Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
Build a cluster on top of already highly configured FW
« previous
next »
Print
Pages: [
1
]
Author
Topic: Build a cluster on top of already highly configured FW (Read 980 times)
wstemb
Newbie
Posts: 32
Karma: 1
Build a cluster on top of already highly configured FW
«
on:
May 19, 2023, 10:28:30 am »
I did not find answers on this topic, only questions.
It is possible to build a cluster on top of already highly configured and working firewall?
Some interruption are acceptable, but I have not the window for the "dismantle and rebuild work", at least without a very precise plan and timetable, where Murphy Law is governing our work.
The first firewall machine is configured and working with native or vlan interfaces and rules, dhcp working on some of them, openvpn, zenarmor, routing (OSPF) and some other functions and plugins I can disable.
The second firewall machine is identical in hardware and in basic OPNSense post-install settings to the first working machine.
I have at least one free NIC and enough free IP addressed on all interfaces, including WAN.
The OPNSense manual I found describe building the cluster from the scratch. I cannot afford this, because I have not a third identical machine to build a cluster and then reconfigure it following the existing firewall configuration in production.
Thanks, Walter
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1593
Karma: 176
Re: Build a cluster on top of already highly configured FW
«
Reply #1 on:
May 19, 2023, 10:55:29 am »
I did this and it worked in the end. I did it for both ipv4 and ipv6 connectivity, but I can only recommend it for ipv4 cause the ipv6 is a bit hit and miss when it comes to Router Advertisements working correctly after a failover.
The interruptions will come from setting up the CARP VIPs, because you have to replace the current interface IPs of the firewall, and reconfigure them as VIPs on the master and backup firewalls.
Whenever you add a new CARP VIP, it would trigger a failover, so make sure the backup firewall is in permanent carp maintanance mode and carp is set to disabled.
EDIT: I didnt use openvpn, zenarmor, OSPF. DHCP is a little buggy in failover mode, so I set the DHCP Servers on both firewall on always on with a respond delay on the second firewall.
«
Last Edit: May 19, 2023, 10:57:49 am by Monviech
»
Logged
Hardware:
DEC740
wstemb
Newbie
Posts: 32
Karma: 1
Re: Build a cluster on top of already highly configured FW
«
Reply #2 on:
May 19, 2023, 11:21:01 am »
Thank you.
I am using now only IPV4, and plan to continue using it alone on cluster, so there will be no issues with IPV6
On a cluster of commercial FWs I had before, I did not use DHCP in cluster mode. Both FW had enabled DHCP on selected interfaces, similar options, different scopes. The plan was to continue this way.
Zen armor is not a show stopper, it can be temporarily disabled/deinstalled if necessary during reconfiguration. OpenVPN is very important to continue to work for remote users, OSPF also, so here could arise new question.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1593
Karma: 176
Re: Build a cluster on top of already highly configured FW
«
Reply #3 on:
May 19, 2023, 11:37:19 am »
From what I understand, OpenVPN works with the CARP VIP. So if you manage to reuse the same IP you use for it right now as a CARP VIP it should work.
I have tested only IPSEC and Wireguard though. IPSEC works great with the CARP VIP, and Wireguard only if the Tunnel is initiated from outside.
I don't have any knowledge about OSPF, so somebody else has to answer that.
Logged
Hardware:
DEC740
wstemb
Newbie
Posts: 32
Karma: 1
Re: Build a cluster on top of already highly configured FW
«
Reply #4 on:
June 05, 2023, 03:47:29 pm »
Work half done.
Installed a second firewall on a identical hardware and upgraded to same firmware version.
Defined all interfaces (I have a lot of them 8, most of them VLANs) ). Had to follow strictly the same order of OPTx names during definitions on the second firewall, if not the HA "Synchronize states" will copy definitions on wrong interfaces.
Defined corresponding CARP VIP-s on both firewalls for all defined interfaces.
On first tests is seems all (defined) is working, but since the work is not finished and important functions have to be redefined - the most important are OpenVPN servers and OSPF definition, I disabled the second firewall for now, so the cluster is working on one node only.
I had to change the OpenVPN server interface to the cluster one on WAN.
«
Last Edit: June 05, 2023, 04:06:11 pm by wstemb
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
Build a cluster on top of already highly configured FW