sources claim that /32 will work, services like DHCP Failover will fail with peer holds all free leases."]

Hello everyone,

I was looking to get some clarification on OPNsense HA/CARP settings as I've got two units I'm building for a remote office.

Connectivity from this remote office will be via IPSEC VPN back to HQ. No local DHCP will be used. DHCP will be provided by my AD DHCP servers for the time being.

1) "Always create Carp VIPs with the same subnet mask as it's parent interface. If the parent interface is /24, your Carp VIP should also be /24. Even though some sources claim that /32 will work, services like DHCP Failover will fail with peer holds all free leases."
https://docs.opnsense.org/manual/how-tos/carp.html#adding-multiple-carp-ips

My Core VLAN is a /28 and I assign .1 and .2 to be my OPNsense devices. .3 will be my Core VLAN Virtual IP.

The rest of my VLANs at this location are /24. So with the above documentation stating to use the same CARP Subnet Mask as the parent interface (Core VLAN = /28), is this a real issue if I have CARP IPs set for the rest of my VLANs as /24?


2) "When designing a high-availability CARP setup, the underlying switch infrastructure plays a critical role in ensuring proper failover and performance. Both firewall nodes should ideally reside in the same Layer 2 broadcast domain and preferably within a unified switching fabric."

I just wanted to confirm this. My two OPNsense firewalls will reside on VLAN 1100 (CORE VLAN) while my switch IP is part of my VLAN 32 (MGMT VLAN). The Default Gateway for VLAN 32 is the CARP IP of VLAN 32 (10.103.32.3) and the ports from the switch to each OPNsense FW are tagged with the required VLANs.

This should be fine, just want to clarify this as my broadcast domain for VLAN 1100 (Core VLAN) will have both OPNsense firewalls part of it.



3) I'm not clear on the impact on both firewalls and connectivity if one VLAN/interface doesn't have a rule to allow CARP packets.

Commenting to see how this works out as I have nothing to help with.

[Insight]

Hello OPNsense team,

As an OPNsense user at home and slowly working to deploy it out for some of our smaller sites, a nice to have feature would be to have a dashboard widget, similar to the Firewall Live View but allow it to show representation of maybe 24 hours/x days.

I realize that maybe this data can be sent off to a data collector but it would be nice and convenient if there was something on the dashboard that showed not just live but statistics from a period of time.

While working on a new OPNsense deployment and testing/reviewing what is being blocked, its much easier to see this from the dashboard widget currently versus the actual live log. It just makes it difficult when the dashboard widget resets every time the page is reloaded.

I realize there is the Insight setting under Reporting but it would be nice to have this type of data on the dashboard for quick overview.

Is there a reason that the team hasn't deployed this? I bet there are higher priority items but I would like to see what others think regarding this.

Edit: I realize I can go into Firewall --> Log Files --> Overview but this doesn't show time periods (1h, 2h, 12h, 24h, etc...).

It would be nice to have this data easily visible from the dashboard. My old simple Cisco ASA5505 had this ability and that thing has 128mb of memory!

Edit 2: If the dashboard Firewall widget would stop refreshing every time the page refreshed, that would be nice. What is annoying about this widget is that the colors of the firewall rules changes each time the page is refreshed.

So if my eyes are quickly focusing on Red for Block - WAN to LAN Emerging Threats, when I refresh the page, it will change each time.

Its a nice widget but I personally think it needs to be reworked to provide better and consistent data.

Thanks

Add another user that is having this issue.

[100723] <Error> -- Just ran out of space in the queue. Please file a bug report on this   

[Edit:]

Hello everyone,

I'm working on building out the configuration for our new Deciso DEC2752 that will be going into a remote office.

Between HQ and remote office, I would really want to use DHCP relay inside the IPSec VPN tunnel so that the workstations and users at the remote office get IP addressing from our DHCP servers at HQ.

I came across past posts about some issues with this type of configuration but I'm not clear if it was a configuration issue or a problem within FreeBSD/OPNsense.

As I have the business license with our unit, I'm sure we will be using ISC DHCP.

Does anybody have any recent experience with the latest versions of OPNsense and DHCP relay inside IPSec VPN?


Thanks


Edit:
From reading this post: https://forum.opnsense.org/index.php?topic=39555.0

"We're moving to OpenBSD's dhcrelay (the development version migration is done) which can theoretically handle layer 2 and layer 3 relay, but there are no plans to start dashing out layer 3 relay support in OPNsense. We did always require a layer 2 device to relay from."

My remote site would be:

OPNsense FW --> Aruba L2 2530 Switch.

The aruba switch allows me to set ip helper-addresses on each vlan.

So if I set my DHCP server IP for each VLAN ip helper-address entry per vlan on the switch, does this sound like it would work? This way I don't have to configure DHCP relay in OPNsense and use my L2 switch for that instead.

The remote site is about 2 hours away so I'm trying to understand how to make this work, test it and deploy it.

For anyone else looking for this uncheck the AUTOCOLLECT box and you will be able to set gateway and dns.

Thanks for posting this!

Hey intelliIT,

Did you get anywhere with this? I'm in a similar situation and came across your thread just now.

Now, nda1 (the new drive) may have been formatted and used in another random PC so I'm unsure if its an issue with formatting?

Can you try wiping the new drive first (sure you do it on the right device! Backup is always a good idea, of course):

As mentioned in OPNsense Forum: Formatting whole disk before installation, try destroy the disk and delete the first 1M of the drive:

Code Select Expand

gpart destroy -F nda1
dd if=/dev/zero of=/dev/nda1 bs=1M count=1

Thank you,

That doesn't seem to work.

Code Select Expand

root@OPNsense:~ # gpart destroy -F nda1
gpart: arg0 'nda1': Invalid argument


I did a bit more searching around and I came across a similar issue on a different system-forum:
https://www.truenas.com/community/threads/create-new-pool-ends-with-error-command-gpart-create-s-gpt-dev-ada0-returned-non-zero-exit-status-1.77775/

I did set

Code Select Expand

sysctl kern.geom.debugflags=16

and then I ran

Code Select Expand

gpart create -s gpt /dev/nda1
After that, I then was able to proceed with the instructions for adding the second NVME disk to Opnsense.

Now it looks like everything is complete.

When I go into zpool status, I can see both nda0p4 and nda1p4 listed.

Code Select Expand

root@OPNsense:~ # zpool status
  pool: zroot
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
        The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool may no longer be accessible by software that does not support
        the features. See zpool-features(7) for details.
  scan: resilvered 2.33G in 00:00:04 with 0 errors on Sat Mar 22 10:59:11 2025
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            nda0p4  ONLINE       0     0     0
            nda1p4  ONLINE       0     0     0

errors: No known data errors


Thank you,

Hello everyone,

I have the CWWK N100 and I'm looking to add another NVME drive into it just for redundancy as I have the spare drives.

I have been looking at these instructions (https://forum.opnsense.org/index.php?topic=32650.0) which seem simple enough but I'm getting hung up on the steps to copy the partition table.

Code Select Expand

"gpart backup ada0 | gpart restore -F ada1"
When I run geom list disk, I see both of my drives showing:

Code Select Expand

root@OPNsense:~ # geom disk list
Geom name: nda0
Providers:
1. Name: nda0
   Mediasize: 500107862016 (466G)
   Sectorsize: 512
   Mode: r3w3e6
   descr: KINGSTON SNV2S500G
   lunid: 00000000000000000026b76865cfcd85
   ident: 50026B76865CFCD8
   rotationrate: 0
   fwsectors: 0
   fwheads: 0

Geom name: nda1
Providers:
1. Name: nda1
   Mediasize: 500107862016 (466G)
   Sectorsize: 512
   Mode: r1w1e1
   descr: KINGSTON SNV2S500G
   lunid: 00000000000000000026b7686c0a0ee5
   ident: 50026B7686C0A0EE
   rotationrate: 0
   fwsectors: 0
   fwheads: 0

Code Select Expand

root@OPNsense:~ # gpart show
=>       40  976773088  nda0  GPT  (466G)
         40     532480     1  efi  (260M)
     532520       1024     2  freebsd-boot  (512K)
     533544        984        - free -  (492K)
     534528   16777216     3  freebsd-swap  (8.0G)
   17311744  959461376     4  freebsd-zfs  (458G)
  976773120          8        - free -  (4.0K)
My opnsense is installed on nda0 but when I run the command to start copying the partition table, I get an error stating:

Code Select Expand

root@OPNsense:~ # gpart backup nda0 | gpart restore -F nda1
gpart: geom 'nda1': Operation not permitted
Now, nda1 (the new drive) may have been formatted and used in another random PC so I'm unsure if its an issue with formatting?

I don't think that it is related to formatting but I'm not entirely sure.

Has anybody else ran into this issue?

Here is also a new tutorial section that explains the best practice way to connect the OPNsense to a managed switch: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

If anybody finds issues with this guide, feedback and PRs are welcome as always.

Thank you very much.
As basic as this was, it didn't click despite me doing this before but I must have been trying too many things at once and confused myself.

I set igc3 to be my recovery port (VLAN102) and once I was in there, I deleted the default igc1 LAN assignment and created the VLANS and assigned them to igc1.  Enabled the interfaces, created some basic rules and setup DHCP and I'm good now.


Thank you everyone for the help. I'm sorta slow with new things.