other:networking:opnsense:high_availability
This page compares two revisions: 2021/06/20 01:42 (created by rodolico) and 2021/06/20 02:11 (current, by rodolico). The text below is the current revision from the point where the two differ.
  - Save
  - Repeat for all other interfaces (hint: you can clone an interface, then change only the Interface, Address, VHID Group and Description).
  - For each subnet whose traffic leaves through the firewall's WAN (LAN, or anything else that reaches the Internet directly), point outbound NAT at the CARP address. A subnet that only provides resources to other internal subnets and never goes out the WAN does not need this. **You are setting outbound NAT to translate to the WAN CARP VIP rather than the physical interface address; states synced to the backup reference the VIP, so translated connections survive a failover**:
    - Firewall | NAT | Outbound
    - Change the existing rules so the translation address is the WAN CARP IP
    - Create rules for any other subnets (hint: clone the LAN rule, then change what needs changing)

===== Additional =====

  - Change the DHCP server on each LAN-side interface so the gateway it hands out is the CARP Virtual IP, not the interface address of either firewall (otherwise clients keep a default route to whichever box is down)
  - Change the DHCP server's DNS setting to the Virtual IP as well (if you are not relying on the default, which hands out the interface's own address)

===== Set up sync =====

  - On the master router
    - System | High Availability | Settings
    - Synchronize States: check (this is pfsync; it copies the firewall's state table to the peer so open connections survive a failover)
    - Synchronize Interface: the interface the two firewalls talk over. Use a dedicated link (a direct cable or an isolated VLAN) that carries nothing else. pfsync is neither authenticated nor encrypted, and the config sync carries the admin credentials entered below, so this must never share a segment with user traffic. The firewall rules on that interface must allow pfsync (IP protocol 240) and HTTPS from the peer's address.
    - Synchronize Peer IP: the IP address of the backup router on the sync interface
    - Synchronize Config to IP: the same IP (the backup router's address on the sync interface)
    - Remote System Username: a user on the backup router with full admin privileges
    - Remote System Password: the password for that user (it is stored in the master's configuration, another reason to keep the sync link private)
    - Put a check mark next to every item you want synced:
      - Users and Groups
      - Certificates
      - Firewall Rules
      - Firewall Schedules
      - Firewall Categories
      - Aliases
      - NAT
      - DHCPD (well, I want them synced)
      - Virtual IPs (you MUST have this)
      - Static Routes
      - OpenVPN, if you're going to use that
      - Firewall Groups
      - Unbound DNS (again, I want that)
    - Click Save
  - On the backup router
    - System | High Availability | Settings
    - Synchronize States: check
    - Synchronize Interface: select the same sync interface
    - Synchronize Peer IP: the IP of the master router on the sync interface
    - Save. Do **not** fill in Synchronize Config to IP, the username or the password on the backup: config sync is one-way, master to backup, and setting it up on both sides would let the backup overwrite the master.
  - Reboot both firewalls if you want. Sometimes avoids problems
  - On the master router
    - System | High Availability | Status
    - Click the little round button at the bottom of the list, on the row marked all(*); it pushes the whole configuration to the backup
    - Wait until it is done
  - Log into the backup router
  - Look and ensure all services/

===== Other Information =====

==== Do maintenance ====
One thing you can do with this setup is perform maintenance,
  - Update the backup router
  - Open the primary router
  - Firewall | Virtual IPs | Status
  - Click Enter Persistent CARP Maintenance Mode
  - Your backup router is now master
  - Test everything on the new update. If it all works, update the master router, then click Leave Persistent CARP Maintenance Mode
  - **Note**: Persistent Mode survives a reboot. You must manually turn it off
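
The "look and ensure" step at the end of the sync setup and the switch into maintenance mode above both come down to one question: is every CARP VHID on this box in the role you expect? The script below is an added example, not from this page or from OPNsense. It parses FreeBSD ''ifconfig'' output (the embedded sample is constructed; interface names and addresses are assumptions) and fails if any VHID is in the wrong role. Run it with MASTER on the primary and BACKUP on the backup after the sync, and with BACKUP on the primary after entering persistent maintenance mode, since maintenance mode demotes the primary's VHIDs. A mix of MASTER and BACKUP on a single box means CARP advertisements are not crossing between the firewalls on the odd interface, and both boxes will answer for that VIP.

```shell
#!/bin/sh
# Added example (not from the original page): summarise and check CARP
# state from FreeBSD/OPNsense `ifconfig` output.
#
# On a real firewall run:
#   carp_check MASTER "$(ifconfig)"   on the master
#   carp_check BACKUP "$(ifconfig)"   on the backup, or on the master
#                                      while it is in persistent maintenance mode
#
# SAMPLE_IFCONFIG is constructed, not captured from a real box; the
# interface names and addresses are assumptions.
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.12 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
        carp: BACKUP vhid 2 advbase 1 advskew 100
vtnet2: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.99.99.1 netmask 0xfffffffc broadcast 10.99.99.3'

# carp_summary TEXT: print one line per VHID as "iface vhid state advskew".
# Interface headers start in column 0 ("vtnet0: flags=..."); the carp line
# is indented ("carp: MASTER vhid 1 advbase 1 advskew 0").
carp_summary() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9_.]+:/ { iface = $1; sub(":$", "", iface) }
        /^[ \t]+carp:/     { print iface, $4, $2, $8 }
    '
}

# carp_check ROLE TEXT: return 0 when every VHID is in ROLE (MASTER or
# BACKUP); otherwise list the offenders and return 1.
carp_check() {
    want=$1
    bad=$(carp_summary "$2" | awk -v want="$want" '$3 != want')
    if [ -n "$bad" ]; then
        printf 'VHIDs not in state %s (iface vhid state advskew):\n%s\n' "$want" "$bad"
        return 1
    fi
    return 0
}

# Demo on the constructed sample: the box is MASTER on vhid 1 but BACKUP on
# vhid 2, so it passes neither check. vtnet2 (the sync link) has no VHID and
# is correctly ignored.
carp_summary "$SAMPLE_IFCONFIG"
carp_check MASTER "$SAMPLE_IFCONFIG" || echo "split CARP state detected"
```

The advskew column is the tie-breaker CARP uses when both boxes advertise the same VHID: the lower value wins, so the master's VIPs should show a smaller skew than the backup's for every VHID. If a VHID shows the same skew on both firewalls, the "Advertising Frequency" skew on that Virtual IP was not set differently on the two boxes.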
+ | |||
+ | ==== Testing ==== | ||
===== Links =====
  * https://
other/networking/opnsense/high_availability.1624171377.txt.gz · Last modified: 2021/06/20 01:42 by rodolico