OPNsense
Messages - spetrillo

121
High availability / Re: Can I Use HA to Build Second Node?
« on: March 26, 2024, 03:59:48 pm »
Quote from: Patrick M. Hausen on March 26, 2024, 03:53:09 pm
You need to at least update to the same version as the production system, install all desired plugins, and create all interface configuration. It is critically important that you create the interfaces with the same names and in exactly the same order as on the production system.

So e.g. for my home setup:

Code:
[APP] opt8
[DSL] opt2
[LAN] lan
[RPI] opt5
[SRV] opt3
[WAN] wan
[WG0] opt6
[WG1] opt4
[WG2] opt7
[WIN] opt1

Switch e.g. the assignment of opt2 and opt3 to DSL and SRV, respectively, and funny and hard-to-debug failures are going to happen.

Yes Patrick...I have seen the issues. I checked the Interfaces Overview and everything matches, right down to the loopback. I have all the interfaces ready on both sides and will install the plugins on the second node.

Thanks for chiming in so quickly. These nodes are VMware virtual nodes, via a cloud provider. I have been fighting weird gremlins in the HA setup and finally decided to go back to square 1 and build out the nodes once again.
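
The interface check described in the quoted advice can be automated by comparing the interface key (lan, opt1, ...) to description mapping in each node's exported config.xml. This is an added example, not part of either forum post or OPNsense's own tooling; the sample XML, the vmx device names and the function names are constructed for illustration, and it assumes the usual layout of an `<interfaces>` section directly under the config root.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: trimmed <interfaces> sections of two config.xml
# exports. Device names and the swapped opt2/opt3 are assumptions.
PRIMARY_XML = """<opnsense><interfaces>
  <wan><if>vmx0</if><descr>WAN</descr></wan>
  <lan><if>vmx1</if><descr>LAN</descr></lan>
  <opt2><if>vmx2</if><descr>DSL</descr></opt2>
  <opt3><if>vmx3</if><descr>SRV</descr></opt3>
</interfaces></opnsense>"""

SECONDARY_XML = """<opnsense><interfaces>
  <wan><if>vmx0</if><descr>WAN</descr></wan>
  <lan><if>vmx1</if><descr>LAN</descr></lan>
  <opt2><if>vmx2</if><descr>SRV</descr></opt2>
  <opt3><if>vmx3</if><descr>DSL</descr></opt3>
</interfaces></opnsense>"""


def interface_map(config_xml):
    """Return {interface key: description} for one node's config.xml text."""
    section = ET.fromstring(config_xml).find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section found")
    mapping = {}
    for node in section:
        # Fall back to the upper-cased key when no description is set.
        descr = (node.findtext("descr") or "").strip() or node.tag.upper()
        mapping[node.tag] = descr
    return mapping


def compare_nodes(primary_xml, secondary_xml):
    """List (key, primary_descr, secondary_descr) for every mismatch.

    A descr of None means the key is missing on that node.
    """
    primary = interface_map(primary_xml)
    secondary = interface_map(secondary_xml)
    findings = []
    for key in sorted(set(primary) | set(secondary)):
        if primary.get(key) != secondary.get(key):
            findings.append((key, primary.get(key), secondary.get(key)))
    return findings


if __name__ == "__main__":
    for key, p_descr, s_descr in compare_nodes(PRIMARY_XML, SECONDARY_XML):
        print(f"{key}: primary={p_descr} secondary={s_descr}")
```

An empty result means both nodes assign every key to the same description, so synced rules that reference opt2 or opt3 land on the intended network on both sides.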

122
High availability / Can I Use HA to Build Second Node?
« on: March 26, 2024, 03:49:13 pm »
Morning all,

I am in the process of beginning the build out of my second OPNsense node. Clearly I have some tasks related to the HA process, that I need to do on the second node. My question relates to all the services that are configured on the first node, like IDS/IPS, VPN, Firewall rules, NATs, etc. Can I just build out the first node completely and then sync configs to the second node? Will any plugins need to be installed on the second node explicitly?

Thanks,
Steve

123
High availability / OPNsense Hostname and HA
« on: March 26, 2024, 01:04:15 am »
Hello all,

I have a 2 node firewall cluster running but how does the FQDN of the firewall work with HA? My nodes are OPNsense1 and OPNsense2. Ideally I would like to set up OPNsense.fqdn and have it point to the Virtual IP of the LAN interface. How can I accomplish this?

Thanks,
Steve

124
General Discussion / Re: Zabbix Proxy 6.4 with 24.1.4
« on: March 22, 2024, 04:52:54 pm »
Quote from: mimugmail on March 22, 2024, 04:00:07 pm
Maybe you need to remove the sqlite db?

It looks like the proxy db has an issue: [Z3005] query failed: database disk image is malformed [delete from proxy_history where id<2212890 and (clock<1711033903 or (id<=2212890))]

What confused me is that I uninstalled the proxy, so I would expect the db to be deleted? Is this not the case?

125
General Discussion / Zabbix Proxy 6.4 with 24.1.4
« on: March 22, 2024, 03:23:17 pm »
Hello all,

Is anyone having issues with the Zabbix proxy v6.4 on OPNsense 24.1.4? I cannot seem to keep the proxy running. It errors out on what looks to be a FreeBSD error from 2016. Wondering if anyone else is running into this.

Thanks,
Steve

126
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 21, 2024, 04:38:33 pm »
Seems to have done the trick!

Now one last question. On one guide I read the following:

VMware ESXi: Activate Allow forged transmits and Allow MAC changes. If necessary, Promiscuous Mode must also be activated. Additionally, the os-vmware plugin can be installed.

Is this still true? Reason I ask is I am using a VMware cloud provider and they have told me they cannot enable these for me. These would have to be enabled on each hypervisor, for all clients.

127
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 21, 2024, 04:30:15 pm »
Hmmm...I thought that could be the case.

Ok now how to figure out where the split brain is going on. Under System/High Availability/Settings should Disable Preempt be checked on the backup node? I also noticed the advbase on both nodes was the same, so I adjusted it to 100 on the backup node.

128
High availability / Failover Test
« on: March 21, 2024, 03:51:48 pm »
So I did a test of failover between two nodes. I shut down the primary node, expecting the secondary node to take over, but it did not. Where should I look for any messaging that would lead me to understanding why the failover did not work?

129
High availability / Two HA Questions
« on: March 21, 2024, 03:33:33 pm »
Hello all,

Dipping my toes into the HA world of OPNsense. So far it's gone well but I have a couple of questions:

1) On the backup node should I check Disable Preempt or leave it unchecked? The documentation I have read has me confused on this. Right now I have it checked.
2) Zenarmor put out a pretty good document on how to go about implementing high availability (https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-ha-on-opnsense) but in this document they indicate to set advskew value higher but I see no way of doing that on the backup node.

Thanks,
Steve

130
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 21, 2024, 03:27:30 pm »
Quote from: Patrick M. Hausen on March 21, 2024, 02:59:48 pm
You mean like the CARP dashboard widget?

I use the CARP dashboard but I would like to see a different one for the backup, indicating where the master is. Right now the dashboard on the secondary node is the same as the primary node. First screenshot is the primary and second screenshot is the secondary.

131
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 21, 2024, 02:17:55 pm »
I get it...I just wish there was a more informative way of saying it, or have a dedicated CARP dashboard for the backup node/s that tell you where the master is.

132
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 20, 2024, 07:59:55 pm »
All good then...yes the master node is showing the backup at the top of the status page. I also checked the logs and pfSync seems to be working fine....woo hoo!

One last question...for those who run Wireguard...do you set CARP to the WAN? That is what I did, so if the WAN fails over then Wireguard will go with it.

133
High availability / Re: CARP and Multiple Internal Interfaces
« on: March 20, 2024, 07:52:27 pm »
OK making progress...but...

When I go to System/High Availability/Status, on the backup node, I have a message that says the backup firewall is not accessible or not configured. Is this ok? The master node seems to be happy.

One additional thing to note...these nodes are VMware virtual machines.

134
General Discussion / Gateway Dashboard
« on: March 20, 2024, 05:27:08 pm »
Hello all,

Does anyone know how the RTT and RTTd stats are being generated? Are they coming from hitting the gw IP in the dashboard?

Thanks,
Steve

135
24.1 Legacy Series / NTP Status
« on: March 20, 2024, 02:21:23 pm »
Morning all,

I don't know if this is a 24.1 issue or if it has been around for a bit but currently all OPNsense NTP pools are showing as unreachable / pending. Is there a problem?

Thanks,
Steve

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved