[solved] Routing VIP to VIP (Connect two OPNsense-Cluster over virtual IP)

Started by l.gremme, November 22, 2019, 01:38:05 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 22, 2019, 01:38:05 PM Last Edit: December 04, 2019, 10:11:43 PM by l.gremme
I have a Multi-WAN with two internet connections. The first one is a fibric, connected to the first Switch. The second one is a VDSL. The fabric have some virtual (public) IP-addresses. The OPNsense is working in a Cluster of 2 Nodes. The Cluster is connected in our DMZ-Network and have 1 virtual IP.

We provide a second Cluster for the internal Traffic for our environment. Every network gets a smaller Subnet of 10.0.0.0/8 Network in one VLAN (e.g. 10.1.1.0/24).

I have Routing Problems to connect the second Cluster with the virtual IP 192.168.0.160 to the first Cluster 192.168.0.150. I check the first Cluster with one PC in the DMZ an I have a good connection with one or two pings failed.

I check the second Cluster with the same PC in another Subnet (no blocking everything), I get only one or two pings back from 1.1.1.1 or 8.8.8.8.

Version OPNsense: 19.7.6

If I create in the second Cluster a Gateway-Group with the real IPs of OPNsense in the first Cluster, I will get every response. If I use the virtual IP of the first Cluster, I get one or two responses (10 ICMP-Requests). What is the problem?

Grettings
Lars

Code Select

        WAN                   WAN
         :                     :
         : Ethernet            : VDSL
         :                     :
:               -----------
         :               |  Router  |
         :               ------------
         :                     |
         -----------------------
         |  Switch (redundant) |
         -----------------------
           |                 |
           |                 |
           |                 |       Multi-WAN with Backup
      -----------      -----------
      | OPNsense |-----| OPNSense|
      ----------- HA-1 -----------
           |     CARP        |
  x.x.x.151|  VIP x.x.x.150  | 192.168.0.152/24
           ---------------------
           |       DMZ         |
           ---------------------
           |    CARP         |
  x.x.x.161|  VIP x.x.x.160  | 192.168.0.162
     -----------          -----------
     | OPNsense |---------| OPNSense |
     -----------  HA-2    ------------
         |                   |
         |                   |
         ---------------------
         |  Internal Net VIP |
         ----------------------
December 04, 2019, 10:13:18 PM #1
The problem is the vhid in the virtual ip.
Every Firewall-Cluster have the same vhid in our dmz-vlan. I changed the vhid of one firewall-cluster and it works.
Print
Go Up Pages1
User actions