Topics - trevs

#1
High availability / XMLRPC Sync guidance request
February 01, 2025, 10:12:33 PM
Sorry, I don't mean to hijack this thread, but my question is along these same lines.
I too am running HA/CARP, and for DHCP I'm using ISC.
I have the failover IP set to the other OPNsense IP as needed.
In HA I have DHCPD included in my XMLRPC Sync.

This works out great and seems to keep the failover IP set correctly on both nodes. But it is changing the failover split each time the sync runs (I have a cron job).
The info on that field says on the backup I should leave it blank, but then each sync changes this to match the primary (256).
The question comes down to: should I just remove DHCPd from the XMLRPC Sync? Or is something else wrong...
Additional question: should I also stop other services that have their own HA settings from being included in the XMLRPC Sync? HAProxy as an example, and probably others I'm not thinking of?
Is there any kind of definitive list of applications that sync themselves vs. using XMLRPC?
#2
High availability / HA getting started
December 24, 2024, 11:20:28 PM
New to HA with OPNsense, so I'm learning. I used AI to help with some of it, but obviously that leaves things out.
I have gone over the documentation, and apparently am still missing something.
On my primary OPNsense I see the attached screen. Does this indicate that the backup is not ACTUALLY in "backup mode" since all the services appear to be running?
#3
In https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html#
Under Step 1 there is a paragraph:
"On Peers tab create a new Peer, give it a Name, set 0.0.0.0/0 in Allowed IPs and set the DNS to 193.138.218.74. This is the one MullvadVPN provides for privacy."
However, in Peers in OPNsense there is no place to set a DNS address...

In https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#step-6-create-a-gateway
There is a blue note. Is the first paragraph still accurate, or did the "Disable Host Route" option essentially fix this?
#4
I've been finding the UI for HAProxy in OPNsense more difficult to configure than it was in pfSense.
This tells me I really don't understand HAProxy well enough, so if my question is something that should be understood, I do apologize.
I have a domain mydomain.com
At this time I have 2 servers I'm trying to send through HAProxy (Plex and Ombi).
I believe I have all the firewall rules doing what they need to for forwarding.

I'd like any traffic for plex.mydomain.com to always go to the Plex server.
Anything else, including someone just typing https://mydomain.com, should go to Ombi.
With the config I'm including I seem to get Ombi working on one restart, then Plex working on the next restart. Almost like the rules are in some sort of priority order that switches each time I restart HAProxy.
Once I have these 2 working I will eventually add other services.
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    20
    maxconn                     10
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    log     global
    option redispatch -1
    maxconn 100
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: ombi (HTTPS Ombi)
frontend ombi
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 crt-list /tmp/haproxy/ssl/6029c02e5cc836.63584345.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Ombi
    acl acl_6029bf280a2d50.77237914 hdr(host) -i plex.mydomain.com

    # ACTION: OmbiRules
    use_backend OmbiPool if !acl_6029bf280a2d50.77237914

# Frontend: 80_redirect (HTTP Redirect)
frontend 80_redirect
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: HTTP
    acl acl_603205c7df9a30.32769784 req.proto_http

    # ACTION: http-redirect
    http-request redirect scheme https if acl_603205c7df9a30.32769784

# Frontend: Plex (HTTPS Plex)
frontend Plex
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 crt-list /tmp/haproxy/ssl/60de5b0e9afdd3.95063140.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: plex
    acl acl_6032c230647965.95880753 hdr(host) -i plex.mydomain.com

    # ACTION: PlexRules
    use_backend PlexPool if acl_6032c230647965.95880753

# Backend: OmbiPool ()
backend OmbiPool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Ombi 192.168.1.42:3000

# Backend: PlexPool ()
backend PlexPool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Plex 192.168.1.42:32400

listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# statistics are DISABLED
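The alternating behaviour in the post above is visible in the generated config itself: the frontends `ombi` and `Plex` both `bind 0.0.0.0:443`. HAProxy starts both listeners (it sets SO_REUSEPORT on its listening sockets unless the global `noreuseport` option is set), so the kernel, not the `use_backend` rules, decides which frontend a new connection lands on. A connection that lands on `Plex` with a Host other than plex.mydomain.com matches no rule, and `Plex` has no `default_backend`, so HAProxy answers 503; the mirror case happens for plex.mydomain.com connections that land on `ombi`. The following is an added example written for this page, not output of the OPNsense HAProxy plugin, showing the same two pools behind a single :443 frontend. The frontend names and the combined crt-list path are assumptions; the server addresses and ports are the ones from the post.

```haproxy
# Added example (not the plugin-generated config from the post).
# One HTTPS listener serves both hosts; the certificate is chosen by SNI
# from a single crt-list containing both certificates (path is assumed).

frontend https_in
    bind 0.0.0.0:443 name https ssl crt-list /tmp/haproxy/ssl/all-sites.certlist no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    mode http
    option httplog
    option forwardfor
    timeout client 30s

    # Match on the Host header; field(1,:) drops a ":443" suffix if a client sends one.
    acl host_plex req.hdr(host),field(1,:) -i plex.mydomain.com

    # Routing order is now explicit and deterministic:
    # plex.mydomain.com -> PlexPool, everything else -> OmbiPool.
    use_backend PlexPool if host_plex
    default_backend OmbiPool

frontend http_redirect
    bind 0.0.0.0:80 name http
    mode http
    option httplog
    timeout client 30s
    # In an HTTP-mode frontend the request is always HTTP, so the redirect
    # needs no ACL. Host and path are preserved, so plex.mydomain.com
    # still reaches PlexPool after the redirect.
    http-request redirect scheme https code 301

backend PlexPool
    mode http
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Plex 192.168.1.42:32400

backend OmbiPool
    mode http
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Ombi 192.168.1.42:3000
```

In the OPNsense plugin this corresponds to a single Public Service on 0.0.0.0:443 with both certificates selected, one Condition of type "Host matches" for plex.mydomain.com, one Rule that sends that condition to PlexPool, and the Public Service's Default Backend Pool set to OmbiPool; the separate "Plex" Public Service is removed. The `balance source` and `stick-table` lines from the post were dropped because each pool has only one server, so there is nothing to balance or pin. Two further things worth checking while you are in there: the two posted listeners disable different TLS versions (`ombi` also turns off TLS 1.1, `Plex` inherits only `no-sslv3 no-tlsv10` from `ssl-default-bind-options`), which one listener resolves, and `tune.ssl.default-dh-param 1024` is below the 2048 bits HAProxy's own documentation recommends.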
#5
I have OPNsense running as my firewall; all traffic on my network runs through it.
I've set up WireGuard in OPNsense. It's just a client though; I use Torguard as the VPN service provider. I am NOT trying to connect back into my network via WireGuard, just using WireGuard to "protect" me.
Created the NAT Outbound rule, and all traffic on my LAN flows out via WireGuard - this is good of course.
However, I want to change it so only 1 IP on my network goes through WireGuard and everything else just goes out the WAN.
I'm using Hybrid in the outbound section.
Tried setting the source from LAN Net to the IP I want, but then all devices lose access to the internet.
Also tried an alias (my ultimate end goal will be routing just an alias out my WireGuard).

I've done some searching, but it's a mix of people wanting to connect to their own networks via WireGuard and some only wanting the entire network routed. If someone could point me to a how-to that's my situation, or similar, I'd really appreciate it!