[SOLVED] Migrate from PFsense to OPNsense

[franco]

Very odd, does removing another CARP membership help?

[shade73]

What do you mean with "removing another CARP memebership" ?

[shade73]

Is this correct?

If I on the primary firewall click on "System / HA / Status" it shows:

Backup firewall versions
Firmware   Base   Kernel
16.7.r2-792f54c76   16.7.r-amd64   16.7.r-amd64

and so on.

If I do the same on the backup firewall, click on "System / HA / status" it shows:

The backup firewall is not accessible or not configured.

Is that right? Shouldnt it show that it is in a realtionship with the primary firewall?

[franco]

What do you mean with "removing another CARP memebership" ?

It would be helpful to see whether this is a problem of multiple CARP setups interacting in a bad way (in our code), so reducing the CARP to the bad WAN scenario could give hints. I don't expect it to magically start working, but right now we don't know.

The backup not being configured I don't know. There are some people here using HA extensively, maybe they can shed a light. And Ad is our expert on HA. I cannot be of too much help.


Cheers,
Franco

[Julien]

Hi Guys,
I am more interested in migrating the OPENVPN users and certificate.
Firewall rules can reconfigure them.
I have backed up the openvpn configuration and upload it to a new OPNsense, unfortunately the users and certificate did not  shows up even after couple of reboot.
Am I supposed to do something after import is successfully ?

[shade73]

I am more interested in migrating the OPENVPN users and certificate.

I had to drop the certificates, pfsense and opnsense seem to have moved to far away from each other.

[shade73]

The backup not being configured I don't know. There are some people here using HA extensively, maybe they can shed a light. And Ad is our expert on HA. I cannot be of too much help.

Do you have a step for step guide to setting up carp/HA on OPNsense? I'm thinking on the small differences there where on the openvpn setup from pfsense to opnsense, if there is some differences here too.

[franco]

Here you go: https://docs.opnsense.org/manual/how-tos/carp.html

[shade73]

Cant find anything off, no errors that stand out.

Do you think this will help me? https://www.deciso.com/business-support/ (as in they can solve the problem)

[franco]

I think so, yes. :)

[franco]

Could it be this? https://github.com/opnsense/core/issues/1100

[shade73]

No, it was not related to that in fact I had no errors in the HA setup.

I created business support ticket, and got help from Deciso. It was a good experience, very friendly and knowledgeable people. Jos helped me and found the cause quickly.

It turns out that our internet router with dual business connection, does not allow/accept the carp traffic between the 2 wan interfaces. Therefore can the secoundary OPNsense box not see that the primary WAN interface is up and thinks it is down and then puts its own as master and ends up with 2 masters on the WAN.

We have "injected" a switch between the OPNsense boxes and the internet router, and now it works just fine with failover and everything.

[Wayne Train]

Hi,

I'm experiencing a similar issue. My backup-node shows:

"The backup firewall is not accessible or not configured."

While the master-node shows details about the backup-node. I always thought, that it's right like that, since the backup-node has no other backup-node and the config is always synced only from the master-node to the backup node. Or am I wrong?

By activating the OPNsense "help" on the HA-Config page it shows

"Do not use the Synchronize Config to IP and password option on backup cluster members!"

...so I assume the error message that the backup firewall is not accessible or configured is confusing, but not wrong? Right?

It would really be great if someone could clarify this issue.

Thanks in advance
CS