other:networking:opnsense:high_availability
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| other:networking:opnsense:high_availability [2021/06/20 01:42] – created rodolico | other:networking:opnsense:high_availability [2021/06/20 02:11] (current) – rodolico | ||
|---|---|---|---|
| Line 40: | Line 40: | ||
| - Save | - Save | ||
| - Repeat for all other interfaces (hint, you can clone an interface, then change the Interface, Address, VHID Group and Description). | - Repeat for all other interfaces (hint, you can clone an interface, then change the Interface, Address, VHID Group and Description). | ||
| + | - For each subnet which will be routing through the firewall, do the following. For example, if you have a subnet that only provides resources for other subnets, don't do this. But, for LAN, or anything else that will directly access the 'net. **You are setting outbound to use the CARP interface**: | ||
| + | - Firewall | NAT | outbound | ||
| + | - Change existing rules to use the CARP IP | ||
| + | - Create new rules for any other subnets (hint, clone the LAN, then make the changes needed) | ||
| + | |||
| + | ===== Additional ===== | ||
| + | |||
| + | - Change DHCP server to set the gateway to the Virtual IP | ||
| + | - Change DHCP server to set DNS to correct value (if not using defaults) | ||
| + | |||
| + | ===== Set up sync ===== | ||
| + | |||
| + | - On master router | ||
| + | - System | High Availability | Settings | ||
| + | - Synchronize States: check | ||
| + | - Synchronize Interface: The interface it will communicate on | ||
| + | - Synchronize Peer IP: the IP address of the backup router | ||
| + | - Synchronize Conifig to IP: The same IP (IP of the backup router) | ||
| + | - Remote System Username: A user on the backup router with full admin privileges | ||
| + | - Remote System Password: Password for that user | ||
| + | - Put a check mark in every system you want sync' | ||
| + | - Users and Groups | ||
| + | - Certificates | ||
| + | - Firewall Rules | ||
| + | - Firewall Schedules | ||
| + | - Firewall Categories | ||
| + | - Aliases | ||
| + | - NAT | ||
| + | - DHCPD (well, I want them sync' | ||
| + | - Virtual IP's (you MUST have this) | ||
| + | - Static Router | ||
| + | - OpenVPN, if you're going to use that | ||
| + | - Firewall Groups | ||
| + | - Unbound DNS (again, I want that) | ||
| + | - Click Save | ||
| + | - On backup Router | ||
| + | - System | High Availability | Settings | ||
| + | - Synchronize States: Check | ||
| + | - Interface: Select correct interface | ||
| + | - Synchronize Peer IP: IP of Master router | ||
| + | - Save (Do **not** put any additional information in) | ||
| + | - Reboot both firewalls if you want. Sometimes avoids problems | ||
| + | - On master router | ||
| + | - System | High Availability | Status | ||
| + | - Click the little round thing at the bottom, where it says all(*) | ||
| + | - Wait until it is done | ||
| + | - Log into backup router | ||
| + | - Look and ensure all services/ | ||
| + | |||
| + | ===== Other Information ===== | ||
| + | |||
| + | ==== Do maintenance ==== | ||
| + | One thing you can do with this setup is perform maintenance, | ||
| + | - Update backup router | ||
| + | - Open Primary Router | ||
| + | - Firewall | Virtual IPs | Status | ||
| + | - Click Enter Persistent CARP Maintenance Mode | ||
| + | - Your backup router is now master | ||
| + | - Test everything on the new update. If it all works, update the master router, then turn off the CARP Maintenance Mode | ||
| + | - **Note**: Persistent Mode survives a reboot. You must manually turn it off | ||
| + | |||
| + | ==== Testing ==== | ||
| ===== Links ===== | ===== Links ===== | ||
| * https:// | * https:// | ||
other/networking/opnsense/high_availability.1624171377.txt.gz · Last modified: 2021/06/20 01:42 by rodolico