Topic: FW VRRP master (Read 2159 times)
fsebera
FW VRRP master
« on: July 23, 2021, 09:40:57 pm »
My Backup FW always takes over the data flow when it is on line. It just occurred to me that VRRP uses the highest IP address when selecting the Master. And because my Backup fw was built second, it was given the higher IP addresses. Ahhhh Duh.
Sometimes things are just too simple.
Sure would be nice if OPNsense had a control feature for VRRP.
Thanks
Frank
« Last Edit: July 23, 2021, 10:07:28 pm by fsebera »
lilsense
Re: FW VRRP master
« Reply #1 on: July 23, 2021, 10:15:13 pm »
Did you follow this link to compare?
https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration
fsebera
Re: FW VRRP master
« Reply #2 on: July 24, 2021, 03:44:50 pm »
Maybe I’m doing something wrong as my CARP VIPs are not reachable from any end-client. From what I have experienced, the CARP VIPs are for OPNsense HA use only. There are built-in CARP controls to set Master and Backup. The publicly available OPNsense examples lead the reader to believe CARP is all that is needed for HA failover when in fact it’s not. In the provided documents there are downloadable configurations the reader can use to set up their environment but again it doesn’t support the end-client data flow. When you think about why you have the firewall in the first place you quickly realize that if you don’t have data flow between client and Internet, why have a nice HA fw that doesn’t support user data flow redundantly? The truth is you also need alias VIPs and these are strictly for use by the end-clients. The LAN alias VIP is used as the end-client Default Gateway and the WAN alias VIP is used for the NAT address out and next hop for inbound communications from untrusted space. OPNsense employs VRRP for this feature but falls really short in explaining how this works. In fact, any OPNsense controls that even mention VRRP are non-existent or hidden really well. I had to sniff the traffic to figure this out.
IMO, my guess is OPNsense is trying to compete in the big boy arena and I appreciate their efforts. But remember Cisco gave unlimited bend-over-backwards support and extremely well documented details of how their products worked in the beginning and it paid off. OPNsense is free but mostly focuses on the individual home user. The normal home user doesn’t have the skills, time or desire to become an expert, they just wanna surf the Internet.
IMO, if OPNsense wants to grow, provide useful documentation and real-world examples that actually work.
Oh and thank you for your help, very much appreciated!!!!
Frank
« Last Edit: July 24, 2021, 05:43:36 pm by fsebera »