Sync states without carp

Started by prokocool69, December 20, 2023, 11:26:07 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 20, 2023, 11:26:07 AM
Hello! Could you please help. I've two opnsense firewalls in HA pair. But i don't use a carp technology, only dynamic routing. Should states are synced in that configuration? On this moment it's not.
December 20, 2023, 11:34:33 AM #1 Last Edit: December 20, 2023, 11:37:59 AM by Monviech
States aren't synched with the CARP protocol, they are synced with pfsync protocol.

https://man.freebsd.org/cgi/man.cgi?pfsync%284%29

System: High Availability: Settings
Best use a dedicated interface as Synchronize interface between both firewalls, since there is high multicast traffic. Leave the "Synchronize Peer IP" empty. You have to create a Firewall rule that allows pfsync protocoll on both firewalls on the interface thats the Synchronize interface.

Please note that both firewalls need to have the exact same interfaces and the exact same interface names.

After you have configured pfsync on OPNsense, you can see what it's doing by "tcpdump -i pfsync" and also looking at the state table in both firewalls.
Hardware:
DEC740
December 20, 2023, 11:40:31 AM #2
thank you for your reply. I've dedicated interface between two firewalls and i've create a pass rule for this interface, but states doesn't synced? What could be the problem?
December 20, 2023, 11:45:00 AM #3
"Please note that both firewalls need to have the exact same interfaces and the exact same interface names." I think this is the problem, I have different interface names.
December 20, 2023, 01:00:27 PM #4
Yeah if both firewalls interfaces arent literally the same names and the same configuration + same network drivers, don't use statesync. It will break states and won't work.
Hardware:
DEC740
December 27, 2023, 06:35:39 AM #5
I've done all interfaces similar on both firewalls. But pfsync still doesn't work. tcpdump -i pfsync0  on both firewalls doesn't show any traffic. What could be the problem?
December 27, 2023, 07:23:23 AM #6
Screenshots of HA settings and fw rules please
December 27, 2023, 07:50:33 AM #7
FW rules on sync interface
December 27, 2023, 07:50:55 AM #8
HA settings
December 27, 2023, 08:12:54 AM #9
Can you try to point the Failover IPs of the other firewall instead of the multicast address?
December 27, 2023, 08:13:29 AM #10
i've rebooted one firewall  and pfsync now works fine. Thank you for your support)
Print
Go Up Pages1
User actions