Is it possible to convert this setup to HA?

Started by Tenn-it, June 18, 2025, 06:20:42 AM

I currently use OPNsense and have been using it for over a year. Previously I used pfSense. The OPNsense setup is a VM and works great.

Currently, the OPNsense VM serves as the internet gateway for our network. It also has two public-facing IP addresses. One is the WAN and one is a virtual IP address.

The two public IP addresses are static IP addresses and both have ports forwarded to internal devices.

These are the fictitious addresses:
LAN = 192.168.1.50
WAN=12.345.67/24
WAN2 (virtual IP)= 12.345.68/24

I don't have a third public ip address available.

Currently I have this VM installed on two hosts with identical setups. I can start one and it works; I can then stop it and start the other, and it works. I just want to have it so that if one dies, the other will take over, and vice versa.

Is that possible?

Thanks!

You need three addresses on each network - one static for each firewall, plus a floating one for CARP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


June 26, 2025, 03:42:57 AM #3 Last Edit: June 26, 2025, 08:46:39 AM by AdSchellevis
This is actually possible, with some delay while the WAN is down, using a CARP script. Put this on both the backup and the master; it triggers on every CARP event. If it's MASTER it brings up the WAN interface; if it's BACKUP it downs the WAN interface. This lets you share MAC addresses on the WAN interface, and if the CARP master is swapped it gets you back up with a short delay (<5 sec), which isn't perfect HA like if you had 3 VIPs, but it should be better than manually switching :)
Change opt4 to your WAN interface name; if it's different on backup/master, make sure you name it appropriately on each.
/usr/local/etc/rc.syshook.d/carp/50-DHCP ->
if this code doesn't work you can find it in the pastebin https://pastebin.com/1YRPPdpe

#!/usr/local/bin/php
<?php
// CARP hook: rc.syshook.d/carp calls every script in this directory with the
// event source ("vhid@interface") as argv[1] and the new state as argv[2].
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

// Only MASTER/BACKUP transitions are handled; anything else (e.g. INIT) is ignored.
if ($type != 'MASTER' && $type != 'BACKUP') {
    log_error("Carp '$type' event unknown from source '{$subsystem}'");
    exit(1);
}
// A genuine CARP event source always has the form vhid@interface.
if (!strstr($subsystem, '@')) {
    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
    exit(1);
}

foreach ($config['interfaces'] as $ifkey => $interface) {
    // opt4 is the WAN assignment on this box; change it to match yours.
    if ($ifkey == 'opt4') {
        if ($type == 'MASTER') {
            // Bring the shared-MAC WAN up, persist the enabled state,
            // then restart DHCPD and request a fresh lease.
            log_msg("Carp Status is now Master!");
            log_msg("Enabling interface: $ifkey - {$interface['if']}");
            shell_exec("/sbin/ifconfig {$interface['if']} up");
            $config['interfaces'][$ifkey]['enable'] = '1';
            write_config("enable interface '$ifkey' due to CARP event '$type'", false);
            interface_configure(false, $ifkey, false, false);
            sleep(1);
            log_msg("Restarting DHCPD");
            shell_exec('pluginctl -s dhcpd restart');
            sleep(1);
            log_msg("Issuing dhclient command to request a DHCP lease");
            shell_exec("dhclient {$interface['if']}");
        } else if ($type == 'BACKUP') {
            // Take the WAN down so only one node ever answers on the shared MAC,
            // persist the disabled state and stop DHCPD.
            log_msg("Carp Status is now Backup!");
            log_msg("Disabling interface: $ifkey - {$interface['if']}");
            shell_exec("/sbin/ifconfig {$interface['if']} down");
            unset($config['interfaces'][$ifkey]['enable']);
            write_config("disable interface '$ifkey' due to CARP event '$type'", false);
            interface_configure(false, $ifkey, false, false);
            log_msg("Stopping DHCPD");
            shell_exec('pluginctl -s dhcpd stop');
        }
    }
}
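Before dropping a hook like the one above onto a production pair it helps to be able to see, without touching any interface, what the hook would do for a given CARP event and which node currently holds each VIP. The following POSIX shell script is an added example, not part of the forum post or of OPNsense: `carp_hook_action` mirrors the two argument checks the PHP hook performs and prints the action it would take, `carp_states` reduces FreeBSD `ifconfig` output to one "interface vhid state" line per CARP VIP, and `carp_consistent` flags a node that is MASTER on one network but BACKUP on another (the split this WAN-without-VIP design cannot recover from). The `ifconfig` text embedded in `SAMPLE_IFCONFIG` is constructed for the example and was not captured from a real firewall.

```shell
#!/bin/sh
# Added example (not from the forum post): dry-run of the 50-DHCP hook's
# argument handling plus a CARP state check from ifconfig output.
# Nothing here changes an interface; it only reports.

# Mirror the two checks the PHP hook performs on its arguments.
#   $1 = event source "vhid@interface" (e.g. 1@vtnet0); $2 = MASTER or BACKUP.
# Prints the action the hook would take; non-zero status where the hook exits(1).
carp_hook_action() {
    subsystem=$1
    type=$2
    case "$subsystem" in
        *@*) ;;                                   # vhid@interface, as CARP passes it
        *)   echo "bad-source"; return 1 ;;
    esac
    case "$type" in
        MASTER) echo "wan-up" ;;                  # ifconfig up, enable, restart dhcpd, dhclient
        BACKUP) echo "wan-down" ;;                # ifconfig down, disable, stop dhcpd
        *)      echo "unknown-event"; return 1 ;; # INIT and anything else: the hook exits
    esac
}

# Reduce `ifconfig` output (stdin) to one "ifname vhid state" line per CARP VIP.
# FreeBSD prints CARP state as "carp: MASTER vhid 1 advbase 1 advskew 0".
carp_states() {
    awk '/^[a-z0-9]+:/ { split($1, a, ":"); ifn = a[1] }
         /carp: /      { for (i = 1; i <= NF; i++) if ($i == "vhid") vhid = $(i + 1)
                         print ifn, vhid, $2 }'
}

# Read "ifname vhid state" lines (stdin); succeed only if every VIP on this node
# is in the same state. MASTER on one network and BACKUP on another is exactly
# the split the hook cannot handle, because the WAN has no VIP of its own.
carp_consistent() {
    awk 'BEGIN { mixed = 0 }
         NR == 1 { first = $3 }
         $3 != first { mixed = 1 }
         END { exit mixed }'
}

# Constructed sample (not captured from a real firewall): the LAN VIP is MASTER
# but a second VIP is BACKUP, so carp_consistent fails for it.
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# Wrapper so the sample can be checked without repeating the pipeline.
sample_states() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | carp_states
}

# `sh carp-check.sh --demo` runs it on the sample; on a live firewall use
# `ifconfig | carp_states` instead and compare both nodes after a failover.
if [ "${1:-}" = "--demo" ]; then
    sample_states
    if sample_states | carp_consistent; then
        echo "CARP state consistent on this node"
    else
        echo "CARP state split across VIPs on this node"
    fi
fi
```

Run on both nodes after a failover, the expected picture is exactly one node reporting MASTER for every vhid and the other reporting BACKUP for every vhid; anything else means the hook's WAN up/down decision and the actual VIP ownership have drifted apart.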

June 28, 2025, 06:12:23 PM #4 Last Edit: June 28, 2025, 06:16:13 PM by Tenn-it
Thanks so much!!
I know this is a dumb question, but what if I don't use DHCPD?