Configure an HA opnsense cluster


In this post I will configure two opnsense servers as an HA cluster.

The Architecture

 ------ WAN ------
 |               |
PF1 -- sync -- PF2
 |               |
 ----- LAN -------  

WAN: 192.168.0.0/24 (bridged)
LAN: 192.168.20.0/24
SYNC: 192.168.30.0/24

opn01:
WAN: 192.168.0.28
LAN: 192.168.20.28
SYNC: 192.168.30.28

opn02:
WAN: 192.168.0.29
LAN: 192.168.20.29
SYNC: 192.168.30.29

Firewall rules for sync

On both firewalls add two rules to allow traffic on the SYNC interface:
go to Firewall > Rules > Sync and click Add.

Rule 1: [screenshot]

Rule 2: [screenshot]

Rule 3: [screenshot]

Synchronization Settings

Go to System > High Availability > Settings. Configure the sections as shown in the screenshots.

Master: [screenshot]

Slave: [screenshot]

Test the synchronisation: go to System > User management and create a new user on the master node,
then check that it appears on the slave node.

If it doesn’t work, check:

  • Are the firewall web interfaces running on the same protocols and ports?
  • Is the admin password set correctly? (User Manager > Users > admin.)
  • Are the firewall rules that allow sync set to use the correct interface (SYNC)?
  • If you’re using VMs, are the firewalls on the same internal network?

Create virtual IPs

On the master node go to Firewall > Virtual IPs > Settings and click Add. Create a new VIP address for the LAN and WAN interfaces.

WAN VIP on master: [screenshot]

LAN VIP on master: [screenshot]
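Once both nodes carry the VIPs, the thing worth checking is that each VIP has exactly one owner at a time: two MASTERs on the same vhid (typically because the SYNC link or the sync rules are broken) means both firewalls answer for the shared address. The script below is an added example, not part of the original post; it takes the post's IP plan, checks that both nodes sit in each VIP's subnet, and parses constructed `ifconfig` snippets in the FreeBSD/OPNsense CARP format to flag split brain or a missing peer. The VIP addresses (.1) and vhid numbers are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# IP plan from the post; the VIP addresses (.1) and the vhids are assumptions.
NODES = {
    "opn01": {"WAN": "192.168.0.28/24", "LAN": "192.168.20.28/24", "SYNC": "192.168.30.28/24"},
    "opn02": {"WAN": "192.168.0.29/24", "LAN": "192.168.20.29/24", "SYNC": "192.168.30.29/24"},
}
VIPS = {"WAN": "192.168.0.1/24", "LAN": "192.168.20.1/24"}

# CARP status line as printed by FreeBSD/OPNsense `ifconfig`.
CARP_RE = re.compile(r"carp: (?P<state>MASTER|BACKUP|INIT) vhid (?P<vhid>\d+)")

# Constructed sample output from both nodes (healthy state: opn01 holds both VIPs).
SAMPLE_IFCONFIG = {
    "opn01": "\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1\n"
             "\tcarp: MASTER vhid 1 advbase 1 advskew 0\n"
             "\tcarp: MASTER vhid 2 advbase 1 advskew 0\n",
    "opn02": "\tcarp: BACKUP vhid 1 advbase 1 advskew 100\n"
             "\tcarp: BACKUP vhid 2 advbase 1 advskew 100\n",
}

def subnet_mismatches(nodes, vips):
    """A VIP can only fail over if both nodes sit in its subnet; list violations."""
    bad = []
    for iface, vip in vips.items():
        net = ipaddress.ip_interface(vip).network
        for name, addrs in nodes.items():
            if ipaddress.ip_interface(addrs[iface]).network != net:
                bad.append((name, iface))
    return bad

def carp_states(ifconfig_text):
    """Map vhid -> CARP state parsed from one node's ifconfig output."""
    return {int(m["vhid"]): m["state"] for m in CARP_RE.finditer(ifconfig_text)}

def failover_problems(per_node):
    """Per vhid expect one MASTER and every node reporting; return (vhid, states) anomalies."""
    by_vhid = defaultdict(dict)
    for node, text in per_node.items():
        for vhid, state in carp_states(text).items():
            by_vhid[vhid][node] = state
    problems = []
    for vhid, states in sorted(by_vhid.items()):
        masters = [n for n, s in states.items() if s == "MASTER"]
        if len(masters) != 1 or len(states) != len(per_node):
            problems.append((vhid, dict(states)))
    return problems
```

On a real pair, feed `failover_problems` the output of `ifconfig` from each node; an empty list means every VIP has exactly one MASTER.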

Change outbound NAT

Change the configuration of the outbound NAT to use the shared public IP (the WAN VIP).
Go to Firewall > NAT > Outbound and set the mode to Hybrid Outbound NAT rule generation.

Create a new outbound rule like this:
[screenshot]

The translation / target must be the WAN VIP address.
It should end up looking like this:

[screenshot]

If you’ll be using your opnsense firewall as a DNS resolver, you must change the settings of the DNS service (Services > DNS Resolver > General Settings) to listen on the LAN VIP address. Then change the address of the DNS server in the DHCP configuration to use the LAN VIP address.
