Topic: Sync states without carp (Read 3151 times)
prokocool69
December 20, 2023, 11:26:07 am
Hello! Could you please help? I have two OPNsense firewalls in an HA pair, but I don't use CARP, only dynamic routing. Should states be synced in that configuration? At the moment they are not.
Monviech (Cedrik)
Reply #1 on: December 20, 2023, 11:34:33 am
States aren't synced with the CARP protocol; they are synced with the pfsync protocol.
https://man.freebsd.org/cgi/man.cgi?pfsync%284%29
System: High Availability: Settings
It's best to use a dedicated interface as the Synchronize interface between both firewalls, since there is high multicast traffic. Leave the "Synchronize Peer IP" empty. You have to create a firewall rule that allows the pfsync protocol on both firewalls on the interface that's the Synchronize interface.
Please note that both firewalls need to have the exact same interfaces and the exact same interface names.
After you have configured pfsync on OPNsense, you can see what it's doing with "tcpdump -i pfsync" and also by looking at the state table on both firewalls.
Last Edit: December 20, 2023, 11:37:59 am by Monviech
Hardware: DEC740
prokocool69
Reply #2 on: December 20, 2023, 11:40:31 am
Thank you for your reply. I have a dedicated interface between the two firewalls and I've created a pass rule for this interface, but states aren't synced. What could be the problem?
prokocool69
Reply #3 on: December 20, 2023, 11:45:00 am
"Please note that both firewalls need to have the exact same interfaces and the exact same interface names." I think this is the problem, I have different interface names.
Monviech (Cedrik)
Reply #4 on: December 20, 2023, 01:00:27 pm
Yeah, if both firewalls' interfaces aren't literally the same names and the same configuration + same network drivers, don't use statesync. It will break states and won't work.
Hardware: DEC740
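A quick check for the interface-name requirement discussed above, as an added example that is not part of any post in this thread: it compares the device-name lists printed by "ifconfig -l" on each firewall and reports names found on only one node. The function names and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare interface device names
# between two HA nodes. Each argument is the space-separated list that
# `ifconfig -l` prints on one firewall.

# Print each name on its own line, sorted and de-duplicated.
# $1 is left unquoted on purpose so the list is split on whitespace.
names_sorted() {
    printf '%s\n' $1 | LC_ALL=C sort -u
}

# Print "only-on-A: name" / "only-on-B: name" for every name that is not
# present on both nodes. Returns 0 when the sets match, 1 when they
# differ, 2 if a temporary file cannot be created.
ifname_diff() {
    tmp_a=$(mktemp) || return 2
    tmp_b=$(mktemp) || { rm -f "$tmp_a"; return 2; }
    names_sorted "$1" > "$tmp_a"
    names_sorted "$2" > "$tmp_b"
    out=$(
        LC_ALL=C comm -23 "$tmp_a" "$tmp_b" | sed 's/^/only-on-A: /'
        LC_ALL=C comm -13 "$tmp_a" "$tmp_b" | sed 's/^/only-on-B: /'
    )
    rm -f "$tmp_a" "$tmp_b"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data: node B has a vtnet NIC where node A has igb2.
NODE_A="igb0 igb1 igb2 lo0 enc0 pflog0 pfsync0"
NODE_B="igb0 igb1 vtnet0 lo0 enc0 pflog0 pfsync0"

ifname_diff "$NODE_A" "$NODE_B" || echo "interface names differ between nodes"
```
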
prokocool69
Reply #5 on: December 27, 2023, 06:35:39 am
I've made all interfaces similar on both firewalls, but pfsync still doesn't work. tcpdump -i pfsync0 on both firewalls doesn't show any traffic. What could be the problem?
mimugmail
Reply #6 on: December 27, 2023, 07:23:23 am
Screenshots of HA settings and fw rules please
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
prokocool69
Reply #7 on: December 27, 2023, 07:50:33 am
FW rules on sync interface
prokocool69
Reply #8 on: December 27, 2023, 07:50:55 am
HA settings
mimugmail
Reply #9 on: December 27, 2023, 08:12:54 am
Can you try to point the Failover IPs of the other firewall instead of the multicast address?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
prokocool69
Reply #10 on: December 27, 2023, 08:13:29 am
I've rebooted one firewall and pfsync now works fine. Thank you for your support)