Build a cluster on top of already highly configured FW

Started by wstemb, May 19, 2023, 10:28:30 AM

I did not find answers on this topic, only questions.

Is it possible to build a cluster on top of an already highly configured and working firewall?

Some interruptions are acceptable, but I do not have the window for the "dismantle and rebuild" work, at least not without a very precise plan and timetable, since Murphy's Law governs our work.

The first firewall machine is configured and working with native or VLAN interfaces and rules, DHCP working on some of them, OpenVPN, Zenarmor, routing (OSPF) and some other functions and plugins I can disable.

The second firewall machine is identical in hardware and in basic OPNsense post-install settings to the first working machine.

I have at least one free NIC and enough free IP addresses on all interfaces, including WAN.

The OPNsense manual I found describes building the cluster from scratch. I cannot afford this, because I do not have a third identical machine to build a cluster with and then reconfigure it following the existing firewall configuration in production.

Thanks, Walter


I did this and it worked in the end. I did it for both IPv4 and IPv6 connectivity, but I can only recommend it for IPv4, because IPv6 is a bit hit and miss when it comes to Router Advertisements working correctly after a failover.

The interruptions will come from setting up the CARP VIPs, because you have to replace the current interface IPs of the firewall, and reconfigure them as VIPs on the master and backup firewalls.

Whenever you add a new CARP VIP, it would trigger a failover, so make sure the backup firewall is in persistent CARP maintenance mode and CARP is set to disabled.

EDIT: I didn't use OpenVPN, Zenarmor or OSPF. DHCP is a little buggy in failover mode, so I set the DHCP servers on both firewalls to always on, with a response delay on the second firewall.
Hardware:
DEC740

Thank you.

I am now using only IPv4, and plan to continue using it alone on the cluster, so there will be no issues with IPv6.

On a cluster of commercial FWs I had before, I did not use DHCP in cluster mode. Both FWs had DHCP enabled on selected interfaces, with similar options and different scopes. The plan was to continue this way.

Zenarmor is not a show stopper; it can be temporarily disabled/uninstalled if necessary during reconfiguration. OpenVPN is very important and must continue to work for remote users, OSPF also, so a new question could arise here.

From what I understand, OpenVPN works with the CARP VIP. So if you manage to reuse the same IP you use for it right now as a CARP VIP it should work.

I have tested only IPsec and WireGuard though. IPsec works great with the CARP VIP, and WireGuard only if the tunnel is initiated from outside.

I don't have any knowledge about OSPF, so somebody else has to answer that.
Hardware:
DEC740

Work half done.

Installed a second firewall on identical hardware and upgraded it to the same firmware version.

Defined all interfaces (I have a lot of them, 8, most of them VLANs). I had to follow strictly the same order of OPTx names when defining them on the second firewall; if not, the HA "Synchronize states" will copy definitions onto the wrong interfaces.

Defined corresponding CARP VIPs on both firewalls for all defined interfaces.

On first tests it seems everything (defined) is working, but since the work is not finished and important functions have to be redefined (the most important are the OpenVPN servers and the OSPF definition), I disabled the second firewall for now, so the cluster is working on one node only.

I had to change the OpenVPN server interface to the cluster one on WAN.
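Two of the traps in this thread are checkable before HA sync is ever switched on: the reply above about every new CARP VIP triggering a failover unless the backup is demoted, and the last post's warning that the OPTx keys must be defined in the same order on both nodes or the sync lands definitions on the wrong interfaces. The script below is an added example, written for this page and not code from the thread or from the OPNsense project. It takes two config.xml exports and reports order mismatches, interfaces that still lack a CARP VIP, backup VIPs whose advskew is not higher than the master's, and VIPs that do not fit the network of the interface they were synced onto. It assumes the export layout as I understand it (`<interfaces>` children keyed `wan`/`lan`/`optN` with `<if>`, `<descr>`, `<ipaddr>`, `<subnet>`; `<virtualip><vip>` entries with `<interface>`, `<mode>`, `<subnet>`, `<subnet_bits>`, `<vhid>`, `<advskew>`); the two embedded exports, the device names and the addresses are constructed for the example, and the backup deliberately has its two VLANs assigned in the opposite order.

```python
"""Audit two OPNsense config.xml exports before enabling HA sync.

Added example, not code from the forum thread or the OPNsense project.
Assumption: exports contain <interfaces> children keyed wan/lan/optN with
<if>/<descr>/<ipaddr>/<subnet>, and <virtualip><vip> entries with
<interface>/<mode>/<subnet>/<subnet_bits>/<vhid>/<advskew>. Both samples
below are constructed; the backup has its two VLANs assigned in the
opposite order, the mistake the post warns about.
"""
import ipaddress
import xml.etree.ElementTree as ET

MASTER_XML = """<opnsense>
<interfaces>
<wan><if>igb0</if><descr>WAN</descr><ipaddr>203.0.113.11</ipaddr><subnet>24</subnet></wan>
<lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
<opt1><if>vlan0.10</if><descr>VOIP</descr><ipaddr>10.10.10.2</ipaddr><subnet>24</subnet></opt1>
<opt2><if>vlan0.20</if><descr>GUEST</descr><ipaddr>10.10.20.2</ipaddr><subnet>24</subnet></opt2>
</interfaces>
<virtualip>
<vip><interface>wan</interface><mode>carp</mode><subnet>203.0.113.10</subnet><subnet_bits>24</subnet_bits><vhid>1</vhid><advskew>0</advskew></vip>
<vip><interface>lan</interface><mode>carp</mode><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits><vhid>2</vhid><advskew>0</advskew></vip>
<vip><interface>opt1</interface><mode>carp</mode><subnet>10.10.10.1</subnet><subnet_bits>24</subnet_bits><vhid>3</vhid><advskew>0</advskew></vip>
</virtualip>
</opnsense>"""

BACKUP_XML = """<opnsense>
<interfaces>
<wan><if>igb0</if><descr>WAN</descr><ipaddr>203.0.113.12</ipaddr><subnet>24</subnet></wan>
<lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.3</ipaddr><subnet>24</subnet></lan>
<opt1><if>vlan0.20</if><descr>GUEST</descr><ipaddr>10.10.20.3</ipaddr><subnet>24</subnet></opt1>
<opt2><if>vlan0.10</if><descr>VOIP</descr><ipaddr>10.10.10.3</ipaddr><subnet>24</subnet></opt2>
</interfaces>
<virtualip>
<vip><interface>wan</interface><mode>carp</mode><subnet>203.0.113.10</subnet><subnet_bits>24</subnet_bits><vhid>1</vhid><advskew>100</advskew></vip>
<vip><interface>lan</interface><mode>carp</mode><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits><vhid>2</vhid><advskew>0</advskew></vip>
<vip><interface>opt1</interface><mode>carp</mode><subnet>10.10.10.1</subnet><subnet_bits>24</subnet_bits><vhid>3</vhid><advskew>100</advskew></vip>
</virtualip>
</opnsense>"""


def interfaces(xml_text):
    """Ordered (key, device, descr, ipaddr, bits) for every assigned interface."""
    root = ET.fromstring(xml_text)
    return [(n.tag, n.findtext("if"), n.findtext("descr", ""),
             n.findtext("ipaddr", ""), n.findtext("subnet", ""))
            for n in root.find("interfaces") if n.findtext("if")]


def carp_vips(xml_text):
    """Interface key -> list of CARP VIPs as dicts (addr, bits, vhid, advskew)."""
    vips = {}
    for v in ET.fromstring(xml_text).iterfind("virtualip/vip"):
        if v.findtext("mode") != "carp":
            continue
        vips.setdefault(v.findtext("interface"), []).append({
            "addr": v.findtext("subnet"), "bits": v.findtext("subnet_bits"),
            "vhid": int(v.findtext("vhid")), "advskew": int(v.findtext("advskew", "0"))})
    return vips


def check_interface_order(master_xml, backup_xml):
    """OPTx keys must exist in the same order and be bound to the same device on
    both nodes (identical hardware, as in the thread); sync copies by key."""
    problems = []
    master, backup = interfaces(master_xml), interfaces(backup_xml)
    mkeys, bkeys = [i[0] for i in master], [i[0] for i in backup]
    if mkeys != bkeys:
        problems.append(f"interface keys differ: master={mkeys} backup={bkeys}")
    bdev = {key: (dev, descr) for key, dev, descr, _, _ in backup}
    for key, dev, descr, _, _ in master:
        if key in bdev and bdev[key][0] != dev:
            problems.append(f"{key}: master uses {dev} ({descr}) but backup uses "
                            f"{bdev[key][0]} ({bdev[key][1]})")
    return problems


def check_carp_vips(master_xml, backup_xml):
    """Every addressed master interface needs a CARP VIP; the backup needs the
    same vhid and address with a higher advskew, or it competes for MASTER."""
    problems = []
    mv, bv = carp_vips(master_xml), carp_vips(backup_xml)
    for key, _, descr, ipaddr, _ in interfaces(master_xml):
        if not ipaddr:
            continue  # nothing addressed here, so nothing to move onto a VIP
        if key not in mv:
            problems.append(f"{key} ({descr}): no CARP VIP on the master")
        if key not in bv:
            problems.append(f"{key} ({descr}): no CARP VIP on the backup")
        for vip in mv.get(key, []):
            twin = next((t for t in bv.get(key, []) if t["vhid"] == vip["vhid"]), None)
            if twin is None:
                problems.append(f"{key} ({descr}): vhid {vip['vhid']} missing on the backup")
            elif twin["addr"] != vip["addr"]:
                problems.append(f"{key} ({descr}): vhid {vip['vhid']} is {vip['addr']} on "
                                f"master, {twin['addr']} on backup")
            elif twin["advskew"] <= vip["advskew"]:
                problems.append(f"{key} ({descr}): backup advskew {twin['advskew']} is not "
                                f"higher than master advskew {vip['advskew']}")
    return problems


def check_vip_placement(xml_text, label):
    """A CARP VIP must lie inside the network of its interface on this node and
    must not reuse that node's own address (the old address becomes the VIP;
    each node gets a fresh one, as the reply above describes)."""
    problems = []
    vips = carp_vips(xml_text)
    for key, _, descr, ipaddr, bits in interfaces(xml_text):
        try:
            iface = ipaddress.ip_interface(f"{ipaddr}/{bits}")
        except ValueError:  # dhcp/pppoe/empty: nothing static to compare against
            continue
        for vip in vips.get(key, []):
            vip_ip = ipaddress.ip_address(vip["addr"])
            if vip_ip == iface.ip:
                problems.append(f"{label} {key} ({descr}): VIP {vip_ip} equals the interface address")
            elif vip_ip not in iface.network:
                problems.append(f"{label} {key} ({descr}): VIP {vip_ip} is outside {iface.network}")
    return problems


def audit(master_xml, backup_xml):
    return (check_interface_order(master_xml, backup_xml)
            + check_carp_vips(master_xml, backup_xml)
            + check_vip_placement(master_xml, "master")
            + check_vip_placement(backup_xml, "backup"))


if __name__ == "__main__":
    for problem in audit(MASTER_XML, BACKUP_XML):
        print("PROBLEM:", problem)
```

Run it against the two constructed exports and it reports the swapped opt1/opt2 devices, the LAN VIP whose backup advskew equals the master's (so both nodes would claim MASTER once the backup leaves maintenance mode), the missing VIPs on opt2, and the opt1 VIP that, after a sync onto the mis-ordered backup, sits in 10.10.10.0/24 while the backup's opt1 is on 10.10.20.0/24. Replace the two string constants with `open(path).read()` of real backups to use it in practice; on non-identical hardware compare `descr` instead of the device name in `check_interface_order`.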