HA setup with no WAN CARP IP

[klosz007]

Hi,

I would like to set up HA config at home but I have only one static public IP which is assigned by bradband modem by DHCP to specific MAC address (currently used by my one and only OPNsense instance - it owns this public IP).
All other devices connected to broadband modem (currently none) receive CG-NAT IPs.

I need to have some redundancy. OPNsense runs as ESX VM and whenever I shut this ESX host I have no Internet at home - wife screams, children cry (or vice versa) etc. :-)

I have second ESX host but I have no shared storage to easily and quickly move OPNsense VM to this second ESX host if I need a 'maintenance window'. But I could utilize an OPNsense HA cluster with nodes running as VMs on both ESX hosts.

I know it is not a recommended config not to have WAN CARP IP and to use just two different WAN IPs on both nodes (moreover - public and CGNAT).


Besides obvious limitations such as services running on public IP (VPN, HAProxy, etc.) will not be accessible if primary instance is down, will there be any impact or malfunction/limitation because of such config ?



Another option to condsider is to have another physical router doing just NAT, nothing else, then WAN interfaces of OPNsense HA cluster + CARP IP would be private NAT IPs. WAN CARP IP would be configured as DMZ host then. It will effectively become non-elegant dual-NAT config. But that costs another device to maintain and another SPOF. Such router would have to be fast (I have 1000MBit broadband downlink) hence expensive and power hungry.

Thanks for any advice.

[phoenix]

A quick search of the internet throws up a few descriptions of HA OPNsense in a virtual environment. Here's one for starters: https://cg-e.net/opnsense-high-availability-setup-configuration-in-kvm-virtual-machine/

[klosz007]

Thanks. But that's not what I'm looking for...

I have already set up HA on VMs at my colleagues's small company so I knoew how to do it :-)
Now I want to replicate this setup at home.

Problem is he has /29 (.248) subnet of static public IPs to use. 5 usable IPs =2 to be used as OPNsense WAN IPs and 3 more that are used as CARP IPs.

At home I have only one public IP that is obtained via DHCP.

What will be limitations of HA setup with one instance having public WAN IP, one having CGNAT WAN IP and no WAN CARP IP ?

[crlt]

I have setup CARP with a single WAN IP address that is assigned via DHCP. The way I did it was to place an intermediate "router" between my OPNsense firewall and the ISP ONT. This intermediate router takes the public WAN and then creates a private range where you can have as many IP addresses as you want. So my OPNsense firewalls see 192.168.1.251 (FW1),192.168.1.252 (FW2), and 192.168.1.1 (CARP) as the three "WAN" IP addresses.

Even though it is technically a double NAT, it does not have the challenges of a traditional double NAT because the intermediate router is setup to port forward all incoming traffic on the real WAN to the CARP WAN 192.168.1.1 address.

I realize it is impractical to put another "router" in between the ONT and OPNsense firewall but I used EdgeRouter ER-X which is tiny and very low on power draw. Mikrotik also has similar small devices in their range, such as the Hex. Just make sure you get something with RouterOS and not SwitchOS.

It does add another point of failure in the chain but I run Multi-WAN to negate that. Even if you didn't have the intermediate router the ISP ONT/modem would still be a single point of failure.

This is the best way I could think of doing it and based on my experiences to date, I would recommend it.