Messages - stchesmeli

#1
Hi all,
we use opnsense in our cloud IaaS provider (a Xen-based solution from Vates).

So we set up two instances with their own IPs in each VLAN, adding VIPs in carp mode with different group IDs.
We synchronize states and xmlrpc config via a SYNC VLAN.

Everything seemed to work fine during our tests, but as soon as we opened up the system to customers with a heavier load, we noticed a lot of timeouts and lost connections.
This only happens when both firewalls are on. As soon as we switch off the 2nd firewall everything works perfectly. I think there's a problem with the states.
Configuration level:
- each interface where there is a VIP CARP has a firewall rule to authorize CARP from any source/destination
- SYNC interface authorizes any IPV4 source and destination on the SYNC network
- SYNC's interface also authorizes CARP from any source/destination
- We synchronize "Aliases, DHCPD, Firewall Rules, NAT, static routes, Unbound DNS, VIP, Wireguard".
- some NAT/FW rules have the option of not synchronizing their conf via xmlrpc because they are "local" to the firewall

#2
Hi all,
I have a problem with traffic going through opnsense with HA when both Opnsense instances are up: any traffic of a large enough size (e.g. download of a 500MB file) is stalled after some transfer: the transfer starts and then freezes. If I switch off the 2nd Opnsense (backup instance) then I have no more problems.
It's a simple transfer between 2 vlans that crosses the opnsense.
Opnsense are in HA, so the gateways of these vlans are IP CARPs. But even if I use the ip of the Opnsense master instead of the CARP, I have the same problem. Probably a misconfiguration somewhere, but I can't put my finger on it.

#3
Hi all,

I'm seeing filtering problems and I wonder if this is due to multi-vlans / routing, filtering and states.
Let me explain my configuration, with 2 opnsense in HA:

- I have several server groups: web, db, haproxy, ...

- Each server has an address in the 192.168.0.0/24 LAN (which I call vlan back) for SSH access by administrators to these servers, as well as the
NAT output to the Internet. The default GW on this network is 192.168.0.254, which is a VIP CARP with NAT to the Internet.

- Each server group has its own vlan (which I call vlan front), for example web 10.10.0.0/24, data 10.10.10.0/24, haproxy 10.10.100.0/24. It's on this VLAN that services (http for web servers, for example) are exposed and filtered. For each of these vlans, there is a GW (VIP CARP) x.x.x.254 to enable routing between these vlans. And each server has a network route:
10.10.0.0/16 via x.x.x.254 <- its own gateway in its own vlan, for example 10.10.0.254 for web servers.

- I have filtering rules between vlans, for example I authorize "WEB net" (10.10.0.0) to connect to TCP port 27017 on "DATA net" (10.10.10.0)

All this seems to be working, except that we're seeing very randomly in the logs connections that don't go through (timeout), and in the opnsense logs there are some blocks on connections that are actually authorized (e.g. web to data port 27017) with TCP flag R.

I'm wondering if there isn't some kind of asymmetrical routing, with each VLAN having its own GW in its network. But I've tried disabling the "states rules" in the filtering rules and it's no better.

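The posts above describe the symptom (authorized flows blocked with TCP flag R, only when both nodes are up) but not how to triage it from the logs. The following is an added example, not code from the poster or from the OPNsense project: it scans filter log lines for the signature that asymmetric routing or a state missing on one node leaves behind, namely TCP packets with no SYN (ACK, RST/ACK, FIN) being blocked for a flow that the firewall also passed. The CSV layout it assumes follows the pfSense/OPNsense filterlog format as I understand it (rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, IPv4 header fields, then TCP fields); that layout and the sample lines are constructed for the example, not copied from the poster's firewalls.

```python
"""Triage filterlog-style lines for blocked mid-stream TCP packets.

A stateful firewall only blocks an ACK, FIN or RST/ACK when it holds no
state for that flow. Seeing such blocks for a flow it also passed is the
classic trace of asymmetric routing (reply path hits a different node or
interface than the request) or of a state that pfsync did not carry over.

Assumed field layout (CSV, constructed for this example, modelled on the
pfSense/OPNsense filterlog format):
  0 rulenr, 1 subrulenr, 2 anchor, 3 tracker id, 4 interface, 5 reason,
  6 action, 7 direction, 8 ip version,
  IPv4: 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 proto id,
        16 proto text, 17 length, 18 src, 19 dst,
  TCP:  20 sport, 21 dport, 22 datalen, 23 tcp flags, 24 seq, 25 ack,
        26 window, 27 urg, 28 options
"""
from collections import defaultdict

# Constructed sample: a web host (10.10.0.5) talking to MongoDB on a data
# host (10.10.10.7:27017). The SYN and first ACK pass, then a later ACK is
# blocked on vlan10 and two RST/ACK replies are blocked on vlan20. A bare
# blocked SYN to an unrelated port is ordinary policy enforcement and must
# not be flagged.
SAMPLE_LOG = """\
5,,,1000000105,vlan10,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.10.0.5,10.10.10.7,48222,27017,0,S,1,,65535,,mss
5,,,1000000105,vlan10,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,52,10.10.0.5,10.10.10.7,48222,27017,0,A,2,1,65535,,
12,,,1000000112,vlan10,match,block,in,4,0x0,,64,3,0,DF,6,tcp,52,10.10.0.5,10.10.10.7,48222,27017,0,A,3,1,65535,,
12,,,1000000112,vlan20,match,block,in,4,0x0,,64,4,0,DF,6,tcp,40,10.10.10.7,10.10.0.5,27017,48222,0,RA,4,3,0,,
12,,,1000000112,vlan20,match,block,in,4,0x0,,64,5,0,DF,6,tcp,40,10.10.10.7,10.10.0.5,27017,48222,0,RA,5,3,0,,
12,,,1000000112,vlan10,match,block,in,4,0x0,,64,6,0,DF,6,tcp,60,10.10.0.9,10.10.10.7,51000,9999,0,S,6,,65535,,mss
"""


def parse_line(line):
    """Return the fields we need from one IPv4/TCP log line, else None."""
    f = line.split(",")
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {
        "iface": f[4], "action": f[6],
        "src": f[18], "dst": f[19], "sport": f[20], "dport": f[21],
        "flags": f[23],
    }


def is_midstream(flags):
    """True for packets that are not connection openers: no SYN, but ACK,
    RST or FIN set. These should only ever be dropped when state is missing."""
    return "S" not in flags and any(c in flags for c in "ARF")


def flow_key(rec):
    """Direction-independent key so request and reply land in one bucket."""
    return tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))


def find_state_mismatches(log_text):
    """Return {flow_key: {"blocked": n, "ifaces": [...], "flags": [...],
    "also_passed": bool}} for every flow with blocked mid-stream packets.
    Blocks spread over several interfaces, or an 'also_passed' flow, are the
    strongest hint that the path is asymmetric rather than simply denied."""
    flows = defaultdict(lambda: {"blocked": 0, "ifaces": set(), "flags": set(),
                                 "also_passed": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        entry = flows[flow_key(rec)]
        if rec["action"] == "pass":
            entry["also_passed"] = True
        elif rec["action"] == "block" and is_midstream(rec["flags"]):
            entry["blocked"] += 1
            entry["ifaces"].add(rec["iface"])
            entry["flags"].add(rec["flags"])
    return {
        k: {"blocked": v["blocked"], "ifaces": sorted(v["ifaces"]),
            "flags": sorted(v["flags"]), "also_passed": v["also_passed"]}
        for k, v in flows.items() if v["blocked"] > 0
    }


if __name__ == "__main__":
    for key, info in find_state_mismatches(SAMPLE_LOG).items():
        (a, ap), (b, bp) = key
        print(f"{a}:{ap} <-> {b}:{bp}: {info['blocked']} blocked mid-stream "
              f"packets on {info['ifaces']} flags={info['flags']} "
              f"also_passed={info['also_passed']}")
```

Run it against the exported filter log of each node separately: a flow whose blocked mid-stream packets appear on the backup node only, or on a different interface than its passed packets, means the reply is taking a path the original state does not cover; comparing `pfctl -ss` on both nodes for that flow then shows whether the state was ever synced.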