Opnsense HA - Master loses connection to slave

[volrath87]

Hello,

i ve setup HA between 2 Firewalls on Interface1. FW01 and FW02 are connected directly via CrossOverCable.

ofc i ve configured rules on interface1 which allows traffic from fw01 to fw02 and vice versa.

The problem is after synchronisation the rule on fw02 (slave) dissappears and master (fw01) is not able to process any further syncronisation (because it is copied from master). I also tried to put the rule on master but it didn't help. I guess opnsense first removes the rule from slave and after then it is not able to synchronize anything.

How do you manage this?

BR

[lshantz]

I don't quite get what is happening, but perhaps you could flesh out the problem a little more? Even screen shots. Are you able to see got to System/Hi availability/status and see the data there? What do you see in the Dashboard etc.

[volrath87]

ok let me describe it in another way

FW02 (slave) has a rule which allows traffic from FW01 on the "Synchronize Interface". Without that rule everything from FW01 is denied (default)

When FW01 synchronizes configurations to FW02 (System -> HA -> Settings -> Perform synchronization) that rule is removed and then connection between FW01 and FW02 is down.

I ve to say that i didn't setup carp for now. Maybe this is the issue?

[volrath87]

Maybe there is a problem matching the interfaces of FW01 and FW02 ?

How does the synchronisation map firewall rules/interfaces from FW01 to the correct corresponding interface on FW02 ? By name? Or is there a mapping table?

[lshantz]

So we are talking the PFSYNC interface correct? I wonder if somehow the sync is causing the IP to be the same instead of .1 and .2. WAG at this poitnt

[volrath87]

After setting up CARP VIP the synchronisation works.

Thanks for your feedback