Messages - iLOVEopnSENSE

#1
I'm running an OPNsense HA cluster using CARP.

All clients behind OPNsense have stable internet access. Routing, gateway, and NAT are working correctly.

Important architecture detail:

The WAN gateway and NAT are handled by an upstream firewall (external to OPNsense).
This means OPNsense itself has just a single interface connecting to the upstream firewall.

The actual problem:

As soon as HA is enabled, OPNsense itself loses internet access:

Before enabling HA synchronization (in standalone mode), the OPNsense system had no issues reaching the internet.
Dashboard announcements, update checks, and pings to external targets all worked fine.

After enabling HA, OPNsense no longer sends any self-originated traffic over the virtual interface to the WAN firewall.

In the live log, no traffic originating from OPNsense itself (DNS, updates, etc.) is visible on this interface.

However, client traffic toward the upstream firewall (and therefore the internet) is fully visible and works perfectly on the same interface.

Does anyone know what I might be missing or doing wrong? Am I perhaps making a common mistake when setting up HA with an external NAT gateway?

Thanks in advance!

————————

OPNsense 25.1.9_2-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16

————————

OPNsense-01 (Main)

System → High Availability → Settings
   •   Disable Preempt: Checked
   •   Disconnect Dialup Interfaces: Not checked
   •   Synchronize All States Via: bge3 (dedicated interface on both machines exclusively for CARP)
   •   Sync Compatibility: OPNsense 24.7 or above
   •   Synchronize Peer IP: 10.0.12.2 (IP of interface bge3 on OPNsense-02, the backup node)

(The following settings are left empty or disabled on OPNsense-02)

   •   Synchronize Config to IP: 10.0.12.2
   •   Verify Peer: Not checked
   •   Remote System Username: username of OPNsense-02
   •   Remote System Password: password of OPNsense-02
   •   Services to Synchronize (XMLRPC): All

OPNsense-02 (Backup)

System → High Availability → Settings
   •   Disable Preempt: Checked
   •   Disconnect Dialup Interfaces: Not checked
   •   Synchronize All States Via: bge3 (dedicated interface on both machines exclusively for CARP)
   •   Sync Compatibility: OPNsense 24.7 or above
   •   Synchronize Peer IP: 10.0.12.1 (IP of interface bge3 on OPNsense-01, the main node)
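The post's key observation is made by eye in the live log: after HA is enabled, client flows still leave through the upstream-facing interface, but nothing sourced from the firewall's own addresses does. The script below turns that observation into a repeatable check over exported filterlog lines. It is an added example, not code from the poster or from the OPNsense project. The log lines are constructed, the interface name `bge0`, the node address `192.0.2.11` and the CARP virtual address `192.0.2.10` are placeholders (the post names only the sync interface `bge3` and the 10.0.12.x peer addresses), and the column layout in `FIELD_INDEX` is an assumption about the filterlog CSV format; adjust it to match your own export.

```python
"""Triage of OPNsense filterlog lines: on the upstream-facing interface,
which outbound flows are sourced from the firewall itself and which from
clients?  Added example; all addresses, interface names and log lines are
constructed, and FIELD_INDEX is an assumed column layout."""
import csv

# Constructed: addresses the firewall itself may use as a source on the
# upstream-facing interface.  With CARP the node has its own address plus
# the shared virtual IP; self-originated traffic normally leaves from one
# of these two.
FIREWALL_SELF = {
    "192.0.2.11",   # node's own interface address (placeholder)
    "192.0.2.10",   # CARP virtual IP (placeholder)
}
WAN_IF = "bge0"     # upstream-facing interface (placeholder)

# Assumed filterlog CSV columns for an IPv4 record:
# rule,subrule,anchor,label,interface,reason,action,direction,ipver,tos,
# ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,...
FIELD_INDEX = {"interface": 4, "action": 6, "direction": 7, "ipver": 8,
               "proto": 16, "src": 18, "dst": 19}

# Constructed sample before HA was enabled (syslog prefix already stripped):
# two client flows and one DNS query sourced from the node itself.
BEFORE_HA_LOG = """\
80,,,5e2b,bge0,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.25,93.184.216.34,51234,443,0,S
80,,,5e2b,bge0,match,pass,out,4,0x0,,64,2,0,DF,17,udp,73,192.168.1.40,192.0.2.1,54022,53,53
81,,,7a01,bge0,match,pass,out,4,0x0,,64,3,0,DF,17,udp,61,192.0.2.11,192.0.2.1,40113,53,41
"""

# Constructed sample after HA was enabled: client flows continue, a CARP
# advertisement appears on the sync interface, but no self-sourced flow
# is seen on bge0.
AFTER_HA_LOG = """\
80,,,5e2b,bge0,match,pass,out,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.25,93.184.216.34,51240,443,0,S
80,,,5e2b,bge0,match,pass,out,4,0x0,,64,5,0,DF,17,udp,73,192.168.1.40,192.0.2.1,54030,53,53
5,,,0,bge3,match,pass,out,4,0x0,,255,6,0,none,112,carp,36,10.0.12.1,224.0.0.18
"""


def parse_filterlog(text):
    """Parse IPv4 filterlog records into dicts keyed by FIELD_INDEX names."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = next(csv.reader([line]))
        if len(fields) <= FIELD_INDEX["dst"] or fields[FIELD_INDEX["ipver"]] != "4":
            continue  # skip short or non-IPv4 records
        rows.append({name: fields[i] for name, i in FIELD_INDEX.items()})
    return rows


def classify_outbound(rows, wan_if=WAN_IF, self_addrs=FIREWALL_SELF):
    """Split outbound flows on the upstream-facing interface into those
    sourced from the firewall itself and those sourced from clients.
    Traffic on other interfaces (e.g. CARP on the sync link) is ignored."""
    self_flows, client_flows = [], []
    for r in rows:
        if r["interface"] != wan_if or r["direction"] != "out":
            continue
        (self_flows if r["src"] in self_addrs else client_flows).append(r)
    return self_flows, client_flows


def summarize(text, wan_if=WAN_IF, self_addrs=FIREWALL_SELF):
    """Return counts plus a flag for the symptom described in the post:
    client traffic present, firewall-originated traffic absent."""
    self_flows, client_flows = classify_outbound(parse_filterlog(text), wan_if, self_addrs)
    return {
        "self_originated": len(self_flows),
        "client_originated": len(client_flows),
        "self_sources_seen": sorted({r["src"] for r in self_flows}),
        "symptom_matches_post": bool(client_flows) and not self_flows,
    }


if __name__ == "__main__":
    for label, sample in (("before HA", BEFORE_HA_LOG), ("after HA", AFTER_HA_LOG)):
        print(label, summarize(sample))
```

Run it against a filterlog export from each node, before and after enabling HA, and compare `self_sources_seen`: if self-originated flows reappear but from an address you did not expect (the node address instead of the VIP, or the reverse), that tells you which address the firewall is binding outbound traffic to, which is the first thing to check against the upstream firewall's NAT and routing configuration.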