Question about CARP configuration

Started by danbet, December 11, 2023, 11:25:09 AM

Here https://docs.opnsense.org/manual/how-tos/carp.html#setup-interfaces-basic-firewall-rules is some text that I don't understand:
Because we're connecting both firewalls using a direct cable connection, we will add a single rule to accept all traffic on all protocols for that specific interface. Another option is to only accept traffic to the GUI port and pfSync protocol.

What does this "single rule" refer to? In this case, is there no need for a rule on the WAN and LAN, but just this one? However, it's not clear to me what this one should look like.

Does the LAN interface even need a rule that allows CARP? By default it already has one that allows all traffic into the LAN.

Please explain in more detail what these rules should be.

Quote from: danbet on December 11, 2023, 11:25:09 AM

The interface used for pfsync needs a rule to allow traffic between the two firewalls. So this rule would go under Firewall --> Rules --> PFSYNC (or whatever you named your pfsync interface)

    Protocol   Source       Port   Destination   Port   Gateway   Schedule   Description
    IPv4 *     PFSYNC net   *      PFSYNC net    *      *         *

The recommendation is to just have it allow everything like below. If you want to harden things up you can modify it after you have everything up and running and see if everything still works.

    Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
    IPv4 *     *        *      *             *      *         *

I am not sure if you need to explicitly define rules for CARP on the other interfaces. I will try some things and report back.
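For anyone who wants to see what the two GUI rules above boil down to at the packet-filter level, here is an added example written for this thread; it is not from the OPNsense docs, from danbet, or from the reply above. It shows the permissive "allow everything on the pfsync link" rule next to the hardened variant the docs mention (pfsync protocol plus the GUI port only) as pf.conf syntax. The interface name igb2, the 10.0.10.0/30 link subnet and the GUI port 443 are assumptions for illustration; OPNsense generates the real ruleset itself from the Firewall --> Rules tables, so this is for understanding, not for pasting into the box.

```pf
# Added example for this thread, not OPNsense-generated config.
# Assumptions: the dedicated pfsync cable is on igb2 (constructed),
# the link uses the constructed subnet 10.0.10.0/30, and the web GUI
# listens on TCP 443.
pfsync_if  = "igb2"
pfsync_net = "10.0.10.0/30"
gui_port   = "443"

# Variant 1: the single permissive rule recommended in the reply.
# Matches the GUI row "IPv4 *  PFSYNC net -> PFSYNC net" (any protocol).
pass in quick on $pfsync_if inet from $pfsync_net to $pfsync_net keep state

# Variant 2 (use INSTEAD of variant 1): the hardened alternative the docs
# describe, only the pfsync protocol and the GUI port are accepted.
# pfsync is IP protocol 240; with no unicast sync peer configured it is
# sent to the multicast group 224.0.0.240, so the destination is "any".
pass in quick on $pfsync_if inet proto pfsync from $pfsync_net to any
# Management traffic to this firewall's own address on the pfsync link.
pass in quick on $pfsync_if inet proto tcp from $pfsync_net \
    to ($pfsync_if) port $gui_port keep state
# Everything else arriving on the pfsync link is dropped and logged, which
# also gives you a log line to check whether the "allow all" rule was
# really needed once the cluster is up.
block in log quick on $pfsync_if

# CARP itself is IP protocol 112 and is exchanged on the interfaces that
# carry the virtual IPs (LAN/WAN), not on the pfsync link. Whether the
# default LAN rule already covers it is the open question in this thread;
# if an explicit rule is wanted, this is what it looks like (lan_if assumed):
# pass in quick on $lan_if inet proto carp from any to 224.0.0.18
```

Variant 1 and variant 2 are mutually exclusive; with `quick`, the first matching rule wins, so the order pass-then-block matters in variant 2. The `block ... log` line is the useful part for hardening: run with it in place, watch the firewall log for drops on the pfsync interface, and you know whether anything beyond pfsync and the GUI port was actually using the link.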