Don't Use A Firewall, Use 2! OpnSense High Availability Guide

  • Published 5 Jul 2024
  • Part 3 of the OpnSense series covers high availability. In this video I discuss the benefits of HA in your homelab, and show how to configure it including possible network topologies.
    OpnSense HA Guide:
    docs.opnsense.org/manual/haca...
    Recommended Hardware: github.com/JamesTurland/JimsG...
    Discord: / discord
    Twitter: / jimsgarage_
    Reddit: / jims-garage
    GitHub: github.com/JamesTurland/JimsG...
    00:00 - Introduction to High Availability
    03:11 - Network Setup
    07:30 - Proxmox Overview
    08:43 - Switch Overview
    10:43 - OpnSense Configuration
    24:05 - Testing
    27:20 - Outro
  • Science & Technology

Comments • 66

  • @markandrow4010 · 6 months ago · +4

    Thanks again, it was great especially that you used the diagram to simplify the roadmap.

  • @SurfSailKayak · 6 months ago · +4

    Really cool Jim, every single one of your videos is relevant to different things I'm implementing in my homelab. Keep it coming! I've had a lot of issues getting things to work reliably, but that's thanks to overcomplicating everything :) Nice to have clear guidance on exactly how to get things working. I find you explain all the caveats well and any question I have usually gets answered during the video.

    • @Jims-Garage · 6 months ago

      That's great. I appreciate the feedback. Nice work!

  • @chrisumali9841 · 6 months ago · +1

    Thanks for the demo and info, have a great day

  • @jimanders6619 · 6 months ago · +1

    Loving all of these videos as I'm working to rebuild my homelab. Would love to see a deeper dive on how you have your Ubiquiti kit setup. Keep up the great videos!

  • @TheDervMan · 5 months ago · +2

    Only recently discovered your channel. Thanks for all the great content 👍

    • @Jims-Garage · 5 months ago · +1

      You're welcome, appreciate the feedback

    • @TheDervMan · 5 months ago · +1

      @@Jims-Garage It's interesting that my day job is Network Engineering so I'm super familiar with (Fortigate) HA setup and operation. Yet wanting to set it up for my home lab is very different! As the saying goes "If someone can't explain it simply, then they don't understand it" (I always have this in my head when explaining things to people) and you 100% have nailed that 😎

    • @Jims-Garage · 5 months ago

      @@TheDervMan thanks 👍

  • @raviv7484 · 2 months ago · +2

    OMG.. this video is gold!

  • @Sc0l4p4st4 · 2 months ago · +1

    Really great video @Jims-Garage, really appreciate the help you give us with these tutorials. I'm trying to figure out how to set up HA but with 2 ISPs and 2 OpnSense firewalls; honestly the diagrams found on the internet seem far too complicated. I found in an office a master OpnSense and a backup working with 2 ISPs, but the configuration only had a single switch. Do you have a simpler way to make HA with 2 ISPs? Thank you in advance for your time!

    • @Jims-Garage · 2 months ago

      Should be quite simple. Essentially, copy my video but replicate switch vLAN part. You'll need to do that twice with separate vLANs, and then add 2 wan NICs to each firewall.

  • @woreibi · 6 months ago · +2

    Great work again Jim. When you check boxes to sync from master to slave firewall, and not the other way around, that will help in the initial config sync, but if a failover happens and you make changes to the config on the 2nd firewall ("slave") and the 1st firewall comes up, would that config copy over?
    Appreciate you taking the time to do this video on opnsense.

    • @Jims-Garage · 6 months ago

      No, it doesn't work that way (you can check the link to the docs). There needs to be a master. This at least gives you the opportunity to get the master back up and running as your network is still available.

  • @SataPataKiouta · 5 months ago

    Will everything you did here work if I opt for your first diagram? The one where I use double switch (one for splitting my wan coming from my modem to both proxmox nodes and one for my LAN)? The reality of it is that I don't wanna use my ISP box as router, I want to keep it only as modem in bridge mode, and I wanna use Proxmox as my sole routing solution.
    Also on a side note I never would've expected that Opnsense supports HA inside of it. When I was thinking to do HA for Opnsense in Proxmox I thought it more along the lines of Proxmox spawning my Opnsense VM in the next available Node if the current Node were to shut down. Did I have the complete wrong idea about it?

  • @stubush143 · 6 months ago · +2

    Hi Jim - I'd love an explanation on why you decided to switch from Sophos to OPNSense and how you chose OPNSense vs PFSense. Thanks!

    • @Jims-Garage · 6 months ago · +1

      Thanks, probably the quickest answer is that I'm not changing from Sophos XG, I'm keeping it. Nothing wrong with OpnSense, I think it's great, just isn't giving me anything I don't already have (plus I find OpnSense a little trickier to use).

    • @AdrianuX1985 · 6 months ago

      Users are abandoning pfSense (and switching to OPNsense) because Netgate disregards the community.

    • @stubush143 · 6 months ago · +1

      @@Jims-Garage I see, so this is just a series on how to use OpnSense for those that use it, but you are not implementing it yourself.

    • @Jims-Garage · 6 months ago · +4

      @@stubush143 correct. A lot of my subscribers use it (70%) and it was a common request. I went into it with a trial in mind, after using it for a couple of weeks I was impressed, but ultimately prefer Sophos. Some only want opensource so Sophos isn't an option.

  • @fahadusman3538 · 5 months ago · +1

    Hi, I am thinking of setting it up the same way. The only thing you didn't show was how to create the sync interface in Proxmox. Did you just create an empty Linux bridge and pass it on to the OpnSense VM on both nodes? Thanks for an amazing video as always.

    • @Jims-Garage · 5 months ago · +1

      Thanks for the feedback. This is part 3, I created the 3 NICs in part 1, please refer to that and then reach out if you have further questions.

  • @Julian-lv6ph · 1 month ago · +1

    The prophecy is true, Jim told me I should be up and running by the end of the video, the video is 28 minutes long yet I am 3 hours into it. Life is a simulation.....

  • @alvintjw · 4 months ago · +1

    I do believe you need to permit all traffic between the pfsync interfaces. I only allowed CARP and ICMP at first, only noticing that the master was communicating to HTTPS port on the slave when viewing the logs.
    Edit: at least permit port 443 I mean

  • @Sejl · 1 month ago · +1

    I have accidentally set the virtual IP the same as the WAN IP, and locked myself out of everything 😂 Now I have to wait for my vacation to be over, to fix it _from inside the house_

    • @Jims-Garage · 1 month ago · +1

      I feel your pain, I've been there 😭

  • @jordanhomestead5939 · 6 months ago · +1

    Very helpful video. Question: What do you suggest for users who do not have an ISP router? I have fiber to my house that goes to an ONT. The ONT provides ethernet that is plugged directly into my OpnSense router on my WAN port. They did provide an Eero but it is limited to 1G and my service is 2G.

    • @Jims-Garage · 6 months ago · +1

      I'd recommend a firewall that doesn't require CARP. I use Sophos XG partly for this reason. I can use my single IP and split it across both.

    • @jellevanburen9427 · 5 months ago · +1

      What would you suggest when - in my case - the fiber can be plugged directly (via SFP or media-converted UTP) into an (aggregation) switch or into the Proxmox server? The internet is on its own VLAN from the ISP. So my thought is to buy a UniFi aggregation switch, put the fiber from the ISP in port 1, make ports 2 & 3 WAN and 4/5 LAN and 6 to the network switch (all SFP+). But now I am struggling to translate this to your concept.

    • @Jims-Garage · 5 months ago

      @@jellevanburen9427 That sounds similar to what I'm doing. I guess you'd plug into switch, make a vlan group that matches the vlan id of the ISP, and then plug both respective WANs of your firewall into the switch on the same vlan

  • @crc-error-7968 · 6 months ago · +1

    Very easy to understand even for people like me who want to learn and don't speak very good English.
    Thanks!
    Back on topic, is there a way to avoid the double NAT (bad for online gaming) without having to pay for a second line?
    My modem/router has a 4-port switch, it's set as a bridge and it uses PPPoE to connect (from OpnSense). Do you know if it is possible to turn on the PPPoE connection on the backup when the master is down?
    Ciao Roberto

    • @Jims-Garage · 6 months ago · +2

      No, it cannot be done with OpnSense due to how CARP works. Sophos XG will do HA with a single IP and no double NAT. I have guides on that as well.

    • @crc-error-7968 · 6 months ago · +1

      @@Jims-Garage thank you! I will give it a look!

    • @Jims-Garage · 6 months ago · +1

      @@crc-error-7968 it's what I'm using if that gives you any further comfort.

  • @FranckEhret · 4 months ago · +1

    Hi 🙂
    Just found this video and it is everything that I need in a house where your family needs CONSTANT Internet connectivity... 😀
    I was just wondering how you would proceed with an existing OPNsense firewall setup with VPN, a lot of rules and interfaces?
    I think the ground principle is to migrate the current interface IPs to be transformed into VIPs, but some questions about it:
    - Would you prepare a pair of firewall instances (VMs staged with edited config files and new interface IPs) in parallel with some temporary VIP and then shut down the single FW and switch all VIPs?
    - Can we keep/modify existing VPN tunnels to keep everything running (I have an IPsec tunnel and an OpenVPN system)? If yes, how?
    But your video could not come at any better time, thanks a lot!

    • @Jims-Garage · 4 months ago

      I believe the recommended approach is to start with 2 blank (new firewalls) and create the HA. Then configure the primary from scratch. In your case you will likely keep the current, and copy the rules over to the new HA pair.

    • @FranckEhret · 1 month ago

      @@Jims-Garage Hi again, I'm in the starting blocks with 2 Minisforum boxes for my HA setup. I'll go with the recommended approach: start blank and import the things I need.
      After looking at video again, I'm wondering why you are not configuring the HA earlier, wouldn't it spare a few configuration steps (like the firewall rules & CARP VIPs) as master would push them to the slave?
      I might test if you don't know 😉

  • @lapoubelle77 · 5 months ago · +2

    Hi Jim,
    I've been following your channel for months. Thanks for the great content.
    I'm currently setting up my OpnSense HA following your tutorial.
    I noticed a little discrepancy at minute 22:00 when you are comparing the Outbound NAT rules between the 2 OpnSense instances. Looks like the second rule on the WAN interface is showing LAN net when the other instance is showing LAN address on the same rule. Which is the correct setup?

    • @Jims-Garage · 5 months ago · +1

      Thanks, and well spotted. It should be net. Both should work though.

    • @SharkBait_ZA · 29 days ago

      @@Jims-Garage Hi. Just sharing my findings. LAN Address does not work, but LAN net does. I am fortunate enough to have public IPs and if I use LAN Address, it doesn't use the VIP WAN IP, but rather the IP of the WAN Interface and my failover didn't work. I had to set both to LAN net and now it is working as expected. Thank you for the video.

  • @alexpio · 6 months ago · +2

    Could you do a video on how to do this with one IP without the ISP router in front?

  • @Sejl · 1 month ago · +1

    Hi Jim! After syncing master and backup firewall, is there going to be the same configuration on the backup automagically, or do I have to manually configure interfaces, DHCP leases etc.?

    • @Jims-Garage · 1 month ago · +1

      The configurations should sync after HA.

    • @Sejl · 1 month ago

      @@Jims-Garage Thank you. I will have to find out why they are not syncing 😔 Although everything else seems fine. It shows checkboxes after I click on "restart all services" on master fw.

    • @Sejl · 1 month ago

      And now I found out in the OpnSense documentation that a combination of a physical machine and a virtual machine will not work because of the different interface names 😔😔😔
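
A pre-flight check for the pitfalls raised across this thread (the pfsync rule set from @alvintjw, the VIP lock-out from @Sejl, the "LAN net" versus "LAN address" outbound NAT finding from @lapoubelle77 and @SharkBait_ZA, and the physical/VM interface-name mismatch above), written as an added example that is not from the video, its author or the OpnSense project. It assumes the sync interface is opt1 and that the sample XML's element names mirror the layout of config.xml; the sample itself is constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample: element layout follows the shape of OpnSense's config.xml
# (an assumption), cut down to the fields the checks need; it deliberately
# contains every pitfall raised in the comments above.
MASTER_XML = """<opnsense>
 <interfaces>
  <wan><if>vtnet0</if><ipaddr>192.168.1.2</ipaddr></wan>
  <lan><if>vtnet1</if><ipaddr>10.0.0.2</ipaddr></lan>
  <opt1><if>vtnet2</if><ipaddr>172.16.0.1</ipaddr></opt1>
 </interfaces>
 <virtualip>
  <vip><interface>wan</interface><mode>carp</mode><subnet>192.168.1.2</subnet><vhid>1</vhid></vip>
  <vip><interface>lan</interface><mode>carp</mode><subnet>10.0.0.1</subnet><vhid>2</vhid></vip>
 </virtualip>
 <filter><rule><interface>opt1</interface><protocol>carp</protocol></rule></filter>
 <nat><outbound><rule><interface>wan</interface><source>LAN address</source></rule></outbound></nat>
</opnsense>"""
BACKUP_XML = MASTER_XML.replace("vtnet", "igc")  # backup on bare metal: other NIC driver names

SYNC_IF = "opt1"  # dedicated pfsync link (assumption: opt1 on both nodes)
# The sync interface must pass CARP, pfsync and tcp/443 (the master pushes config over HTTPS).
REQUIRED_ON_SYNC = {("carp", None), ("pfsync", None), ("tcp", "443")}

def check_ha_pair(master_xml, backup_xml, sync_if=SYNC_IF):
    """Return a list of findings; an empty list means the pair passed every check."""
    m, b = ET.fromstring(master_xml), ET.fromstring(backup_xml)
    findings = []
    # 1. A CARP VIP equal to a real interface address leaves the node unreachable (lock-out).
    real_ips = {i.findtext("ipaddr") for i in m.find("interfaces")}
    for vip in m.iterfind("virtualip/vip[mode='carp']"):
        if vip.findtext("subnet") in real_ips:
            findings.append(f"VIP {vip.findtext('subnet')} on {vip.findtext('interface')} duplicates a real interface address")
    # 2. CARP alone on the sync interface is not enough; a rule with no protocol passes everything.
    allowed = {((r.findtext("protocol") or "any"), r.findtext("destination/port"))
               for r in m.iterfind(f"filter/rule[interface='{sync_if}']")}
    if ("any", None) not in allowed:
        for proto, port in sorted(REQUIRED_ON_SYNC - allowed, key=str):
            findings.append(f"sync interface {sync_if} does not pass {proto}" + (f"/{port}" if port else ""))
    # 3. 'LAN address' matches only the firewall's own LAN IP, so client traffic is not
    #    translated to the WAN VIP and dies on failover; the source should be 'LAN net'.
    for r in m.iterfind("nat/outbound/rule"):
        if r.findtext("source", "").endswith(" address"):
            findings.append(f"outbound NAT on {r.findtext('interface')} uses '{r.findtext('source')}' instead of a net")
    # 4. Config sync maps interfaces by name, so a physical/VM mix with different NIC names breaks it.
    m_ifs = {i.tag: i.findtext("if") for i in m.find("interfaces")}
    b_ifs = {i.tag: i.findtext("if") for i in b.find("interfaces")}
    for name, drv in m_ifs.items():
        if drv != b_ifs.get(name):
            findings.append(f"interface {name}: master uses {drv}, backup uses {b_ifs.get(name)}")
    return findings
```

Run `check_ha_pair(MASTER_XML, BACKUP_XML)` to see all seven findings the sample was built to trigger; against a real pair, export both config.xml files and pass their text in.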

  • @sebasdt2103 · 6 months ago · +1

    Just about 7 minutes in, man, I'm loving it! One thought is most ISP routers don't allow having multiple IPs for the same firewall rule/port. How could this be tackled?

    • @Jims-Garage · 6 months ago

      Not sure what you mean. If you attach the WAN port of OpnSense(s) to the LAN port of the ISP router it'll pick up different DHCP LAN addresses.

    • @Jims-Garage · 6 months ago

      @@sebasdt2103 Yes, you're right. That is a problem with respect to availability. Best bet is to use the master IMO.

    • @sebasdt2103 · 6 months ago

      @@Jims-Garage I get that. We are talking about the WAN side of OpnSense and the LAN side of my ISP router.
      Most ISP routers are not able to switch between OpnSense WAN IPs in a port forward rule to expose services/sites.
      That still has to be done manually for me.
      For keeping the internet connection it's not a real worry.
      Hope that made it a bit clearer.
      (reposting as I accidentally deleted my comment)

    • @SurfSailKayak · 6 months ago

      @@sebasdt2103 That's a good point. If you're double NAT and you have open ports, any port forwards will be set up to only one of the LAN IPs. I usually turn UPnP off, but I wonder if it could be used to manage the open ports between OpnSense and your ISP router. Wouldn't be much of a risk since the traffic all hits OpnSense anyway.

    • @sebasdt2103 · 6 months ago

      @@SurfSailKayak Maybe somehow create a VIP on the WAN side... Not sure how that would work.
      I usually use Keepalived to put both of my Pi-holes behind a VIP. Maybe we can do something like this with OpnSense on the WAN side? But it's still an interesting point.

  • @moraeyuwoo · 19 days ago · +1

    I thought high availability in the context of a firewall meant 2 ISPs, no?

    • @Jims-Garage · 16 days ago

      Full HA does, and in enterprise you'd have 2 wan. I simply want 2 firewalls to enable me to reboot certain nodes.

  • @Glatze603 · 6 months ago · +1

    Hi Jim, can you confirm that YouTube has deleted some comments on this video?!?

    • @Jims-Garage · 6 months ago

      It was "held for review", I've approved it.

    • @Glatze603 · 6 months ago · +1

      @@Jims-Garage There were other comments...

    • @Jims-Garage · 6 months ago

      @@Glatze603 I've approved a long one that you wrote (which was very helpful). Not sure why it isn't showing.