Messages

Would it be possible to foresee or integrate with knocknoc.io? That's a much better knocking option as it has the possibility of using an IdP to do the authentication PRIOR to do any opening of ports.

Don't know if that would be a possibility... but it would definitely be nice to have :)
That way it is no longer security through obscurity, and at the same time we're implementing JIT (Just-In-Time) access.

WAN interfaces have direct connection to the ISP router (which has 4 ports and I'm currently using 2 - one per each OPNSense).
I am using multicast, yes.

I still get the BACKUP -> MASTER (master timed out) after a while on that WAN CARP IP...

Nevermind... Spoke too soon... second node still gets MASTER on the WAN.

I have no idea what could be going wrong really.

Reading from all the replies here I found out that the issue seems to have been the ICMP ping being blocked on the WAN interface.

Once I was able to ping each of the nodes through the WAN interface it seems that CARP IP on WAN became stable.

Thanks for the help! Hope this helps someone else having the same issue.

Hi Everyone!

So, my setup is as follows:
2 OPNSense virtualized on Proxmox with 1 vNIC and 2 physical host NICs assigned.

The vNIC is trunked and has multiple vLANs crossing it, no issues there, everything's working wonderfully (CARP and the lot work fine there).

Then there's 1 NIC dedicated to the WAN connection (and this is the one's acting a bit tricky... more in a sec) and 1 NIC dedicated to CARP between the 2 VMs.

CARP's vIP configured for the internal LAN networks (multiple vLANs) and everything's sort of alright... but the WAN connection is just acting weirdly.

Whenever I enable CARP on the backup machine, all vIPs get on BACKUP mode, but a few second (minutes) later, WAN gets into MASTER, while on the main Firewall, it's also at MASTER!

I've checked physical cables, I've checked firewall status and logs but nothing comes up really as being blocked at any point...
attached the images of the configs.

On the log I see this:

Code Select Expand


2024-11-24T19:26:56 Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (192.168.17.2) (2@igb0)" has resumed the state "MASTER" for vhid 2
2024-11-24T19:26:56 Notice kernel <6>carp: 2@igb0: BACKUP -> MASTER (master timed out)
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (192.168.18.2) (10@vtnet0_vlan10)" has resumed the state "BACKUP" for vhid 10


An interesting aspect is that I don't even have OpenVPN configured, so I don't know wth openvpn wants with the lot but... OK...

I must admit I am lost... I don't know why this is happening and why it doesn't "see" that the other node has the WAN vIP up!

As a final point on the architecture explanation, in front of the 2 FW there's an ISP router which works absolutely fine and it has been working for years without a problem on the other *Sense firewall software.