Topic: Secondary Firewall (Read 4200 times)
dragon2611 (October 19, 2017, 10:41:36 pm)
Does it cause any issues if the primary firewall in an HA pair was physical and the secondary was a VM?
Nothing of much importance behind them, just doing NAT for my lab/playground/personal servers environment.
franco, Administrator (Reply #1, October 20, 2017, 08:34:30 am)
Works fine. Just make sure the "smaller" firewall can handle the peak of your traffic in case it needs to take over.
Cheers,
Franco
xupetas (Reply #2, October 20, 2017, 10:44:02 am)
Works beautifully. I recommend (and I think that the documentation recommends it too) that you have a dedicated interface for CARP.
Other recommendations include using e1000 virtual cards on the interfaces that you will be using IDS with IPS active (Suricata), because the virtio cards have an improper implementation / bug of netmap.
Finally (and I don't know if this is a bug in the config or my very weird configuration type), on the CARP interfaces you WILL HAVE TO set rules so the config sync mechanism and the CARP mechanism work.
Again, I don't know if this should be done automatically by OPNsense, or if something is screwed up in my config.
dragon2611 (Reply #3, October 21, 2017, 12:57:47 pm)
Do you have to install packages you want to config sync on the second firewall, or is it smart enough to do that automatically if you try to config sync an optional package?
franco, Administrator (Reply #4, October 22, 2017, 11:58:24 am)
We don't want to rely on automatic package installation. There is still a ticket open to be able to register installed packages in the config.xml for such duties... at least to provide a reinstall button and/or a warning that not all plugins are properly installed.
Cheers,
Franco