Topic: Looking for information about the clustering and data replications (Read 1711 times)
Astaoth (Newbie, Posts: 7, Karma: 0)
« on: May 07, 2022, 07:21:19 pm »
Hi!
After pushing my little PCEngine to the max use of its poor CPU, I've decided to build another box from a PC. But, because currently I don't need to put another firewall anywhere in my LAN and don't like to have hardware rusting in a closet, I thought I could instead start to play with the OPNsense HA. However, there are some points I fail to understand:
1. What is the purpose of the PF sync? Is it only for not breaking the user sessions when the failover starts?
2. About the interfaces, as far as I understand this, I'll have to create them by hand on each box, right?
3. If yes to the previous question, how does it work with VPN interfaces? Would I have to also make the assignment by hand?
4. About the replication, as I understand it, it's only from the main box to the slave box. Does it mean I can have specific rules and configurations on the slave box, and if they are, for example, on dedicated interfaces (which don't exist on the main box), they will not be overwritten by the replication?
5. How does the settings replication work with plugins? For example, I have a telegraf supervision, FRR configurations, reverse proxy, a few VPNs (OpenVPN, WireGuard and IKEv2), etc.
The main thing with my new box is that it doesn't have at all the same hardware as the APU: it has fewer network interfaces, no wifi, and much more power, for running a suricata, zenarmor and other resource-hungry services at the full speed of my internet connection.
« Last Edit: May 07, 2022, 07:23:31 pm by Astaoth »
spider (Newbie, Posts: 43, Karma: 1)
Re: Looking for information about the clustering and data replications
« Reply #1 on: May 24, 2022, 07:04:54 am »
Hi,
I'm no expert, but maybe this helps a little.
1. What is the purpose of the PF sync? Is it only for not breaking the user sessions when the failover starts?
The pfsync interfaces perform two tasks: to pass the states of the connection to the backup firewall and to transfer the XMLRPC configuration.
2. About the interfaces, as far as I understand this, I'll have to create them by hand on each box, right?
Yes.
3. If yes to the previous question, how does it work with VPN interfaces? Would I have to also make the assignment by hand?
Don't know.
4. About the replication, as I understand it, it's only from the main box to the slave box. Does it mean I can have specific rules and configurations on the slave box, and if they are, for example, on dedicated interfaces (which don't exist on the main box), they will not be overwritten by the replication?
You can choose what is replicated, down to a specific firewall rule.
5. How does the settings replication work with plugins? For example, I have a telegraf supervision, FRR configurations, reverse proxy, a few VPNs (OpenVPN, WireGuard and IKEv2), etc.
WireGuard works fine if there are no keepalive packets on the server side. It makes little sense to have keepalive packets on an endpoint without an endpoint address. OpenVPN works just fine too.
If your backup firewall is the APU then there is something special you'll need to do; see the how-tos.
https://docs.opnsense.org/manual/hacarp.html
and
https://docs.opnsense.org/manual/how-tos/carp.html
HTH
-spider