Topics - Tsuroerusu

#1
I run a high availability setup with two OPNsense firewalls in failover mode. Each node only has a single WAN interface.

Yesterday, I decided to upgrade to 19.7.x (I was on 19.1.10), and like I usually do I started with the backup node. The first jump to 19.7 went fine, but when the upgrade was finished and the system had rebooted, and I tried to do the minor update to 19.7.3, I got "No address record found for the selected mirror.". I tried multiple different mirrors but with the same result. I eventually discovered that the system could not resolve DNS, and I then tried pinging 8.8.8.8 and I got "No route to host".

On Twitter @opnsense hinted at it being a multi-WAN issue that was fixed in 19.7.3, so eventually I ended up setting up a local OPNsense mirror and having my backup node get the update from there, which installed fine. But after it had finished and rebooted, the problem persisted.

I have not yet upgraded the primary node, because if this problem were to also occur on that one, then I would bring myself into deep doo-doo.

What could be causing this? I saw something about gateway issues in other posts, and I tried enabling the option "Disable Force Gateway" under Firewall > Settings, but that did not resolve the issue.
#2
At the moment, I have a couple of redundant OPNsense firewalls using a 2-port Intel NIC card, which has been causing me problems since last August, and I am considering replacing it with a functionally identical Mellanox card. Thus I was thinking, how would OPNsense react to the NICs being changed, and would it mess up the configuration? Or would it simply say "Hmmm, the previous NICs are gone, where should I put the LAN and WAN interfaces?" and be on its merry way?
#3
With it being stated that 18.7 has focused on stability, I decided to not wait for two or three point releases as I normally do before upgrading my company firewalls (a high availability setup of two firewalls).

However, the result was that none of my VLAN "interfaces" activate properly. On the main page, they are marked with red saying "Ethernet autoselect", and under System --> Interfaces --> Overview their status says "no carrier".

All of my physical interfaces activate without a problem, and I have WAN access (which is through a physical interface), but none of my VLANs seem to work.

I have tried re-jiggering the interface assignments, so that the system would, I assume, re-write the VLAN configuration, but that did not fix things at all.

The VLANs are configured on an ix interface, and my switch reports that the ports going to the VLAN NICs are not active. Could this have something to do with the backported Intel NIC drivers of 18.7? Was the ix driver backported?

Does anybody have any suggestion as to what I can do to resolve this problem?
#4
17.1 Legacy Series / XMLRPC sync and HTTPS
July 26, 2017, 08:17:12 PM
I am configuring two OPNsense systems in a high availability setup with CARP, pfSync, XMLRPC etc. for full redundancy. I have also installed my own self-signed certificates for the WebGUI.

When configuring things I noticed something that I am rather curious about. On the sync settings screen it says to specify the full URL for the secondary firewall, and it gives an HTTPS sample URL. That got me to wonder, does XMLRPC ignore any certificate validation when syncing the configuration, or does it fail if it cannot validate the certificate of the other machine?