Differences

This shows you the differences between two versions of the page.

--- other:networking:opnsense:high_availability [2021/06/20 01:42] – created rodolico
+++ other:networking:opnsense:high_availability [2021/06/20 02:11] (current) – rodolico
@@ Line 40: / Line 40: @@
       - Save
       - Repeat for all other interfaces (hint, you can clone an interface, then change the Interface, Address, VHID Group and Description).
+    - For each subnet which will be routing through the firewall, do the following. For example, if you have a subnet that only provides resources for other subnets, don't do this. But, for LAN, or anything else that will directly access the 'net. **You are setting outbound to use the CARP interface**:
+      - Firewall | NAT | outbound
+      - Change existing rules to use the CARP IP
+      - Create new rules for any other subnets (hint, clone the LAN, then make the changes needed)
+===== Additional =====
+  - Change DHCP server to set the gateway to the Virtual IP
+  - Change DHCP server to set DNS to correct value (if not using defaults)
+===== Set up sync =====
+  - On master router
+    - System | High Availability | Settings
+      - Synchronize States: check
+      - Synchronize Interface: The interface it will communicate on
+      - Synchronize Peer IP: the IP address of the backup router
+      - Synchronize Conifig to IP: The same IP (IP of the backup router)
+      - Remote System Username: A user on the backup router with full admin privileges
+      - Remote System Password: Password for that user
+      - Put a check mark in every system you want sync'd. At the very least, you need
+        - Users and Groups
+        - Certificates
+        - Firewall Rules
+        - Firewall Schedules
+        - Firewall Categories
+        - Aliases
+        - NAT
+        - DHCPD (well, I want them sync'd)
+        - Virtual IP's (you MUST have this)
+        - Static Router
+        - OpenVPN, if you're going to use that
+        - Firewall Groups
+        - Unbound DNS (again, I want that)
+      - Click Save
+    - On backup Router
+      - System | High Availability | Settings
+        - Synchronize States: Check
+        - Interface: Select correct interface
+        - Synchronize Peer IP: IP of Master router
+        - Save (Do **not** put any additional information in)
+    - Reboot both firewalls if you want. Sometimes avoids problems
+    - On master router
+      - System | High Availability | Status
+      - Click the little round thing at the bottom, where it says all(*)
+      - Wait until it is done
+    - Log into backup router
+      - Look and ensure all services/rules/whatever have changed
+===== Other Information =====
+==== Do maintenance ====
+One thing you can do with this setup is perform maintenance, with a fallback if something goes bump.
+  - Update backup router
+  - Open Primary Router
+    - Firewall | Virtual IPs | Status
+      - Click Enter Persistent CARP Maintenance Mode
+      - Your backup router is now master
+  - Test everything on the new update. If it all works, update the master router, then turn off the CARP Maintenance Mode
+  - **Note**: Persistent Mode survives a reboot. You must manually turn it off
+==== Testing ====
 ===== Links =====
   * https://docs.opnsense.org/manual/how-tos/carp.html