2 OPNsense routers

Started by dnll, September 27, 2023, 04:34:28 AM

Hello,
I have WAN on my modem going to my first OPNsense box. I have another OPNsense box and I'm unsure how to proceed. What I want is to be able to patch/reboot one box without losing my network.
What is the best way going forward?
Thank you

September 27, 2023, 06:47:24 AM #1 Last Edit: September 27, 2023, 06:53:21 AM by Monviech
Is your modem connected via PPPoE, or Ethernet?
If you want to have help you have to post your basic network structure.

Also just as a tip, if it's PPPoE it's not going to work seamlessly. Also the failover with it (in my tests) was prone to wonky behavior. The patching of an OPNsense takes like 2-3 minutes, in which the reboot maybe takes 1 minute. Only bigger upgrades every half a year take some more time. So you should think about whether the use case is really there. CARP and HA setups are quite complicated.

Here for a basic CARP HA setup: https://docs.opnsense.org/manual/how-tos/carp.html
Hardware:
DEC740

Quote from: Monviech on September 27, 2023, 06:47:24 AM
Is your modem connected via PPPoE, or Ethernet?
If you want to have help you have to post your basic network structure.

Also just as a tip, if it's PPPoE it's not going to work seamlessly. Also the failover with it (in my tests) was prone to wonky behavior. The patching of an OPNsense takes like 2-3 minutes, in which the reboot maybe takes 1 minute. Only bigger upgrades every half a year take some more time. So you should think about whether the use case is really there. CARP and HA setups are quite complicated.

Here for a basic CARP HA setup: https://docs.opnsense.org/manual/how-tos/carp.html
I do get my main public WAN IP through PPPoE, although my ISP (Bell) also allows me to get a second public WAN IP if I don't go through PPPoE but use the modem-router DMZ instead. There is nothing else between the modem-router and my OPNsense box.

Obviously, the whole project is more for fun than anything else. I just happen to have 2 Sophos SG330 units, and I kinda like the idea of having the backup unit in case hardware fails on the first unit, so why not set up high availability. I did read the doc but I couldn't really make any sense of it. I just wish it could somehow be easier, but I guess it isn't. I might just end up copying the config to the second unit, turning it off and just turning it on in case the first unit has issues.

I'd like to know what you didn't understand in the doc, maybe your troubles can be cleared up easily.

There are 3 parts to HA:
- Creating a CARP Virtual IP for each subnet
- Connecting a dedicated interface between both firewalls for state synchronization, pfsync (optional)
- Configuration sync between master and backup (optional)
Hardware:
DEC740
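As an added example, not part of this thread or of the OPNsense docs: once the three parts above are in place, the first thing to verify after patching one node is that the other node actually took over and that the two nodes never both claim MASTER for the same virtual IP. OPNsense runs on FreeBSD, so the CARP role of each virtual IP and the pfsync peer show up in `ifconfig` output; the script below parses that output for both nodes and flags a split-brain. The interface names (igb0, igb1, igb2, pfsync0), addresses and the `ifconfig` text itself are constructed sample data, not taken from the thread.

```shell
#!/bin/sh
# Added example: report CARP roles and pfsync peer from FreeBSD-style
# `ifconfig` output and check two nodes for split-brain (both MASTER).
# All interface names, addresses and sample output below are constructed.

# Node A (intended primary: advskew 0 on every vhid).
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.1 netmask 0xffffffff broadcast 192.168.1.1 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
	inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 2
	carp: MASTER vhid 2 advbase 1 advskew 0
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
	pfsync: syncdev: igb2 syncpeer: 172.16.0.2 maxupd: 128 defer: off
	syncok: 1'

# Node B (intended backup: advskew 100, so it loses the election to A).
SAMPLE_PEER='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.1 netmask 0xffffffff broadcast 192.168.1.1 vhid 1
	carp: BACKUP vhid 1 advbase 1 advskew 100
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.10.10.3 netmask 0xffffff00 broadcast 10.10.10.255
	inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 2
	carp: BACKUP vhid 2 advbase 1 advskew 100
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
	pfsync: syncdev: igb2 syncpeer: 172.16.0.1 maxupd: 128 defer: off
	syncok: 1'

# Print "vhid state advskew" for every CARP virtual IP in the given text.
carp_roles() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ { print $4, $2, $8 }'
}

# Role (MASTER, BACKUP, INIT) of one vhid, or "absent" if not configured.
# $1 = ifconfig text, $2 = vhid
carp_role_of() {
    role=$(printf '%s\n' "$1" | awk -v v="$2" '/^[[:space:]]*carp:/ && $4 == v { print $2 }')
    printf '%s\n' "${role:-absent}"
}

# Number of virtual IPs this node currently holds as MASTER.
master_count() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ && $2 == "MASTER" { n++ } END { print n + 0 }'
}

# Address of the pfsync peer, or "none" when no pfsync interface exists.
pfsync_peer() {
    peer=$(printf '%s\n' "$1" | awk '/^[[:space:]]*pfsync:/ {
        for (i = 1; i <= NF; i++) if ($i == "syncpeer:") print $(i + 1) }')
    printf '%s\n' "${peer:-none}"
}

# Split-brain check for one vhid across two nodes' ifconfig output:
# returns 0 when exactly one side is MASTER and the other BACKUP,
# 1 when both are MASTER, both are BACKUP, or the vhid is missing.
# $1 = node A text, $2 = node B text, $3 = vhid
check_vhid() {
    a=$(carp_role_of "$1" "$3")
    b=$(carp_role_of "$2" "$3")
    case "$a/$b" in
        MASTER/BACKUP|BACKUP/MASTER) return 0 ;;
        *) return 1 ;;
    esac
}

echo "Node A CARP roles (vhid state advskew):"
carp_roles "$SAMPLE_IFCONFIG"
echo "Node A holds $(master_count "$SAMPLE_IFCONFIG") VIP(s) as MASTER; pfsync peer $(pfsync_peer "$SAMPLE_IFCONFIG")"
for v in 1 2; do
    if check_vhid "$SAMPLE_IFCONFIG" "$SAMPLE_PEER" "$v"; then
        echo "vhid $v: exactly one MASTER, ok"
    else
        echo "vhid $v: PROBLEM, both MASTER or neither (check CARP password, vhid and advskew)"
    fi
done
```

On a real pair you would replace the constructed strings with `ifconfig` output from each node (for example collected over SSH) and run the check before and after rebooting one box; a vhid that shows MASTER on both sides usually means the nodes cannot see each other's CARP advertisements on that interface.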