Configurate HA opnsense cluster

Page content

In this post I will configure 2 opnsense server to a HA cluster.

The Architecture

 ------ WAN ------
 |               |
PF1 -- sync -- PF2
 |               |
 ----- LAN -------  

WAN: (Bridgelt)


Firewall rules For sync

On both firewalls add two rules to allow traffic on the SYNC interface: go to Firewall > Rules > Sync and click Add.

Rule 1: Example image

Rule 2: Example image

Rule 3: Example image

Synchronization Settings

Go to System > High Availalility > Settings. Configure the sections like on the pictures.

Master: Example image

Slave: Example image

Test the synchronisation. Go to System > User management and createa new user on the master node. Then check on the slave node.

If it doesn’t work, check:

  • Are the firewall web interfaces running on the same protocols and ports?
  • Is the admin password set correctly? (User Manager > Users > admin.)
  • Are the firewall rules to allow synch set to use the correct interface (SYNC)?
  • If you’re using VMs, are the firewalls on the same internal network?

create virtual IPs

On the master node go to Firewall > Virtual IPs > Settings and click Add. Create a new VIP adres for LAN and WAN interfaces.

WAN VIP on master: Example image

LAN VIP on master: Example image

Change outbound NAT

Change the configuration of the outbound NAT to use the shared public IP (the WAN VIP) Go to Firewall > NAT > Outbound and set the mode to Hybrid Outbound NAT rule generation. Create a new Outbound rule like this: Example image

The translatino / target must be the WANIP IP. It should end up looking like this:

Example image

If you’ll be using your opnsense firewall as a DNS resolver you must change the settings of the DNS service (Services > DNS Resolver > General Settings) to lissen on the LAN VIP address. Then chnage the address of the DNS server in the DHCP configuration to us the LAN VIP adress.