How to setup different VPNs on master/backup with Sync enabled?

[ns]

Hello,

I've the following situation:

* two firewalls
* in total one incoming wireguard VPN endpoint that is bound to carp
* one outgoing wireguard VPN *per* device that should always be up, if the machine is running

The problem is that with HA sync, by default all wireguard VPNs are up on the primary machine:

- fw1: incoming, outgoing1, outgoing2
- fw2: -

I then thought, ok I can try to have ONE carp address on fw2 that is the MASTER by default instead of fw1. However, it seems that the HA-Sync always modifies the advskew so that the secondary firewall is slower. Even setting it to 254 on the master only sets it to 254 on the backup.

Then I thought maybe I can create a binding to an IP alias on each machine, however wireguard does not support that.

In the end, what I want to have is:

- fw1: outgoing1
- fw2: outgoing2
- active/master/primary fw: incoming

How do I achieve this with opnsense?

[Monviech (Cedrik)]

I mean you could deactivate the xmlrpc sync section for wireguard and configure them manually on both firewalls from then on.

System: High Availability: Settings - Uncheck Wireguard

Also you can't mix CARP master and backup on both firewalls, one will always try to get all master or all backup. Having it mixed will result in pain.