High Availability with 1 public IP address per WAN

[afan]

Hi guys,

My situation:
- ISP A: n=1 Public IP address, bound to a certain MAC address
- ISP B: n=1 Public IP address (though PPPoE)
- Latest OPNsense using different VLANs with WAN failover (i.e. VLAN 1 using ISP A by default, if not available then ISP B; VLAN 2 using ISP B by default, if not available then ISP A)

I'd like to use OPNsense High Availability so I can reboot my host easily.
Is that elegantly possible with just n=1 IP address per WAN link (out of which one is bound to a MAC address, which I can choose (once))?

Thanks!

[marcquark]

Not sure about the MAC address part, but it is possible to configure addresses from a private /30 range on the WAN interfaces of both HA member hosts, and have them share the only available WAN IP via CARP. That will involve manual outbound NAT though. Only the active cluster member will be able to access the internet through that primary WAN interface, and you'll need to account for that aswell (think updates).

I have no experience with PPPoE, but it may be worthwhile to just put something like a Fritzbox between OPNsense and your PPPoE line and share the connection between both OPNsense that way.

my 2ct: It's all doable but you'll need time to think it through and it's very easy to shoot yourself in the foot. HA setups are significantly more complex than non-HA setups, not only during installation but - crucially - also when having to troubleshoot. Do think twice whether it's actually worth it to gain a couple of minutes extra uptime in exchange for potential hours of downtime and headache when things go wrong and you're not prepared.

[afan]

Alright, understood. Dropping that plan then.

As an alternative, would following work?

• Have the latest & greatest config file available of VM1 at all times (maybe automatically generate & sync it somewhere?)
• For a planned downtime: spin up VM2 on a different system with same (fixed) virtual MAC addresses but NOT connecting the virtual adapters, except for 1 management adapter
• Import the config into VM2 through the management adapter
• Turn off the VM1; once down connect the virtual adaptors to VM2
• After the planned downtime: turn off VM2 and turn on VM1 again

Any comments?

[marcquark]

Sounds like a decent plan to me. If your OPNsense is virtualized then it should be easy enough to create a 1:1 replica and import the config like you suggest.

For keeping the most recent config around as a backup, take a look at the various available autobackup solutions. There's Nextcloud and Google Drive out of the box https://docs.opnsense.org/manual/how-tos/cloud_backup.html or git through a plugin (nice for keeping an accurate track of config changes) https://docs.opnsense.org/manual/git-backup.html