Messages - MicN

#1
Quote from: cookiemonster on May 21, 2025, 12:50:50 AM
Well maybe wrongly but I assumed that HA on OPN was possible for a single WAN. The docs https://docs.opnsense.org/manual/how-tos/carp.html show all IPs used for the HA setup are non-routable and show a single WAN link at the front of the router/switch.
So clearly it needs a router to route from WAN to LAN(s)/VIPs but I admit having revisited now, I'm unclear.

There's a thread here that has a bunch of folks trying/working on it (and a git repo with a few forks) using scripts to overcome the need for CARP on the WAN interface when only a single DHCP IP is available there (such as a home internet connection) - essentially you copy the WAN MAC of the primary to the secondary and leave that interface shut down. When a CARP failover is triggered, the interface is brought up and the same DHCP lease is still valid. There'd still need to be an ARP on the broadcast domain to update the forwarding tables in the local switch (/bridge in the case of a VM) for the new port, but there'd still be minimal impact.
#2
Quote from: meyergru on May 20, 2025, 08:53:11 AM
Isn't HA primarily supposed to help against hardware failures? By putting both VMs on the same host, you won't gain much.

That's certainly the main benefit. Though I'm thinking the "nice to haves" like seamless restarts for patches/upgrades/etc. would be a useful addition. It's just quite a bit more complicated a configuration.

I might just 'start it simple' to get a single node up and running, then if I'm still feeling keen I can replicate it and work on getting a second going. My concern there was that I might need to put some more serious thought into how the host's interfaces are set up and forwarded to the VM(s), but the more I look at it the more it seems like a simple Linux bridge interface would do fine.
#3
Greetings all, in the process of going through this myself, and I'm pondering the question of HA.

My setup is just home/soho with DHCP on the WAN and a wireless WAN (USB dongle) as backup - the Proxmox host can handle the 'USBness' and present a standard network interface the hosts can use.

My query is around HA... I have it in my head that running a pair of OPNsense VMs on the same hardware would allow for failover between the two virtualised devices, which obviously doesn't protect from hardware failures but can allow for upgrades/maintenance/etc. without interruption. I've seen a few threads around on CARP + DHCP on the WAN interface (which I'd need to address), but I'm wondering if overall I'm vastly overcomplicating things... The wireless backup does masquerading in itself and has comms on 192.168/16 so that's happy to just live on a Linux bridge with the VMs, and I can live with the double-NAT for that backup scenario. The primary wired WAN though is a standard ISP DHCP (single lease available) so as I understand it, CARP there would be a problem - I've seen there are scripts around though to handle that failover via shutting down the WAN on the backup, which uses a duplicated MAC to carry the lease and ARP over.

As I said, I kinda feel like I might be overcomplicating things... I'm also considering that the host's 16GB of RAM being split into 2x 8G VMs may be a limitation if I start dropping in additional features like Suricata/Zenarmor/etc.

Are there any sort of recommendations/advice around on whether there's a "smart" way to do this or if I'm just being stupid?