

High Availability in OPNsense

These are just notes on how we built one. Both of our routers are virtual machines running under the KVM hypervisor. That allowed a bunch of shortcuts, such as defining VLANs at the hypervisor level and replicating a running router to create the second one. We used two separate physical machines; the hypervisor was mainly so we could put some additional low-resource virtual machines on the same physical machine.

We'll need one shared IP for each interface: one IP for each router plus one shared one, so a total of 3 IPs set aside per interface for the pair.

Initial

  1. Define the network bridges to be used by the router, one per VLAN to be used
  2. Create one router (hint: tell the hypervisor to use the predefined FreeBSD settings)
    1. It doesn't need much disk space; 10G appears to be just fine
    2. Our machine did not have AES, so we increased processors to 4 and RAM to 8G
  3. Do a standard install, defining the network interfaces, etc.
  4. Shut down the virtual machine (the router)
  5. Replicate the configuration and storage to the second machine
    1. Reconfigure the name
    2. Reconfigure the MAC addresses for the virtual machine
  6. Bring up the second machine (first one still down). Connect and change the name and IPs on all interfaces
  7. Bring up the first machine

You should now have two virtually identical installations, with only the name, IPs and MAC addresses different.

Configure HA

I did NOT set this up as recommended, with an additional interface used only for CARP. Instead, I used the LAN interface for that.

  1. Verify that the LAN interface accepts CARP. By default, it is set to accept all traffic from the LAN, but make sure this is the case (see Firewall | Rules | LAN)
  2. On the primary router
    1. Interfaces | Virtual IPs | Settings
      1. Add
      2. Mode: CARP
      3. Interface: choose one of the interfaces
      4. Address: the shared IP address for that interface
      5. Virtual IP Password: choose a random password
      6. VHID Group: press the button to select an unassigned VHID
      7. Advertising Frequency:
        1. Base: 1
        2. Skew: 0
      8. Description: keep it simple. I use VIP “interface name”, e.g. VIP WAN or VIP LAN; VIP stands for Virtual IP.
      9. Save
      10. Repeat for all other interfaces (hint: you can clone an entry, then change the Interface, Address, VHID Group and Description).
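As an added example (not from this wiki page), a small Python check that compares the CARP state each router reports in its ifconfig output (FreeBSD's "carp:" line format) and flags a VHID configured on only one router, both routers claiming MASTER (the symptom when the LAN rule from step 1 does not let CARP advertisements through), or a Base that differs between the two. The ifconfig excerpts, interface names, addresses and VHIDs are constructed sample values.

```python
import re

# Constructed ifconfig(8) excerpts in FreeBSD's "carp:" line format, one per router.
# Interface names, addresses and VHIDs are sample values, not taken from the wiki page.
PRIMARY = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
SECONDARY = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
    carp: BACKUP vhid 1 advbase 1 advskew 100
vtnet1: flags=8843<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    carp: MASTER vhid 2 advbase 1 advskew 100
"""

CARP_RE = re.compile(r"^\s+carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")

def parse_carp(text):
    """Map vhid -> (state, advbase, advskew) from one router's ifconfig output."""
    out = {}
    for line in text.splitlines():
        m = CARP_RE.match(line)
        if m:
            state, vhid, base, skew = m.groups()
            out[int(vhid)] = (state, int(base), int(skew))
    return out

def check_pair(primary, secondary):
    """Compare both routers' CARP state and return a list of problems found."""
    a, b = parse_carp(primary), parse_carp(secondary)
    problems = []
    for vhid in sorted(set(a) | set(b)):
        if vhid not in a or vhid not in b:
            problems.append(f"vhid {vhid}: configured on only one router")
            continue
        states = {a[vhid][0], b[vhid][0]}
        if states == {"MASTER"}:
            # Neither router hears the other's advertisements (e.g. CARP blocked by the rule)
            problems.append(f"vhid {vhid}: split brain, both routers MASTER")
        elif "MASTER" not in states:
            problems.append(f"vhid {vhid}: no router is MASTER")
        if a[vhid][1] != b[vhid][1]:
            problems.append(f"vhid {vhid}: advbase differs between routers")
    return problems
```

Run `check_pair` against the real output of `ifconfig` from both routers; an empty list means every VHID has exactly one MASTER and one BACKUP with matching Base.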
other/networking/opnsense/high_availability.1624171377.txt.gz · Last modified: 2021/06/20 01:42 by rodolico