High availability

[peksi]

Just joined the forum as I am seriously considering OpnSense as my next routing firewall solution. I've used Linux with iptables (fwbuilder GUI), routes and openvpn with LDAP backend since pre 2000 and it has worked like a rock.

I would like to install my next firewall as a virtual guest keeping another instance as hot standby in another host. Is that possible to do? Do you think it is a smart thing to do that way? I've seen large organizations do that with their Sophos etc.

What technologies in OpnSense would you consider the most solid and best suitable for production use?

[bartjsmit]

OPNsense has its own HA: https://docs.opnsense.org/manual/hacarp.html and there are options for virtual machines in general. VMware and Microsoft offer hardware failover but that's based on at least two physical machines with shared storage and has licence costs.

You need to consider what you're guarding against. If it is a configuration change, you don't need to do anything; OPNsense keeps older configurations and you can simply go back to a date when things worked from the console. If it is off-site backup, you can upload your config to Google drive out of the box. You will need to take into account that restoring a backup involves a clean build with import of your last config. You can meet a shorter RTO if you take regular clones of your VM; like ghettovcb for ESXi.

Bart...

[peksi]

Looks promising. Does it have any fencing?

[bartjsmit]

I'm not aware of any. CARP doesn't mandate it

[peksi]

Maybe it is solved in some other way. I have no experience in CARP but there must be some system that can handle a defunct virtual server to kill it and let secondary node take over?

With HA one problem (at least mine) is when a defunct service gets so badly stuck it won't shut down and keeps the IP / resource occupied. That's where the fencing comes in and kills the system to make way for backup node to become active. With virtual guests I need to run a daemon with the hosts that can be called to kill zombie guests.

[bartjsmit]

I've only used CARP in a sandbox. It uses virtual IP's and heartbeat, but as you say, a node could get to a state where it still heartbeats but doesn't route.

[peksi]

There exists technologies to kill a nonresponsive virtual guest such as fence_kvm. Maybe that would be a development idea.

[bartjsmit]

The best place for feature requests is github https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

Bart...