Ensure Network Continuity: OPNsense High Availability Guide

Captions
Firewalls like OPNsense are essential for IT security, but sometimes they can be too secure. For instance, if your firewall crashes then yes, you have a very secure network, but now nobody can access anything. In which case you'll want to have a redundant firewall to protect against outages and help with maintenance. But how do you set up redundancy for OPNsense? Well, if that's something you're interested in finding out, then stick around and watch this video, as that's all I'll be going over.

Now, as this video is specifically about setting up redundancy, I'm going to assume you already have OPNsense installed on two devices, or you at least know how to install OPNsense. If not, then I do have another video which shows you how to install OPNsense on a virtual machine, for instance. In addition, I don't advise watching this video for the first time and making changes as we go along. Changing a firewall can result in unexpected problems just because the MAC address has changed, for instance, and some devices may not play well with this new setup, and the last thing you need is to be stuck trying to fix problems. So to be prepared, I'd suggest you watch the video first to at least get an understanding of what's involved, then test this in a lab before arranging something like this in a live environment.

Now, in a very basic network where you've got one single firewall, this is typically what it's going to look like. In other words, we've got two networks either side of a firewall, and the default gateway for the network is assigned to the actual interface of the firewall, so in this case it's .254. Now when it comes to redundancy, at least in terms of OPNsense, we're going to have two firewalls: one's going to be the primary, one's going to be the backup, but each has its own unique IP address. So for the primary firewall it's .253 and for the backup it's .252. There is still a default gateway of .254, which is the same as what we'd be using with just a single firewall, except this is a virtual IP address, so it doesn't actually belong to either firewall as such; it'll float between the two firewalls depending on which one's active. So what you'll have at any given time is one firewall is active, the other one is just sitting there in standby, or passive. So let's say the primary firewall is the active firewall. Then when the LAN PC over here sends traffic to .254, it's the primary firewall that will pick that traffic up, and then if it's allowed through it'll forward it over to the wide area network over here that we've got. Likewise, when the WAN PC sends its response back to .254, it'll get picked up by the primary and then forwarded back over to the LAN network. Now if this firewall were to go down, become inoperable for some reason, then what happens is the backup firewall detects that and it takes responsibility for that .254 default gateway. So it's basically just transitioning over to this firewall. That's the benefit: that IP address can literally just move backwards and forwards between the two firewalls, and that's what gives us the actual redundancy. So you've got to bear in mind that each firewall needs its own unique IP address assigned to an interface; both of the firewalls need a network interface in each of these networks. They have to be identical in that respect; the only difference is going to be the IP address assigned to them.

Now one other thing I'll point out is that although it's not mandatory, essential should we say, it is recommended to have a dedicated link between the two firewalls. The reason being is that the primary firewall here has to keep the backup firewall up to date. So normally what will be happening is traffic will be passing through the firewall and it'll be keeping a state table up to date; it has to keep the backup firewall up to date with that information. Likewise, when there are any configuration changes made on the primary firewall, and they should only get made on that primary firewall, they'll get synchronized over to the backup firewall. So it isn't mandatory, but it is strongly recommended that you have that dedicated link to carry that traffic so that there's no interruption. It also makes it secure, especially when you're exchanging configuration information between the firewalls, and state information as well. So that's the way this actually works: there are two firewalls, they're using a virtual IP address between them, and it's only the active firewall that actually handles that default gateway. So one firewall acts as the active firewall, the other one sits in a standby state waiting to take over.

Now configuring redundancy for OPNsense is going to be the same no matter what. The only thing is the actual strategy that you use to transition from a single firewall here to having a redundant pair of firewalls, because it depends on the situation. But in this video what we're going to do is to actually repurpose the original firewall, the assumption being that yes, we can get an additional firewall to give us the redundancy, but we can't get a second firewall to make life easy; we've got to use the difficult path of rebuilding the original. So what we're going to be doing in this video is to take a backup of the original firewall, and then what we're going to do is to restore that onto the new firewall, and that'll become the primary firewall once we've got that configured to do all of our redundancy. The benefit of that is that, well, we can make changes to this firewall without any interruption to the existing network, because we'll do this offline, and then when we're ready we'll just swap the firewalls over. So then what we'll be left with is a new primary firewall which has got the same rules and it'll answer to the same original default gateway, so it should go a lot smoother than maybe reconfiguring the original, for instance, to support redundancy on the fly. And the benefit is that if anything actually goes wrong when we introduce this new firewall
we can revert back to the original firewall. And then once we've done our testing and we're confident enough that the actual firewall is working as expected, what we can do is then go back to the original firewall and we'll rebuild that one as the backup firewall, and then once that's back on the network we'll have these two running as a pair of redundant firewalls. So the strategy in that case, I'd say, is less intrusive; we've got much smaller downtime, but it still allows us to transition from that single firewall to a redundant pair.

Now I've logged into a computer which is on the LAN side of the network, and that's allowed me to connect into the existing firewall, which is 10.1.2.254 on this LAN side. I've also installed OPNsense onto another firewall. I've got as far as installing the operating system, going through the setup wizard, and that's completed the setup process, but that's all I've done. Now the IP address that I've assigned to it doesn't really matter too much, as long as it's unique on the network and doesn't cause any conflicts, and I say that because what we're going to do is take a backup of the existing firewall and then restore it on the new firewall, in which case the IP address here is going to change anyway, so it doesn't really matter. But before we actually take a backup, what we need to do is check that the version of the firmware is the same. So on the new firewall it's 24.1 and on the existing one 24.1. I strongly suggest you do make sure that they're running the same version, because if you take a copy of the backup on the existing firewall and restore it onto your new firewall but the software versions are different, you could run into a situation where you've got bugs, compatibility problems and so on that mean basically the new firewall doesn't work as expected. So do check the software versions first.

And then what we're going to do is take a copy of this firewall's configuration. So we'll go to System, go to Configuration, and then Backups. Then we've got this download section to download a copy of the configuration. In a production environment it would make sense to select the option to encrypt the configuration file, put in your password and confirm that, but this is just a lab firewall; it only exists for the purpose of the video anyway, so it's not that important for me. In which case the next thing you do is click on Download configuration, and then you'll either get prompted and asked where you want to store this, or as in here it automatically gets downloaded to the Downloads folder. So one final thing I'll point out is that all I've got here is a basic firewall. If you've got any packages installed you'll need to back those up. Now there are just too many of them for me to cover, and how you actually back those up really depends: some will have their own backup option, for some you'll have to take a screenshot of the configuration, and if you've got any packages you'll then have to install them on the new firewall and then either restore their configs or manually put in those settings. But in the case of this video I'm keeping things as simple as possible, so we're just doing a complete backup of the firewall itself here.

Now before we go any further, it's best to isolate this new firewall, because we'll be restoring a configuration onto that firewall and it'll end up with the same IP addressing as the existing firewall, and if they're in the same network it'll cause a conflict and you'll end up with outages. So how you actually isolate the firewall depends on the situation. In a physical environment we're talking about cable changes, maybe plugging it into a completely separate network switch, for example, and you could do something similar on hypervisors; for instance you can add a new virtual bridge, a new virtual switch. The problem is making changes to the hypervisor is a bit more impacting than what we're going to do next, which is to just simply change the VLAN tags on the virtual machines. All we're actually affecting then is the virtual machines and nothing else, so there's less chance of something going wrong. So I'm using Proxmox VE here, and to update this new firewall I'm just selecting that firewall, going to Hardware, and then I'm just going to select the interfaces and click Edit. Now I'm not using anything at all in the 2000 range, and there is quite a range for VLANs, but since 2000 is not used I'm going to change the tag from 301 to 2301, and I'm just going to update all of these by putting a two in front of them. So this will put the network interfaces of this virtual machine in completely different VLANs from what the existing firewall and all the other computers are in. Now I do still need access to this firewall to be able to make changes to it, so I'm going to do the same for the LAN virtual machine I'm using. So I'm going to edit that and I'll put that in 2301; 2301 is going to be the LAN side for this network. So that's it, I've now isolated this firewall into the 2000 range, whereas the original firewall is still in that original range, so they're completely isolated from each other, and now we should be able to make changes to the new firewall. So we're back on our computer which is on the LAN side, and it's now in a completely different network from where it was originally, and so is the new firewall. So on this tab here where we're connected into the original firewall, if I click on the refresh option, eventually it's going to time out; in other words, we can't get access to it anymore. There you go. If I go back to the new firewall, on the other hand, and click on the refresh button, we can connect to it. So at least we know we're isolated now from the existing network and our computer still has access to the new firewall. So what we're going to do next is to actually restore our configuration file. So we're going to go to System, Configuration and then Backups, and then we've got an option to restore. Now
there are various things you can do here to choose what to restore. I'm just going to leave it as the default, which is to restore everything. Click on Browse and then I'm going to go to Downloads and select my file. Now you do need to tell it if you've actually encrypted the file; if you have, it'll ask you for the password. I haven't, so I'm just going to click on Restore configuration and then off it'll go. It'll eventually reboot itself and we'll just wait for it to come back up.

Well, the new firewall is now back up and running and I have logged into it, except I pointed to 10.1.2.254. The reason being is, well, this is more or less a clone of the original firewall: same IP addressing, same name and so on, so there's no point pointing to 10.1.2.252 because, well, that configuration's now been overwritten. Now when I say it's a clone, at a hardware level it's still different, different MAC addressing and so on, but from a firewall perspective we've got the same functionality, or at least in terms of OPNsense itself. So if you've got any packages running on the existing firewall, like I was suggesting before, you should have really taken a backup copy of those where possible, and then the plan is you would now restore those onto this; by that we're talking about installing the packages and then either manually configuring them or restoring the configuration, depending on the package. But now basically what we've got is a firewall that's configured the same as the original firewall. It has been isolated from the network, so I can now start making changes to this firewall without impacting any of the users that are out there on the network. I'm not going to be making changes to the existing firewall; I'm going to be setting this new firewall up so that it's ready for redundancy.

Now before we add any redundancy to this firewall here, there are some initial changes that need to be made first. So one thing, if we look down here in the bottom right-hand corner under Interfaces, the IP address for the default gateway is assigned to the actual interfaces, so we do need to change that. So I'm going to go over to Interfaces and then I'm going to select WAN. Now technically the order I do this in doesn't really matter; it just means when I actually change the IP addressing on the LAN I'll get disconnected, so I'm just going to leave that till last. But I'll scroll down. Now this is going to be the primary firewall and I've assigned .253 to that, so I'm changing this to .253. Click on Save and then click Apply changes, then just wait for that to take effect, and then I'll go over to the LAN interface and I'll do the same there. Now at this stage I'll stop and say: make sure that you've actually got console access, because by changing the IP addressing here you always run the risk of locking yourself out. So make sure you've got console access, that you can at least get into there and make changes within the console, before you actually commit to making any changes here through the GUI. So I'm just going to change that to .253 and click Save. It takes me right back up to the top again, so I'll click Apply changes. Now in this particular case, because we're logged in to 10.1.2.254, it should eventually time out. I mean, it'll apply the change, but then it'll keep trying to get access to .254 and it'll fail. Now what I found is it's best not to keep that entire URL and try to connect that way, because the firewall tends to complain if you try to connect to an existing session, if you will, using a different IP address; it doesn't seem to like that. So for that reason I'm going to use .253, except now it's decided to time out, so I'll point to .253 and I'll need to log back in again. So both of the IP addresses on these interfaces have now got .253, which is good.

Now another thing I want to do is to actually change the name of the firewall. I mean, I could have a firewall 1 and a firewall 2, it doesn't really matter, but I'm going to change this just to keep it in sync with the documentation that I've got. So I want to click on System, Settings, I'll go down to General, and then I'm just going to change this to, well, this one's going to be the primary, so this is primary FW, primary firewall. Click on Save and that's the name change applied. So just go back to the dashboard, and then for consistency I just need to make the same change within the hypervisor as well. Now obviously this doesn't apply if you're using physical firewalls, and how you actually change the name of a virtual machine really depends on the hypervisor; in my case I'm using Proxmox VE. So to change the name of this firewall I'm going to go to Options and then I'm going to select the name right at the top here, click Edit, and I'm going to change this over to primary FW. Click here, and now I've got the name of the firewall itself in line with the name that I've got configured within the hypervisor.

Now the main part of redundancy for OPNsense is CARP, or Common Address Redundancy Protocol, and that's something that it gets from the underlying operating system, FreeBSD. So to set up CARP we're going to go to Interfaces, then Virtual IPs, and click on Settings, and then what we're going to do is to create some virtual IPs for each of the networks that the firewall is actually responsible for. So we'll click on the plus sign here. I'm going to change the mode to CARP, then I'm going to change the interface to WAN, and then I'm going to put in the IP address, which for this network is 10.1.1.254/24; in other words, if you look at the example, it wants this in the format of the IP address followed by the subnet mask. Now we've then got an option for a password, so we're going to put one in, basically because the firewalls are going to be exchanging information using CARP over the interfaces, and anything that's on those networks has the potential to be listening to that information, so you've got to put some security in; in this case we use a password. Then it wants a VHID group, which can go from 1 to 255, so you
can either type that in or click the button here to select an unassigned one. So because this is the one that we first set up, it's assigned number 1. Now bear in mind, because it goes from 1 to 255 you can't line this up with VLANs, probably, unlike say Cisco's HSRP version 2, which goes through the entire range of VLANs. But, well, if there's even just a tiny bit of OCD in you, you could argue that you could line it up with the third octet. Just saying, you know, it's possible. Anyway, the next thing we need to do is to put in the advbase, so this is basically the advertising frequency. So one thing I'll point out is this is slightly different to what you're seeing in the current documentation, or at least what I saw anyway; they've got it configured slightly differently, but in this particular version there are bits in there that are missing. All I can put here is the advertising frequency. Now by default it's 1; it can go from 1 to 255. So this is just how often they're going to be exchanging these CARP messages between your firewalls. If you find that you're having problems, maybe the firewall can't cope, it's too often, you can increase that number, but I'm just going to stick with the default here of 1. But do make sure that this lines up on both firewalls; they both have to be transmitting at the same frequency. Then for the description I'm just going to call it WAN VIP and then click on Save.

I then need to set up one for the LAN, so I'll click on the plus sign, change the mode to CARP; it's already picked out the LAN interface so I can leave that as is. So this is going to be 10.1.2.254, and then type /24, put in a password for this one. It then wants the VHID group, so I'm going to click the button and it puts in 2. Two, you know, just saying. Advbase I'm just going to leave at 1, and then for the description I'm just going to call this LAN VIP. Now one thing I will mention is that we've got a different VHID group: so on the WAN side it's 1, on the LAN side it's 2, and that's in keeping with what the documentation says. I mean, I suppose you could argue that you could use the same number on all of the interfaces; it's just that you run the potential problem where maybe you've got two systems on the same network both running CARP, so you might have one redundant pair in front of another redundant pair, and if they're both running CARP and they're both using the same group, well yeah, it's going to cause problems; they'll conflict with each other. So I suppose the safest thing to do is stick with what the documentation says and just try to keep these numbers totally unique. Anyway, I'm going to click on Save and that sets up the LAN VIP, and then I'm going to click Apply, as it suggests, for these changes to take effect.

Now if you have a firewall which is using NAT, or Network Address Translation, and most typically do because they're facing the internet, then what you're going to find is that that, at least by default, is actually going to get in the way of your high availability. By that I mean that, for instance, in the case of this firewall, traffic will come in from the LAN interface, exit the WAN interface, but it'll be assigned an IP address of 10.1.1.253; in other words, the IP that's assigned to the interface. Now that's not going to work with our failover; it needs to be coming out with the IP address of the VIP. So we need to change the NAT rules. Now before I do that, though, I'm actually going to create an alias first. The reason being is that, as far as I can tell, I can't create one rule and select multiple subnets or networks within that rule; I have to set up multiple rules. But to make life easier, if I set up an alias I can then use that alias within the NAT rule, and then I just have to keep updating the alias going forward. That does seem a bit easier to manage. So what we're going to do is click on Firewall, then Aliases, then we're going to click on plus. I'm just going to call this one, say, NAT subnets. Change the type to Networks, because that's what I'm going to put in the content field here. So I've only got one, which is 10.1.2.0/24; hit Return, and then at this point I'd start entering more of the subnets if I had any other internal networks. I don't; that's the only one I've got for this video, but that's just something to bear in mind. So the idea is you just keep this alias up to date going forward. And then for the description I'm just going to say this is "networks needing WAN NAT", for example, and then click Apply, and then we can reconfigure NAT. So we click on NAT, click on Outbound, we're going to change it from Automatic to Manual and then click on Save, click Apply. Then I'm going to create a new rule. Now the interface depends on what the exit interface is; in this case it's already picking out WAN so we can leave that as is. There are other things you can change, because you can be very, very selective in terms of the traffic that gets NATed through the interface; you can do that as part of security, for instance. In my case I'm just leaving it down to the source address here, so instead of having this set to Any, I'm going to have it set to that NAT subnets alias that I created, and then for the translation target, rather than Interface address, I'm going to pick out that WAN VIP. I could give it a description if I like, but I'm just going to click Save and then click that to apply changes. So I've now got a rule here which should translate anything coming through the firewall that exits the WAN interface but has at least one of these subnets that's in the alias, to this IP address when it leaves. So what we can do is actually check that. If I go to my computer here, I'm just going to check that I can get access to the computer I've got on the other side of the firewall, which is 10.1.1.40. So that works. So I'm going to SSH over to that computer and just log in. So I've been able to get access
to this computer, but if I type `who` it's actually showing me the IP address that I've logged in with, so it's showing the correct IP address. So it is working: instead of the IP address being the IP address of the interface, it is now the VIP, and that's exactly what we want. It means that any connection that's coming through the active firewall will still be able to work if there's a failover to the other firewall.

Now although it's not mandatory, it is strongly recommended to set up a dedicated network connection between your two firewalls. That way the primary can send HA sync and pfsync traffic across to the backup with little interruption. So this firewall does have a spare interface, so we're going to set that up. So I'm going to click on Interfaces and then Assignments. We've only got one interface to choose from in the list anyway, but then I'm going to click Add, then I'm going to click that interface, I'm going to enable it, then I'm going to give it some meaningful name, so I'm just going to call it HA link. I'm using IPv4, so I'm going to change it from None to Static IPv4, and then I need to put in an IP address. So this needs to be something that isn't being used anywhere else on the network; you don't want traffic coming from a data network, for example, to clash with this range, otherwise the firewall won't be able to send traffic back to that network, for instance. Now all the other interfaces I've got are in the 10/8 network range. I've got no plans on using 192.168, so for that reason I'm going to set this to 192.168.0.253, as I'm at least going to keep that fourth octet in sync with all the other interfaces. Now what you use for the subnet mask depends; sometimes in companies it would be /31, more typically it'll be a /30. In my case it really doesn't matter, in which case I'm just going to stick with a simple /24 here. Then click on Save and then click Apply changes. So once it sets that up, I go back to the Lobby, go back to Dashboard. I've now got a link that I can use as my HA link.

Now your typical firewall is going to block most, if not all, traffic on a newly created interface, and we've just set one up for a dedicated connection between our firewalls, meaning we're going to have to set up some rules to allow the traffic through. So to do that we're going to click on Firewall, then we'll click on Rules, then we need to pick out our HA link firewall interface here, then click on plus to add a new rule. Now if you go through the documentation, they'll suggest just basically setting up a rule to allow all traffic through, but I'm not overly comfortable with that; I'd rather put in a bit more security than just allowing anything. So what I want to do is to change the protocol here to pfsync, and then for the source I'm just going to set it to the network range for this interface, then for the description I'll set this to "pfsync traffic", and then click Save. Now you can be a lot more secure than that if you want to; just bear in mind the destination is a multicast range, and also you're dealing with a situation where the primary firewall here has one address, the backup has a different address, and what's going to happen is the configuration from the primary will get copied across as is to the secondary. So you'd have to be very careful about what you set as the source address, because you might allow traffic from the primary but not necessarily from the backup. So bear that in mind. Now as well as the pfsync traffic, the primary is actually going to update the backup with its config by actually logging in, just like I do, using the web interface here. So I need to add another rule to allow that traffic through. So I'm going to change the protocol to TCP, I'm going to change the source to "HA link net" again, and then the port range, well, it's HTTPS, so I'll select that; it automatically updates the "to" field there. Then for the description I'm just going to set this to "GUI traffic", scroll down, click on Save. So we've got two types of traffic that we need to allow across the link, and then click on Apply changes for that to take effect. Now you might be wondering about the CARP traffic, so that's to do with the virtual IP address that gets shared between firewalls. Well, that's going to get exchanged on the LAN interface and the WAN interface, for example, but if you look up here on any interface really, when you're getting these automatically generated rules, click on the drop-down menu and lo and behold, we've got CARP traffic already being allowed. I didn't have to do that; the firewall is doing it by default, and it's allowing traffic for IPv6 as well as IPv4. So that's already in place, so as far as the extra firewall rules go, they're the only two that we need to add.

Now to complete the redundancy configuration on our primary firewall here, we need to set up HA sync and pfsync, and this is to actually keep the backup firewall up to date. So to do that we're going to click on System and then on High Availability and click Settings. Now this section up here under General settings is for pfsync; it's for synchronizing state tables. So at a minimum we want to select that option, Synchronize States. You then need to tell it what interface to use, and there is a drop-down menu to select the right interface; in my case it's already picked the one that I want to use, so I'll leave that as is. And then it wants the IP address of the backup firewall. In this case I am only running two firewalls, so I'm going to put the actual IP address in, although here it's suggesting a multicast IP address. So I'm just going to put 192.168.0.252, which is the IP address we'll be configuring on the new backup firewall. Then what follows is the config for HA sync, so this is for actually keeping the configuration up to date on the backup firewall. Again it wants the IP address of our firewall, so I'm copying and pasting that because it's going to be the same. It then wants
some login details that I can use to log into the backup firewall. So unless you've added a new user account, then that's just going to be root and whatever that password is, assuming I can type. And then what you've got to do is actually select the items to do with configuration that you actually want to replicate across to your backup firewall, and what you select here really depends on what you're using. So at a bare minimum what we want is Virtual IPs; we will want Firewall Rules, which is lower down here; we'll also want Aliases and NAT. I think it would be a lot easier if this had been in, like, alphabetical order, for instance; I'm not sure what the ordering is here, but yeah, it can be a bit of a pain to pick things out. But that's usually the bare minimum that you want; anything else really depends on your circumstances. So if, for instance, you're using a DHCP server, then you want DHCPD, and so on. There are quite a few different things; it probably doesn't make sense to replicate all of them, it just really depends on what it is you're actually using. Now in my case I'm going to be setting up a new widget on the dashboard, in which case I wanted to synchronize the dashboard as well. So I'm just going to go through these and just double-check I've got everything I need. That seems to be okay, and then click Save, and that's it; that gets the pfsync part configured, plus the HA sync. Now there is a Status option here where you can actually check the status, but at this stage there isn't a backup firewall in place, so there's not really much point clicking that. So that's as far as we need to go in terms of configuring this firewall.

Now at this stage I would suggest doing as much testing as you possibly can, because what we're going to be doing next is to swap out the original firewall for the new one. So I've just got a very basic setup here where I've got one computer on the other side of the firewall, so I'm going to check to make sure I can at least reach that computer, so at least I know traffic is passing through the firewall from one side to the other. I'm then going to log into the computer, the reason being is I actually want to check if NAT's working. So if I just do `who`, it's saying I've logged in with this IP address, so that's the IP address of the VIP, so at least I know that the NAT portion is working. But the other tests you do really depend on your circumstances; I mean, if you've got packages installed, for example, you'll want to check that they're all working properly before you consider swapping out your original firewall.

Now what we want to do now is to replace the existing firewall with the new firewall. The only trouble is both of these firewalls have got the same IP addressing, so they can't exist on the same network. So the first thing we're going to do is to actually isolate the existing firewall from the network. Just bear in mind, as soon as we do that, well, it's going to cause an outage, so you're going to have to give people plenty of notice that this network basically is going to stop working, because nobody will be able to get access to anything because the firewall is gone. So there are different ways you can do that, but what I'm going to do for this firewall is just to update the VLAN tags, because this is a virtual firewall running on a Proxmox VE server. So to do that I'm going to go to Hardware, and then I've got three network interfaces, and what I'm going to do is just change the VLAN on each one of them. So I'm going to select the first one, click Edit. Now I'm not using anything in the 3000 range, so what I'm going to do is just put all of these interfaces into a 3000-and-something VLAN. So for this one I'm just putting a three in front, so it now goes into VLAN 3301. Click OK, then I'm just going to do the same for all of the other interfaces that we've got on this firewall. Now with Proxmox VE this is all getting done on the fly, but yeah, now that we've actually moved all of these interfaces to different VLANs, well, that's it, we've now got a network outage. So that's something to bear in mind: make sure that everybody's well aware of this change before you even start.

Well, now that the original firewall has been isolated from the network, I can bring the new one online. So this is a virtual machine running in Proxmox VE, and what I'm going to do is to update the VLAN tags. So I'm going to go to Hardware and then pick an interface, click Edit. Now to isolate this one I was putting all of the interfaces into the 2000 VLANs, so I just need to remove the two to bring these back onto the live network, and again it's just going to do these on the fly. So I'll just do the last one and that should put this firewall on the live network. So just check, yep, none of these are still in the 2000 range. Now the computer that I'm using is still in an isolated network, so I need to update its VLAN tag as well so that way I can still configure this new firewall. So now we should have the original firewall isolated into these 3000 VLANs, the new firewall back onto the live network, and so is the computer that I can use to manage the firewall.

Well, now that the new firewall has been activated, it's time to do more testing. So the first thing I'm going to do is just make sure I've actually got access to this new firewall. So the new one's got an IP address of 10.1.2.253, and that's what we've got in the browser; click on Refresh, yep, that's still working. If we go to Dashboard, for instance, well, I can move around. If we go to Interfaces, Virtual IPs, Status, I can see the two VIPs are up, and they're configured as the default gateway that we want to be using on our network, so that's all a good sign. I mean, if I try to actually connect to 10.1.2.254, for instance, just to double-check, yeah, it's got the name of our new primary firewall, so that's all good to see. So at this stage it would be a case of handing it over to users and making sure everything works, basically. But this is just a basic
lab that I've got so I'm going to try and connect to a computer on the other side of this fight wall which yep that's responding to Ping requests I'm going try and SSH into that oneide my password so I'm just double checking again yeah not working as expected so all looks to be working fine the only thing I'll say at this stage is it really depends on your circumstances you can run into all sorts of problems just by changing the MAC address which is what we've done here I mean this firewall has got the same configuration but deep down at a hardware level the MAC address has changed that can cause problems for some devices in other words whereas some actual computers will be quite happy to just accept that Mac address has changed others will have security features and they'll just refuse um to accept the different Mac address and then they won't be able to connect so you might have to flush app tables cam tables and so on if you've got any network security features set up you might have to update those with a new Mac address and so on so at this stage how things work or don't work really depends on your situation in my case this is just a very very simple lab a couple of Linux computers that are being used and they're quite happy with this Mac address changing but these are things you do have to bear in mind now unless you've got two new firewalls to set up your redundancy then you're going to have to reconfigure the original one so that reason I've moved my computer into a VLAN that will give me access to the original firewall and as you can see this session to the new firewall is timed out so I'm going to open up new tab and I've going to point to the IP address for the actual original firewall and then I need to log into that by and that's a good sign because the name is the name of the original firewall I can still double check if I click on interfaces go down to Virtual IPS click on status well there's no VIPs mentioned here and I know that's a good sign 
because the original firewall didn't have any bips actually configured on it so as far as I can tell I am actually on the original firewall so what I need to do is to change the actual IP addresses on the interfaces so I'm going to click on one scroll all the way down I'm going to change this from 254 to 252 click save and then click apply changes then just need to wait for that to take effect now if you've got any other interfaces it's a case of repeating that same process cuz we can't have the default gateway actually assigned to the interface now the only one that's left for me is the Lan interface so I'll select that scroll down change that click on Save then click apply changes the only thing is I'm actually logged in that 254 address so I'm going to lose connectivity so for that reason I'm going to point it over to 250 two instead and while that's going on as far as we can tell I mean eventually it'll time out because it's still trying to connect I've being able to quickly sneak a connection in on the new IP address but I'm just double checking that all of the interfaces that I've got have now got the IP address that that should be assigned to this firewall but while we're here I'm going to change the name as well because I I want this to be the back up firewall so I'm going to system uh then we go to configuration no go to settings then we go to General then I'm going to change this to be the backup firewall click on Save and we just go back to the lobby and then to the dashboard we've now got our new name for this firewall number because this is a virtual firewall it's going to make sense for me to keep the actual name on the firewall in sync with what we got configured here on my hypervisor proxmoxve so you select the firewall go to options click on name at the top on edit and then I'm going to change this over to backup firewall now the two are in sync well we should now be able to move our original F will back to the live Network and although it 
shouldn't cause any problems it's best just to warn users ahead of potential problems just in case now for me this is a virtual firewall and it's running on proxmox V ye so what I need to do is to update the VLAN tags to do that I click on the virtual machine go to hardware and then pick out one of the actual interfaces so I put these interfaces into a 3,000 and something VLAN so I just need to delete that three at the front and I need to do that for all of the actual interfaces so I'm just going to repeat that for all of these and that's it it should have put this back onto the live Network now I'm using a PC to do all of my management so I need to move that one as well so that one needs to be in weand 301 in my case but we should now have a backup firewall that's ready to be configured on the live Network now in order for us to have redundancy we're going to have to configure PF sync on this backup firewall here but before we do that we're going to set up a dedicated link for it now like I was saying with the primary firewall it isn't mandatory that you actually have a dedicated link between the two firewalls but it is strongly recommended that way the two firewalls can exchange your information without getting interrupted by other devices on the network so to do this I'm going to go to interfaces and click assignments now I've only got one spare actual interface on this computer but if you had any others and you needed to pick a different one just click on the drop down menu and select the appropriate interface that's a case of clicking add and then we can click on the actual link for that new interface will enable it change the description to something useful so I'm going to just call this ha link I'm using ipv4 so I'm going to change this from non to static ipv4 then I'm going to scroll down and enter the IP address so for me is 182 168 .0.2 52 and then I need to change the subnet mask as well which for me is just a sl24 network then I can click on Save and 
then I need to click apply change changes for this to take effect and then once that's done I go back to the lobby and then to dashboard we can see our new interface for our haa link down here in the bottom right corner now the next thing to do is to configure PF sync got our backup firewall so to do that we'll click on system then on high availability and then we'll click settings we need to enable the option synchronize States and then you need to pick the synchronization interface that you're going to be using so in my case it's already picked out the correct one but otherwise you can just click on the drop down menu and select whichever interface is relevant for you and then we need to put in the IP address of the actual primary firewall so for me is 192.168.0 253 now as the documentation suggests it's as far as you need to go when it comes to the backup firewall so on the actual primary firewall we set up AA sync but that isn't relevant to the backup firewall all it needs is PF sync the ha sync is for the actual primary firewall to synchronize its configuration over to the backup firewall that's a one-way process so we're just going to scroll all the way down to the bottom click on Save and now we've got PF sync configured now as with the primary f firewall we're going to have to configure some firewall rules on our actual backup firewall to allow the ha sync and PF sync traffic so to do that we're going to go to firewall and then to rules then we'll pick our dedicated interface which for me is ha link then I'm going to click on the plus sign to add a new rule I'm going to change the protocol PF Sync here and I'm going to set the source to each a link and then for the description I'm just going to call this PF sync truck scroll down and click on Save then we're going to add another rule so I'm going to change the protocol to TCP I'm going to change the source ha link the destination Port range I want to pick out HT PS then for the description I'm going to 
change this to buy traffic scroll down click on Save and now I'm going to click apply changes now you might be wondering well doesn't the primary actually send its configuration over to the backup well at this stage the backup isn't really ready and it's it would have been basically blocking all of that traffic coming in on the interface so until you actually get that initial establishment um then it won't work so we have to at least set up these rules just to get things going but that's all we need to add as far as firewall rules to our backup firewall now like the documentation suggests the next thing I'm going to do is to actually reboot these firewalls so for that reason you want to make sure that your users are prepared because chances are there's going to be outage now they don't mention a particular order so what we're going to do is to actually reboot the primary first wait until that comes back up again then we're going to reboot the actual backup firewall wait until that one comes back up again and then we'll do some checks so I'm going to start with the primary so I'm connected into the primary here we're going to go to Power and then we're going to select the option to reboot click yes to reboot and now I'm just going to sit and tole my Foams well the primary firewall is now back up and running I mean at least we've got a login prompt so for that reason we going to go over to the backup firewall going to click on power select reboot yes and um yeah going to go back to fing my phones again well the backup firewall is now up and running so we're going to log into these and we're going to do some checks so they're both independent firewalls so I can log into both of them in other words you don't just log into the primary as such and control both of them from there so this is our backup firewall looks like put the wrong password and this is our primary so what we can do is some checks I mean if we go over to interfaces uh then over to Virtual IPS and then 
stairs and this is basically it's running as the master so it's said detected a problem and this one has beened to backup status check your link on all interfaces with car if we go over to the backup we'll check that one then look for virtual IPS and then status so this one's actually saying it couldn't locate any defined car interfaces so that's an interesting start okay so we'll go back to our primary if we go to system go to High availability and click on status now that is a good sign because if the primary couldn't communicate with the actual backup what you'd find is you would just get a basically the little mouse cursor if you will there it'll just keep spinning around and around but instead what we've got here is information about the actual backup firewall along with details about the services showing that they're up and running and so on and this to me is where things start to fall apart for redundancy when it comes to open sense because well if you go through the documentation at this point the suggesting that basically everything's working um you know everything should have been replicated over to here and well it hasn't I mean we've got virtual IPS on this firewall but not on this firewall they're just completely missing it doesn't make any sense just gone there's nothing there whereas the documentation seemed applied well this would have all happened automatically but it doesn't now if you go through the forums from what I've read it suggests that at some point the replication was an order automated process but then that got removed and it got turned into a manual process but I don't see any mention of that in the actual documentation and that's why i' like that issue up about yeah this is where things start to fall apart because what you're going to have to do is actually make changes on the primary and actually manually um sync your config over to the actual backup so to actually sync a config over uh here under where we've got high availability and 
then status you can click this option here where we've got synchronize here we've got a little cloudy and it says synchronize config to backup so if I click on that what I want to see is two tick boxes show up one for synchronize and one for template so that has manually synchronized across to the backup so if I come back to the backup again uh if you have a look at our settings now we've got two interfac whereas before we had nothing at all we go to status this one for whatever reason has decided it's become the master this one on the other hand is just kind of wait for this one I go to interfaces virtual IPS and status this one's decided stays the backup so they've they basically sync the config over but the primary all what should be the primary is currently running is the backup uh firewall so yeah it's a bit of a an actual challenge in the sense that this whole process isn't um actually automated in one situation which is a problem means every time I want to make configuration changes I'm going to have to manually syn things across that's something you need to bear in mind I mean just have a look on PF sync nodes showing one at the moment uh this one if we go over to system high availability status so this one's not configured for high availability so that's to be expected so the only issue at the moment really seems to be our virtual IP addresses so go over to status again what I'm going to do is I'm going to force a a kind of a fail over here so go to interfaces go to Virtual IPS we go to status and then I'm just going to say temporarily uh dis you got a choice of temporarily disable C or enter a persistent car maintenance mode that one seems to be the better strategy so I'll just refresh that that one's still sitting as the master for some reason so it's not really making a difference it's not synchronizing for some strange reason so I'll take this one back out and then what I'm going to do is I'm just going to reboot this one so again it's going to cause a 
problem because currently this one's acting as the default gateway but we'll reboot this one and we'll see if this one actually takes over at some point right so this one's now taken over as the master so we just need to for this one to come back up but yeah that's a I think that's a bit of a let down because at some point this whole um configuration process was automated you would just make your configuration changes on the primary they would then get synced over uh to the actual backup and that was it you didn't have to do anything but now it seems somewhere down the line that took that away and decid it has to be a manual process you can go through the forums and have a look can see what um people are mentioning about it because they did it for a reason I just haven't seen an official explanation myself as why so let's just refresh this so this one is currently the master go back to system go back to interfaces rather virtual IPS status and this one's now the backup so at least it's behaving in the way we now expect so this is the primary actual um firewall this one's the secondary so what you expect is that you've got one active firewall as far as car is concerned so this one's responsible for that default gateway so it's showing a status of a green play button and master whereas the secondary that's going to stateus with a gray play button and backup so so under normal circumstances this is what you expect to see one firewall active one just sitting in a passive or standby mode now at this stage we should have a redundant pair of firewalls in other words we got a primary and we got a backup but we need to test that they work and we also need to test that failover works because well if something goes wrong with the primary here you want to make sure that our backup firewall will actually be able to take over and we won't have an outage as a result so what we're going to do is go to the primary here we'll click on interfaces go to Virtual IPS and click on status 
So from what we can tell this one is the active firewall; it's got a status of MASTER. Then on the secondary we do the same, go to Virtual IPs, Status, and this one's saying it's the backup. So this is the active firewall and the other one's just sitting in standby.

Now one thing I'll point out is that earlier on we were getting these error messages reporting problems with CARP. I did a bit of investigation and couldn't spot anything on the firewalls; you've got automatic rules on the interfaces to allow CARP traffic through, so it didn't seem to be that. I started playing around with the frequency of the advertisements, the interval for how often these CARP messages get sent out, and that wasn't making any difference. Then when I checked the underlying Proxmox server it was reporting problems with OVS by the looks of it. I've since updated Proxmox and it seems to be more stable; I keep checking the logs since I've updated, but I'm not seeing the error messages I was seeing before. I actually had a similar problem today on my live network, a system that's using OVS bridges as well, where the virtual machine was just struggling to write to the disk, because the disks are on shared storage. So it seems like there was something going wrong with the OVS software; I've since updated to the latest version and, fingers crossed, touch wood and all the rest of it, it seems to be a lot more stable now. I've also obviously rebooted everything as a result of upgrading Proxmox itself, but so far these do seem to be stable, so I suspect that's what the problem was: not specific to OPNsense itself but the underlying Proxmox network, and more specifically OVS.

Anyway, we've got our two firewalls up and running, so what I want to do is go to this terminal session I've got and start a ping session going. It's pinging a computer on the other side of the firewall, so this should be going through the primary, and I'm just going to leave this continuously running. I need to flip back to this one; we're going to log into that computer as well, because I need to make sure that the state tables are working too. In other words, our ping traffic is constantly running, and that should be able to recover anyway, but if you've got pretty much seamless failover then the SSH session that we've already got open should carry on working. So we go back to the firewall. Now, there are different ways you can do this. In a physical environment, for example, you could pull the network cables out of the firewall; the backup would detect an outage and then take over. It's a bit more tricky in a virtual environment. I could go around and reconfigure the interfaces, for example, to isolate the firewall, but what I'm going to do is just tell it to reboot. I could reset it, which is equivalent to a power outage in a physical environment; the only trouble is there's then the risk of corrupting the drive. Now what I will say is that we should expect this to be a seamless transition from the primary over to the backup, but you've got to be prepared for an outage, especially when you're testing it for the first time, so do make sure that users are aware of what's going on and that you're prepared for an outage just on the off chance, before going any further. In our case we're just going to tell it to reboot, in which case it should probably tell the backup that there's going to be an outage, but we'll see. So it's not an exact replication of a true outage, but it's close enough without basically trashing the drive, or at least risking it. I'll tell it to reboot itself, say Yes, and then it should start to shut down. At the moment this is still the backup as far as we can see. If we go back to here, this is still pinging. Let's go back to the web browser and refresh this one on the secondary: this has taken over as the active firewall, so that's good to see; in other words, the firewall is rebooting. If we go back to the terminal, we go to our SSH session, and I'm just hitting return and it's still working. So we've had a seamless transition from the original primary firewall, which was active, over to the backup firewall, which is now the active firewall.

Now what we're going to do is basically wait for the primary to come back up, and it has done, so that was quite quick actually. We'll log back into that. I'm just checking the log files on Proxmox; it's always a bit concerning when log entries suddenly start popping up, because I'm thinking is it going to be OVS again, but there's no sign of those. So we go back to our backup, do a refresh, and this one is still saying it's the master. Go back to Interfaces, Virtual IPs, Status; yeah, I was maybe being optimistic there, it's back again. I'm not seeing anything in the log files of Proxmox, which is usually an indication of where it's got problems. What it's done is demote itself: it's showing here the current CARP demotion level is 240, so it's saying it's detected a problem. For whatever reason it has an issue and the two are having trouble communicating. If I go back to here, yeah, it's still the master. Other people have reported similar problems, but I haven't seen a solution as such. I suspected it was just a problem with OVS, but there's no sign of that in the log files for Proxmox here, so I don't think it is that; it might be something else. As far as the software goes, just out of curiosity I'll have a look at the status and check for updates, because it was on 24.1, and it's saying it's up to date, although in this particular case I can't update these anyway because they're on a completely isolated network. But yeah, it's a feature; when I tried it before it worked fine, and what other people have suggested on a forum is that you basically end up rebooting both firewalls. What I'm going to do here is put the firewall into maintenance mode, at least as far as CARP is concerned. This is the primary, so at the moment the secondary is running as the active firewall, and this one should have taken over because of the way it's configured: when you set these virtual IPs up, the master, or the primary I should say, gets priority over the secondary or backup. But for some strange reason there's something definitely going on here where it's not working properly. So I'm going to put this into maintenance mode, and now it's set that level all the way up to 480, so I'm going to take it back out of maintenance mode to reset its level back to zero. If I click on Refresh now, this one has taken the role over as the active firewall; if you go over to this one and click Refresh, this one's now the backup firewall. In my previous testing that's normally gone pretty smoothly; it's gone backwards and forwards between the two firewalls without issue, but for whatever reason, as Murphy's Law would have it, while I'm recording I've got this strange problem where CARP isn't working quite the way I would expect it to. Now bear in mind this is a virtual environment; everything's running on a single computer. If I check the stats of the computer itself, just to give you a perspective, let's just say the CPU load is under 1% out of 40 CPUs, memory-wise we've still got another 40-something GB of RAM free, and disk and network utilization are extremely low, so I don't think it's to do with the hypervisor, but I can't rule it out.
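The continuous ping and the open SSH session described above are the right way to judge a failover, but watching a scrolling terminal makes it easy to miss a few unanswered probes or a duplicate reply from the moment both firewalls briefly forwarded traffic. The script below is an added example and is not part of the video: it summarises an iputils `ping -D -O` log captured during the failover, reporting which icmp_seq values went unanswered, the longest run of consecutive losses, and the longest wall-clock gap between answered probes. The sample log is constructed, and the target address 10.1.2.10 is an assumption.

```python
"""Summarise a continuous-ping log captured during a firewall failover test.

Added example (not from the video). Assumes iputils-style output, optionally
run with `ping -D` (epoch timestamps) and `ping -O` ("no answer yet" lines).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches a reply line, with or without the "[epoch]" prefix that `ping -D` adds.
REPLY_RE = re.compile(
    r"^(?:\[(?P<ts>\d+(?:\.\d+)?)\]\s*)?\d+ bytes from \S+.*?icmp_seq=(?P<seq>\d+)"
)


@dataclass
class FailoverReport:
    replies: int                  # distinct sequence numbers that were answered
    duplicates: int               # extra replies for an already-seen sequence (DUP!)
    lost: List[int] = field(default_factory=list)   # icmp_seq values never answered
    longest_gap_packets: int = 0  # longest run of consecutive unanswered probes
    longest_gap_seconds: Optional[float] = None     # only when -D timestamps exist


def parse_ping_log(text: str) -> List[Tuple[int, Optional[float]]]:
    """Return (icmp_seq, epoch_timestamp_or_None) for every reply line.

    Header, 'no answer yet' and statistics lines do not match and are skipped.
    """
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            ts = float(m.group("ts")) if m.group("ts") else None
            out.append((int(m.group("seq")), ts))
    return out


def analyse(replies: List[Tuple[int, Optional[float]]]) -> FailoverReport:
    if not replies:
        return FailoverReport(0, 0)
    seen = {}
    duplicates = 0
    for seq, ts in replies:
        if seq in seen:
            duplicates += 1            # a second reply to the same probe
        else:
            seen[seq] = ts
    seqs = sorted(seen)
    lost = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seen]
    # Longest run of consecutive missing sequence numbers.
    longest = run = 0
    for s in range(seqs[0], seqs[-1] + 1):
        run = run + 1 if s not in seen else 0
        longest = max(longest, run)
    # Longest wall-clock gap between two answered probes, if timestamps exist.
    gap_s = None
    stamped = [seen[s] for s in seqs if seen[s] is not None]
    if len(stamped) >= 2:
        gap_s = round(max(b - a for a, b in zip(stamped, stamped[1:])), 3)
    return FailoverReport(len(seqs), duplicates, lost, longest, gap_s)


def report_for(text: str) -> FailoverReport:
    return analyse(parse_ping_log(text))


# Constructed sample of `ping -D -O 10.1.2.10` across a forced failover: probes
# 4-6 are never answered (the "no answer yet" lines come from -O) and probe 7 is
# answered twice while both firewalls were forwarding.
SAMPLE_LOG = """\
PING 10.1.2.10 (10.1.2.10) 56(84) bytes of data.
[1700000000.000] 64 bytes from 10.1.2.10: icmp_seq=1 ttl=63 time=0.410 ms
[1700000001.000] 64 bytes from 10.1.2.10: icmp_seq=2 ttl=63 time=0.398 ms
[1700000002.000] 64 bytes from 10.1.2.10: icmp_seq=3 ttl=63 time=0.405 ms
[1700000004.000] no answer yet for icmp_seq=4
[1700000005.000] no answer yet for icmp_seq=5
[1700000006.000] no answer yet for icmp_seq=6
[1700000006.100] 64 bytes from 10.1.2.10: icmp_seq=7 ttl=63 time=0.512 ms
[1700000006.101] 64 bytes from 10.1.2.10: icmp_seq=7 ttl=63 time=1.300 ms (DUP!)
[1700000007.000] 64 bytes from 10.1.2.10: icmp_seq=8 ttl=63 time=0.401 ms
"""

if __name__ == "__main__":
    r = report_for(SAMPLE_LOG)
    print(f"answered={r.replies} duplicates={r.duplicates} lost={r.lost} "
          f"longest_gap={r.longest_gap_packets} probes / {r.longest_gap_seconds}s")
```

Run the real test with `ping -D -O <host> | tee failover.log` on the client, force the failover, then feed the log to `report_for`. With a one-second interval the longest run of losses is roughly the outage in seconds; the timestamped gap is the precise figure, and a non-zero duplicate count is worth noting because it shows the window in which both firewalls were answering for the VIP.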
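Because every configuration change on the primary has to be pushed to the backup by hand (the cloud button under High Availability, Status, as described above), a backup that has quietly fallen behind will enforce a different rule set the moment it becomes MASTER. The script below is an added example, not from the video and not OPNsense project code: it compares two config.xml exports and reports rules present on the primary but missing on the backup, CARP VIPs that differ, and any VHID where the backup's advskew is not higher than the primary's (the video's expectation is 0 on the primary and 100 on the backup). The config.xml element layout it assumes and the two sample exports are constructed by me; verify the field names against a real export before relying on it.

```python
"""Detect configuration drift between an OPNsense primary and its backup.

Added example (not from the video, not OPNsense project code). It compares two
config.xml exports (System > Configuration > Backups on each firewall). The
element layout assumed here (opnsense/filter/rule, opnsense/virtualip/vip with
mode/vhid/advskew children) is my simplified reading of config.xml; check the
field names against a real export before relying on it.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Per-rule bookkeeping that legitimately differs between the two boxes.
RULE_NOISE = {"uuid", "created", "updated"}
# advskew is supposed to differ (0 on the primary, higher on the backup), so it
# is excluded from the equality check and tested separately below.
VIP_NOISE = {"advskew"}


def _canon(elem, noise):
    """Flatten an element into a hashable, sorted (path, text) tuple, skipping noise tags."""
    items = []

    def walk(e, path):
        kids = [c for c in e if c.tag not in noise]
        if not kids:
            items.append((path, (e.text or "").strip()))
        for c in kids:
            walk(c, f"{path}/{c.tag}" if path else c.tag)

    walk(elem, "")
    return tuple(sorted(items))


def _descr(canon):
    return dict(canon).get("descr", "<no description>")


def load(xml_text):
    """Return (list of canonical filter rules, {vhid: (canonical vip, advskew)})."""
    root = ET.fromstring(xml_text)
    rules = [_canon(r, RULE_NOISE) for r in root.findall("./filter/rule")]
    vips = {}
    for v in root.findall("./virtualip/vip"):
        if v.findtext("mode") != "carp":
            continue
        vips[v.findtext("vhid")] = (_canon(v, VIP_NOISE), int(v.findtext("advskew") or 0))
    return rules, vips


def compare(primary_xml, backup_xml):
    p_rules, p_vips = load(primary_xml)
    b_rules, b_vips = load(backup_xml)
    pc, bc = Counter(p_rules), Counter(b_rules)
    findings = {
        "rules_missing_on_backup": [_descr(r) for r in (pc - bc).elements()],
        "rules_only_on_backup": [_descr(r) for r in (bc - pc).elements()],
        "vips_missing_on_backup": [f"vhid {v}" for v in p_vips if v not in b_vips],
        "vip_mismatch": [],
        "vip_skew_problems": [],
    }
    for vhid, (p_body, p_skew) in p_vips.items():
        if vhid not in b_vips:
            continue
        b_body, b_skew = b_vips[vhid]
        if p_body != b_body:
            findings["vip_mismatch"].append(f"vhid {vhid}")
        # The backup must advertise slower (higher advskew) than the primary,
        # otherwise both boxes contend for MASTER on that VHID.
        if b_skew <= p_skew:
            findings["vip_skew_problems"].append(
                f"vhid {vhid}: primary advskew={p_skew}, backup advskew={b_skew}")
    return findings


def in_sync(findings):
    return not any(findings.values())


# --- Constructed sample exports (not real config.xml files) -----------------
def _rule(iface, proto, port, descr, stamp):
    return f"""<rule><type>pass</type><interface>{iface}</interface>
      <ipprotocol>inet</ipprotocol><protocol>{proto}</protocol>
      <source><any>1</any></source>
      <destination><any>1</any><port>{port}</port></destination>
      <descr>{descr}</descr>
      <updated><username>root</username><time>{stamp}</time></updated></rule>"""


def _vip(iface, vhid, skew, addr):
    return f"""<vip><interface>{iface}</interface><mode>carp</mode><vhid>{vhid}</vhid>
      <advbase>1</advbase><advskew>{skew}</advskew>
      <subnet>{addr}</subnet><subnet_bits>24</subnet_bits>
      <descr>VHID {vhid} gateway</descr></vip>"""


# The primary has an HTTP rule that was never synced, and the WAN VIP on the
# backup was left at advskew 0 by mistake. 203.0.113.254 is a documentation address.
PRIMARY_XML = f"""<opnsense><filter>
  {_rule('lan', 'tcp', '443', 'Allow HTTPS', 1)}
  {_rule('lan', 'tcp', '80', 'Allow HTTP', 2)}
  {_rule('opt1', 'pfsync', '', 'pfsync traffic', 1)}
</filter><virtualip>
  {_vip('lan', 1, 0, '10.1.2.254')}
  {_vip('wan', 2, 0, '203.0.113.254')}
</virtualip></opnsense>"""

BACKUP_XML = f"""<opnsense><filter>
  {_rule('lan', 'tcp', '443', 'Allow HTTPS', 9)}
  {_rule('opt1', 'pfsync', '', 'pfsync traffic', 9)}
</filter><virtualip>
  {_vip('lan', 1, 100, '10.1.2.254')}
  {_vip('wan', 2, 0, '203.0.113.254')}
</virtualip></opnsense>"""

if __name__ == "__main__":
    for key, value in compare(PRIMARY_XML, BACKUP_XML).items():
        print(f"{key}: {value}")
```

The rule comparison deliberately ignores the per-rule `uuid`, `created` and `updated` bookkeeping so that a rule synced a day later still matches, and it is a multiset comparison, so a rule that exists twice on one side and once on the other is reported. Running this after each manual sync, or from the same daily cron that pushes the configuration, turns "remember to update your backup server" into something you can check rather than remember.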
If I check the log files I'm not seeing the same error messages I was seeing before, where network ports were being blocked and opened up again due to spanning tree, which is unusual in a virtual environment I must admit, but for whatever reason CARP just isn't functioning exactly the way I would expect it to. As settings go, if we go to the Virtual IPs settings and just pick one of them out, there's nothing unusual there. If you go into advanced mode, that's when you get to see the skew that it mentions in the documentation; you've got to be in advanced mode to see that. By default that is set to 0, and if I go over to this one, go to its settings and pull that one out, if you go and have a look at its skew, it's 100. So that's to be expected; in other words, the primary should basically always take over whenever it comes back up again, but for some strange reason it's just not doing that. If we go back to our sessions, we're still running our pings and not seeing any outages even though we forced it back; my SSH session here is still working, so we haven't lost that, so it hasn't actually caused any problems. What it just means is you're kind of left feeling it's a bit unreliable, because the way this is supposed to work, or at least the expectation, is that the primary firewall should always be the active firewall; the backup's there just as a backup, so you don't really want this to be running as the active firewall for a prolonged period of time. When you make changes you make changes to this firewall and then you sync everything over to the backup firewall; that's just purely there to cover outages, and that's it. So it's a bit unusual, I must admit. Out of curiosity I'm going to reboot it again and see if it does the same; I suspect it will. There's definitely something strange going on, because at one point this particular one, if I look at its status, actually ended up disabling its interfaces for some strange reason. But that was at the point where, as I say, I was getting these error messages showing up on the hypervisor, and they have since gone, so it needs a bit of further investigation. As far as a functional redundant firewall goes, though, it works: it'll fail over to the backup, it just might need a bit of encouragement to bring it back onto the primary. Now, normally in a real working environment that's actually a good thing in a certain respect, because if the primary firewall develops a fault, for instance it's got a link that's constantly flapping up and down, you don't want it to come back online and then go offline, then back online, then offline; you want a stable environment. So normally what you would do is disable preemption for that reason. But in this case it's interesting, shall we say. So let's see what it does this time. I'm not quite sure, as I say, why it's having this issue, because in my previous testing it worked fine. So this time it's taken over flawlessly by the looks of it; it's not complaining this time, which is definitely odd, I'll give it that. If you go to System, Log Files, General, that's where it suggests looking and checking for problems; it's not showing anything there, and that's why I'm saying nothing was sticking out for me as to why it didn't do that. It went from backup to master, preempting. There might be something in the log files; maybe I'm just going to have to keep sifting through and finding anything specifically related to CARP. What you can do is filter messages out, so let's see if we do "lan VIP" and filter on that: it's just mentioning resyncing, it's not saying anything about a specific problem there. Just try "carp" in general; go right to the end there, so there are three pages, four pages, five pages, there are a lot of pages that way. There might be something in there that gives me a clue as to what's going on, but it seems to be a bit hit and miss, and that's the strange thing, that's the worst thing: if you've got a problem and it's blindingly obvious what the problem is then it's easy to fix, but when it's, should we say, an intermittent problem, that's the worst thing you can run into. It's not doing it again, so it did it once after rebooting, and the next time I rebooted it was fine. So it's a bit concerning, but that's one way that seems to fix it; another way seems to be to reboot the firewalls, bringing up the primary first and then the secondary last. As I say, it's not the end of the world, because the whole idea is that the backup is only intended as a last resort in case the primary does actually fail; even if it stayed as the active firewall and you had to force the active role back onto the primary firewall, it's not the end of the world. But yeah, it seems to be a feature, that's what I'm going to call it. So let's just double check: the failover has been, I'd say, pretty good. It's a virtual environment and it's just constantly pinging; it hasn't dropped any packets in the process, and in part that's to do with the fact that it's polling every second; it's checking every second, sending out CARP messages, both of them do. But as far as redundancy goes, it does actually work, and that's exactly what you want.

Now, as I've been mentioning, for whatever reason OPNsense doesn't automatically replicate the configuration from the primary firewall across to the backup firewall, so if you make a change on the primary firewall you're going to have to get into the habit of manually syncing the configuration over to the backup firewall. You do sometimes get warnings, which I've noticed, but not all the time. So let's say, for example, we go over to Firewall and then to Rules, and I'm going to pick the LAN interface. I've got a bunch of rules here which, to be honest, don't really mean anything, because we've got a default rule allowing everything through, but I just wanted to set up some sort of rules that I could check are getting copied across to the backup firewall. What we're going to do is clone this rule here, which is for HTTPS, but instead I'm going to change it to HTTP, click on Save, and now click on Apply. Ah, there you go: it's actually saying the changes have been applied successfully, remember to update your backup server, and it does give you a link to point you in the right direction. But you don't always get that; I've noticed there are some places you can go and make changes and you don't get that warning, so really you've got to get into the habit of manually syncing the changes every time you make a change on the primary. Make sure that you do follow that path there, because if I go over to the backup, go to Firewall, then Rules, then the LAN interface, you can see we've just got the original three. So what I need to do is go back to, as it says, System, High Availability, then over to Status, and click that little cloud button, and then what we should get is two ticks to confirm this is all done. If we go back to our backup firewall and do a refresh, now we've got all of the rules. These are just things you're going to have to get used to. What I can also do is set up a cron job to at least back up every night, for instance, and it's not recommended to do it too frequently; if you go through some of the guidelines that Zenarmor, for instance, publish about setting up CARP and redundancy on OPNsense, they're suggesting to set up a cron job, but only once per day. So what we're doing is going to System, this is on the primary, then to Settings and clicking on Cron, then we're going to add a new job. We'll click the plus button to add one. Now you've got to tell it when you want to do it, so let's say I want to do it at 2:00, for example, and then it wants the command; by default it's Automatic Firmware Update, and what we're going to do is select the option "HA update and reconfigure backup", then I'll give it a description. You can set this to whatever you like, basically; it's entirely up to you what time. For me 2 in the morning seems pretty quiet. So I'm going to click on Save, and that sets up a cron job to at least back up the backup firewall. I'm going to click on Apply just to make sure, and that gives us a cron job, so we should at least be getting the config backed up, but it is still better to get into the habit of manually updating it yourself.

Now one way that we can monitor whether CARP is working is to add a widget to the dashboard. To do that we need to be on the primary firewall; in other words, all of our changes have to be done on the primary firewall. What we're going to do is click this option up here, Add Widget, and select the one right at the top for CARP, then click on Close, and then, as it says, we've got to click on Save Settings for this to load. There we go: at the moment it's showing itself to be the MASTER, so we know we're on the active firewall, this is the master. Now the thing is, if we go over to the backup firewall, there's nothing there, and that's because we've made a configuration change, but that's been done on the primary, and it doesn't automatically sync across to the backup. In which case what we're going to do is go to System, High Availability, then click on Status, and then we're going to sync the configuration by clicking on the cloud, where it's got "server synchronized", so we're going to click that one. It says "synchronize config to backup", click that, and
we want to see two text boxes so we're going to see this dashboard get updated when we refresh and it's what the one that's now showing itself to be the backup so that's a an easier way I would say to keep an eye on car just by looking at the actual dashboard basically so we're on the primary and it's saying it's the master and we're on the secondary we're seeing that it's the backup so the reason that's working for me is just because if I go over to system high availability in settings I opted to synchronize the dashboard so that's something to bear in mind if you haven't done that but that's a pretty useful way just to keep an eye on your redundancy now there are going to be times where you need to take the primary firewall out of service and normally that shouldn't be a problem because well we've got our primary firewall here which is currently running is the active firewall then we've got our acup firewall which is sitting there ready to take over in case something goes wrong having said that you still need to be prepared for a potential outage so whenever you are going to make some changes and the primary firewall needs to go out of service then make sure everybody's prepared made for possible outage but let's say for example we want to do a software update and we want to do this on both firewalls because we want them both running the same cord version just in case there's some odd issue with different cord versions being run well what we could do in that particular situation is well we're going to go to system and high availability and then status on our primary firewall here and we're just going to make sure that the actual configuration on the backup is up to date so we're doing a manual Sync here the next thing we would do is to go over to the backup firewall and update its actual software we're going to do it on this one first because well it means we've still got our active firewall which is still running we shouldn't have any interruptions while we're 
actually updating this uh firewall and while it's being rebooted because well this one is the act of firewall so that would be the Plan update this file will first now this one doesn't actually need updating but what we've got over here is a continuous ping running so what I'm going to do is just actually reboot this firewall and then we're just going to wait for it to come back up again well the backup firewall is now back up and running so we going to do is to plug into it nothing stands out as a problem here just looking at the dashboard and go over to our continuous ping yep it's still running that's not surprising really because well the primary firewall is the act of firewall now what we can do apart from just looking on the dashboard here is if you go over to system and then High availability and then status it'll come back with details about that backup firewall that we've got including details about the actual cord version now what we want to do is check well is the firewall still going to work if it's running on this new code version so what we can do is to swap over the rules so to do that on the primary we're going to go to interfaces virtual IPS and then we're going to click on status here and then we've got this option here inter persistent C maintenance mode in other words we're really putting the actual fire wall in maintenance mode so we'll click that you can see that the actual carb demotion level has gone up to 240 and it's automatically showing us that this is now the backup firewall if you go over to the actual backup firewall if I just Refresh on the dashboard I can tell this one's now taken over as the active firewall so you can now do all of your testing make sure that things do seem to work while you're running on this particular firewall with this newer cord version now if something were to go wrong you can basically take this one out of maintenance mode and do what you can to fix this particular firewall which might include installing the 
older version of code on it for instance or trying to look into fixing whatever the bug is and that sort of thing but as long as this firewall is functioning then you can leave this one running as the act of firewall then what you can do is update the code on the actual primary fight wall now so to do that well this one again doesn't actually need updating but you would go to system firmware click on status and go through the motion of updating the code but once it's ready you would reboot the actual firewall so power reboot in this case then I'll click on yes so now I've rebooted the primary firewall but if I go back to my continuous ping yeah it's still running cuz now the actual backup firewall is the active firewall so we just need to wait for this one to come back up again well the primary firewall is now back up and running so we're going to log back into this one and we'll do some checks to make sure that it seems to be okay so the services seem to be functioning fine links are up we're still in backup mode just double check on the actual backup firewall as well Yep this this one is still the after firewall and a continuous ping is still running the only thing is if you come back to this primary firewall here it's sitting in maintenance which means we don't have any redundancy so we need to take this out of maintenance mode so we're going to go to interfaces then we'll click on uh virtual light PS then we'll click on status and then we'll tell it to leave persistent cart maintenance mode so this has gone down from 240 to 0 it's still showing that it's in a status of backup but if we click on refresh it's now actually saying that it's the master come back to our backup file wall click on refresh and now it's the backup firewall so again we'll just double check yeah we've got a continuous ping going so they should be pretty seamless assuming you don't run into any software bugs for example but all the same these are one of those situations where you still want 
to be prepared and War users well ahead of time just in case there is a potential outage even if you have an existing open sense firewall which is running as a standalone firewall you can still make it redundant and the setup process for this isn't too difficult however there's no warning in the documentation or at least none that I found that configuration changes and not synced automatically now this is the potential for you to end up in a situation where the primary firewall fails and users can't get access to resources because the backup firewall is out of the date it's not really a showstopper though because you can't set up a Cron job for instance to back up the configuration once every day out of hours and once per day does seem to be the suggested inil of course this is still better than having no redundancy at all but it would be good to develop the habit of manually syncing the configs every time you make a change sometimes you will get warnings to do this but sometimes you don't so it's better if manual updates becomes second nature now I did run into some strange problems with cup while recording this video but oddly enough I've only seen these while I was actually recording it doesn't caus any significant problems and could work around it but when this happened I noticed messages in the log saying PF sync bulk F now I haven't seen a fix for this or I have seen comments that changing from unicasting to multicasting in the PF sync configuration might help since the documentation shows a unicast setup and the errors weren't frequent i' be inclined to leave these settings as is unless the problems worsen but from what I could tell this redundancy is definitely something worthwhile setting up now if you find this video to be useful then do consider subscribing to the channel as that would really mean a lot to me but it's also a good indicator to let me know how videos like this are helpful to people such as yourselves that are watching in which case thank 
you on the other hand if you're not ready for that level of commitment then I'd really appreciate it if you could press the like button is that way that'll help to get the video out to other people that might find it useful as well
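As an added example that is not part of the video: the log sifting described above (filtering the General log for "carp", and the "pfsync bulk" messages mentioned at the end) can be turned into a small Python check that summarises CARP state transitions, counts preemptions and pfsync bulk-update failures, and flags a VHID that flaps repeatedly. The log lines, hostname and interface names below are constructed for the example, in the FreeBSD kernel message format, and are not taken from the video.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the FreeBSD kernel format that OPNsense
# shows under System > Log Files > General. Made up for this example;
# host "fw1" and interfaces "vtnet1"/"vtnet2" are assumptions.
SAMPLE_LOG = """\
2024-03-04T02:00:01 fw1 kernel: carp: VHID 1@vtnet1: INIT -> BACKUP
2024-03-04T02:00:04 fw1 kernel: carp: VHID 1@vtnet1: BACKUP -> MASTER (preempting a slower master)
2024-03-04T02:00:04 fw1 kernel: pfsync: failed to receive bulk update
2024-03-04T02:00:09 fw1 kernel: carp: VHID 1@vtnet1: MASTER -> BACKUP (more frequent advertisement received)
2024-03-04T02:00:12 fw1 kernel: carp: VHID 1@vtnet1: BACKUP -> MASTER (preempting a slower master)
2024-03-04T02:00:15 fw1 kernel: carp: VHID 2@vtnet2: BACKUP -> MASTER (master timed out)
2024-03-04T02:00:20 fw1 kernel: vtnet1: link state changed to UP
"""

# "carp: VHID <id>@<iface>: <old> -> <new> (<reason>)"; the reason is optional.
CARP_RE = re.compile(r"carp: VHID (\d+)@(\S+): (\w+) -> (\w+)(?: \((.*)\))?")
PFSYNC_BULK_RE = re.compile(r"pfsync: failed to receive bulk update")


def analyse_ha_log(log_text, flap_threshold=3):
    """Summarise CARP state changes and pfsync bulk-update failures.

    A VHID with at least ``flap_threshold`` transitions is reported as
    flapping, which is the case where disabling preemption is usually wanted.
    """
    transitions = defaultdict(int)
    last_state = {}
    preemptions = 0
    bulk_failures = 0
    for line in log_text.splitlines():
        m = CARP_RE.search(line)
        if m:
            vhid, iface, _old, new, reason = m.groups()
            key = f"{vhid}@{iface}"
            transitions[key] += 1
            last_state[key] = new
            if reason and "preempting" in reason:
                preemptions += 1
        elif PFSYNC_BULK_RE.search(line):
            bulk_failures += 1
    flapping = sorted(k for k, n in transitions.items() if n >= flap_threshold)
    return {"last_state": last_state, "transitions": dict(transitions),
            "preemptions": preemptions, "pfsync_bulk_failures": bulk_failures,
            "flapping": flapping}


if __name__ == "__main__":
    for key, value in analyse_ha_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real export of the General log to get the same summary; the thresholds are deliberately conservative and can be tightened for a quieter environment.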
Info
Channel: Tech Tutorials - David McKone
Views: 972
Keywords: opnsense carp, opnsense high availability, opnsense high availability setup, opnsense firewall high availability, opnsense redundancy, opnsense cluster, opnsense ha, opnsense ha setup
Id: IWt3_K-12Ys
Length: 93min 7sec (5587 seconds)
Published: Mon Mar 04 2024