Topic: HA: with one WAN address possible

grefabu, on: November 28, 2022, 04:23:00 pm
Hi,
I wonder if HA is possible with one WAN IP address.
As far as I know, the additional IPs for WAN are necessary to get access from the respective OPNsense to the Internet/repositories.
If it is possible that the main OPNsense is the repository for the slave, is there no need to have an IP address on both OPNsense boxes?
That is an advantage when you have fewer static IP addresses.
Is there a solution for that?
I know it from other firewalls such as Sophos UTM SG.
Bye
Gregor
Logged
WaffleIron, Reply #1 on: December 28, 2022, 01:31:13 am
Hi Grefabu,
Your question isn't necessarily about HA but rather CARP. CARP is essentially the FreeBSD version of VRRP/HSRP and all of these protocols require three IP addresses to be used. The unique IP assigned to each device is used to send keepalives to the other and negotiate who the master of the CARP VIP should be. Specifically, each device will use its unique IP to send out a multicast message (224.0.0.18) with CARP-related information (priority/skew, VIP, etc.) and each box negotiates from there.
To do what you are asking, the OPNsense team would need to completely reconfigure how HA works for the platform. I'm not familiar with how Sophos works but to relate it to other...larger companies...HA would need to be re-tooled to function more like VSS/VPC where both boxes act logically as one unit instead of one box doing a "config sync" to the other.
Logged
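The advertisement exchange described in the reply above, as an added example that is not from the thread or from OPNsense code: a parser for captured CARP advertisements that shows each firewall sending from its own unique address to 224.0.0.18, plus the skew comparison that decides the master. The field layout follows FreeBSD's `struct carp_header`; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import struct

CARP_PROTO = 112                                   # IP protocol number CARP shares with VRRP
CARP_GROUP = ipaddress.ip_address("224.0.0.18")    # multicast group named in the reply
CARP_HDR = struct.Struct("!BBBBBBH8s20s")          # 36-byte layout of FreeBSD's struct carp_header


def parse_carp(packet: bytes) -> dict:
    """Parse an IPv4 packet holding a CARP advertisement; raise ValueError otherwise.
    Checksum and HMAC are not verified here (the HMAC needs the shared password)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + CARP_HDR.size:
        raise ValueError("truncated packet")
    if packet[9] != CARP_PROTO or ipaddress.ip_address(packet[16:20]) != CARP_GROUP:
        raise ValueError("not protocol 112 to 224.0.0.18")
    if packet[8] != 255:
        raise ValueError("TTL is not 255, so the packet may have been routed from off-link")
    vt, vhid, advskew, _authlen, _pad, advbase, _ck, _ctr, _md = CARP_HDR.unpack_from(packet, ihl)
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a CARP version 2 advertisement")
    return {"src": str(ipaddress.ip_address(packet[12:16])),
            "vhid": vhid, "advbase": advbase, "advskew": advskew}


def preferred_master(adverts: list) -> dict:
    """Per VHID, the sender advertising most often (lowest advbase, then advskew) wins."""
    best = {}
    for a in adverts:
        key = (a["advbase"], a["advskew"])
        if a["vhid"] not in best or key < best[a["vhid"]][0]:
            best[a["vhid"]] = (key, a["src"])
    return {vhid: src for vhid, (_, src) in best.items()}


def sample_packet(src: str, vhid: int, advskew: int, ttl: int = 255) -> bytes:
    """Constructed test input: IPv4 header plus CARP header, checksums and HMAC zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + CARP_HDR.size, 0, 0, ttl, CARP_PROTO, 0,
                     ipaddress.ip_address(src).packed, CARP_GROUP.packed)
    return ip + CARP_HDR.pack(0x21, vhid, advskew, 7, 0, 1, 0, bytes(8), bytes(20))


if __name__ == "__main__":
    # Constructed addresses (documentation range): each firewall sends from its own unique IP.
    pkts = [sample_packet("192.0.2.2", 1, 0), sample_packet("192.0.2.3", 1, 100)]
    print(preferred_master([parse_carp(p) for p in pkts]))
```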