Upgrade OPNsense HA cluster remotely

Started by Elia99, July 18, 2024, 09:57:24 AM

Hello, is there a way to upgrade an OPNsense HA cluster remotely? I haven't found much on this topic in the forum.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks Patrick, I have already read the manual section about the CARP upgrade. For me, it isn't very clear; let's take the first step:

Quote: Update your secondary unit and wait until it is online again

How can I update the secondary unit, if it has a gateway which is marked as "offline"?
Currently I have the primary node which is the master, everything is running nice and smoothly, but secondary unit gateway is marked as "offline" and upgrade from GUI or CLI isn't working, so I can't follow those steps to upgrade remotely.

Any hint?

In all my HA setups both units have a valid and working gateway. Each unit needs its own IP address on WAN of course. So I guess you should start with investigating and fixing that problem.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you very much! This info is crucial, I'll try to investigate and fix it, thanks again Patrick.

Patrick, could you tell me how you make both gateways work and stay online in your setups?

I followed this guide to configure CARP and HA:

https://docs.opnsense.org/manual/how-tos/carp.html#
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-ha-on-opnsense

But every time I create an HA cluster, I end up with the primary node (master) having an online, working gateway and the secondary node (slave) having an offline, non-working gateway.

How exactly does your Internet uplink work? You need at least a /29 from your ISP for "proper" HA (with IPv4).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, I have an x.x.x.x/29 public subnet, both firewalls have a fixed public IP on their corresponding WAN interfaces, and there is a WAN Virtual IP configured.

I've linked some screenshots of it:

https://postimg.cc/gallery/NBbgBNf

I really don't know what to check, I'm struggling here.

1. Why are you setting a monitor IP?
2. Your NAT rule tries to NAT all outbound traffic including everything from the firewall itself.

Change the NAT rule from

Source: *

to

Source: an alias that sums up all your internal networks

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
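As an added check that is not part of this thread or of OPNsense itself: the catch-all outbound NAT rule Patrick points at is visible in the ruleset pf actually loaded, which `pfctl -sn` prints on the firewall shell. The script below runs over a constructed sample of that output (the interface name `vtnet0`, the alias name `InternalNets` and the 203.0.113.x addresses are placeholders, not taken from the thread) and flags every `nat` rule whose source is `any`, i.e. a rule that also rewrites the firewall's own traffic, gateway monitor probes included. The corrected rule, with the internal-networks alias as source, is left alone.

```sh
#!/bin/sh
# Constructed sample of `pfctl -sn` output (not captured from a real box):
#   line 1: the weak rule, source "*" in the GUI, "from any" in pf
#   line 2: the corrected rule, source = alias of internal networks
#   line 3: a "no nat" exception, which must not be flagged
SAMPLE_NAT_RULES='nat on vtnet0 inet from any to any -> 203.0.113.2 port 1024:65535
nat on vtnet0 inet from <InternalNets> to any -> 203.0.113.2 port 1024:65535
no nat on vtnet0 inet from 203.0.113.3 to any'

# Print the NAT rules whose source is "any". The optional "inet"/"inet6"
# token covers both address-family-specific and family-less rules.
find_catchall_nat() {
    printf '%s\n' "$1" | grep -E '^nat on [^ ]+ (inet6? )?from any '
}

# Number of such rules; prints 0 (and succeeds) when there are none.
count_catchall_nat() {
    find_catchall_nat "$1" | grep -c . || true
}

# Stand-alone run over the constructed sample. On an OPNsense unit you
# would feed the live ruleset instead: find_catchall_nat "$(pfctl -sn)"
if [ "$(count_catchall_nat "$SAMPLE_NAT_RULES")" -gt 0 ]; then
    echo "outbound NAT rules that also translate the firewall's own traffic:"
    find_catchall_nat "$SAMPLE_NAT_RULES"
else
    echo "no catch-all outbound NAT rule found"
fi
```

A hit on the secondary unit means its own monitor probes are being translated like LAN traffic; narrowing the rule's source to the internal-networks alias, as suggested above, leaves the firewall's own WAN-sourced packets untouched.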

Quote from: Patrick M. Hausen on July 18, 2024, 01:36:06 PM
1. Why are you setting a monitor IP?
2. Your NAT rule tries to NAT all outbound traffic including everything from the firewall itself.

Change the NAT rule from

Source: *

to

Source: an alias that sums up all your internal networks

HTH,
Patrick

It works! Thank you so much Patrick, you made my day!