Topic: Conflicting Virtual IP and DHCP assigned IP on virtual MAC address? (Read 3488 times)
vlorentz « on: May 20, 2021, 10:28:19 pm »
Hi,
I have 2 issues with my 2 OPNsense routers.
My configuration: OPNsense 21.1.5-amd64 ; FreeBSD 12.1-RELEASE-p16-HBSD ; OpenSSL 1.1.1k 25 Mar 2021
Cable Internet <--> FritzBox 6590 <--> 2x OPNsense DC690 with High Availability <--> LAN Switches and Devices
My cable ISP does not provide IPv6, therefore I am using HE out of the Fritzbox (i.e., the Fritzbox is establishing the IPv4 native connection, and then the HE IPv6 connection).
The DC690 are getting their IP addresses via DHCP. Each DC690 gets an IPv4 via DHCP and an IPv6 via DHCPv6 from the Fritzbox. These IP addresses (IPv4 and IPv6) are defined as static, so they are always the same after reboot or reconnection.
1. The first issue is about the Virtual IP. The IP of the DC690-1 is 172.18.0.101. The IP of the DC690-2 is 172.18.0.102. The Virtual IP (VIP) corresponding to both DC690 IPs in WAN side is 172.18.0.100. Since the 101 and the 102 are attributed by DHCP by the Fritzbox and are always the same (because linked to their MAC address), how should I properly define the VIP, to ensure that it will always be 100?
I have tried to set it up in the Fritzbox in the same way as I do it for the two DC690 (i.e., DHCP uses the virtual MAC address and assigns always the same IP which is 100), but if it works quite fine when both DC690 are physically connected to the Fritzbox, it does not work any more when I remove one of the DC690, since the Fritzbox seems to attribute the 100 IP address to the DHCP WAN interface, and I lose then the internet access (not sure why)! Further, I want the 100 address to be declared as "exposed host" in the Fritzbox, so that all the traffic is routed to this VIP. How can I reach this properly? (I do not want to disable DHCP on the Fritzbox, since it would bring other issues).
Any advice how to do this properly? Maybe there is a conflict between the VIP 100 setup in the OPNsense router and the IP 100 assigned by the Fritzbox to the 00:00:05:00:01:01 virtual MAC address?
2. The second issue is quite strange and existed before I set up the HA configuration and had any VIP (so please consider here that HA and VIP are disabled or not existing and only one DC690 is in the configuration). When I reboot the OPNsense router, in most of the cases, I am unable to log in over the GUI anymore after the reboot, if I do not disconnect the WAN side of the router during the reboot (important: only during the reboot, since afterwards it seems to have no more effect). Maybe there is something related to DHCPv4 and/or DHCPv6 or Router Advertisement (RA), all provided by the output of the Fritzbox connected to the OPNsense DEC690? How could I investigate this issue and find out to what it is related?
Strangely, if I forget to disconnect the WAN during the reboot, I still have access to the router via SSH, internet is running, the devices on the LAN all get their addresses and gateway address. Any idea where to look to locate the problem?
Many thanks in advance.
Best regards,
Vincent
vlorentz « Reply #1 on: May 22, 2021, 01:15:51 pm »
It seems that there are not many ideas on how to solve my issues...
I made further tries and I am having more and more doubts that the problem has a clean solution.
To summarize: I have 2 OPNsense firewalls (DC690-1 and DC690-2). The issue is between these 2 OPNsense firewalls and my Fritzbox (the Fritzbox connects to the internet):
DC690 WAN <--> FritzBox LAN <--> Fritzbox Cable Internet
On the DC690 WAN I have the following:
- DC690-1 WAN IP: 178.18.0.101 (assigned by DHCP by the Fritzbox)
- DC690-2 WAN IP: 178.18.0.102 (assigned by DHCP by the Fritzbox)
- CARP Virtual IP on WAN interface: 178.18.0.254
To access the devices in my LAN from the outside (Internet), I have configured the option "Exposed Host" on my Fritzbox. Without using High Availability (HA), I set the exposed host to be 178.18.0.101 and everything rocks.
However, when I want HA, I have to configure the Fritzbox so that 178.18.0.254 is an Exposed Host. This makes problems. First, I must set a fixed IP that will be applied by the Fritzbox to the OPNsense firewalls... but since it is a Virtual IP that is actually already defined in the OPNsense firewalls, I could imagine that it makes problems. Sometimes the Fritzbox assigns 178.18.0.254 to the DC690-1 WAN, and then I do not have access to the internet anymore.
Could somebody help and give me an idea how to configure this specific part of my network?
Many thanks in advance.
Best regards,
Vincent
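
The overlap both posts suspect, between the CARP VIP configured statically on the firewalls and an address the upstream DHCP server also manages, can be checked mechanically from the DHCP server's pool and reservation list. The following is an added example, not part of the original posts or of OPNsense; `audit_vip` is a hypothetical helper, and the /24 mask, the pool range and the physical MAC addresses are constructed sample values (the IP addresses and the virtual MAC are the ones quoted in the posts).

```python
import ipaddress

def audit_vip(vip, network, pool, reservations, node_macs):
    """List ways the DHCP server could hand out a statically configured VIP."""
    vip = ipaddress.ip_address(vip)
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    nodes = {m.lower() for m in node_macs}
    findings = []
    if vip not in net:
        findings.append("VIP is outside the WAN subnet")
    if lo <= vip <= hi:
        findings.append("VIP is inside the dynamic DHCP pool")
    for mac, ip in sorted(reservations.items()):
        if ipaddress.ip_address(ip) != vip:
            continue
        if mac.lower() in nodes:
            # The DHCP server will offer the VIP to a firewall's own WAN NIC.
            findings.append(f"VIP is reserved for physical WAN MAC {mac}")
        else:
            findings.append(f"VIP is reserved in DHCP for MAC {mac}")
    return findings

# Constructed sample data. Addresses and the virtual MAC are the ones quoted
# in the posts; the /24 mask, pool range and physical MACs are assumptions.
NETWORK = "178.18.0.0/24"
POOL = ("178.18.0.20", "178.18.0.200")
NODE_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
VIP = "178.18.0.254"
RESERVATIONS = {
    "02:00:00:00:00:01": "178.18.0.101",
    "02:00:00:00:00:02": "178.18.0.102",
    "00:00:05:00:01:01": "178.18.0.254",  # VIP also reserved on the DHCP server
}

def demo():
    """Audit the setup as posted, then the same setup without the VIP lease."""
    as_posted = audit_vip(VIP, NETWORK, POOL, RESERVATIONS, NODE_MACS)
    static_only = {m: ip for m, ip in RESERVATIONS.items() if ip != VIP}
    without_lease = audit_vip(VIP, NETWORK, POOL, static_only, NODE_MACS)
    return as_posted, without_lease

if __name__ == "__main__":
    for label, result in zip(("as posted", "VIP not in DHCP"), demo()):
        print(label, "->", result or "no overlap found")
```
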