OPNsense utilizes the Common Address Redundancy Protocol or CARP for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active.
Utilizing this powerful feature of OPNsense creates a fully redundant firewall with automatic and seamless fail-over. While switching to the backup network connections will stay active with minimal interruption for the users.
Although its not required to synchronize the configuration from the master machine to the backup, a lot of people would like to keep both systems (partially) the same.
To prevent issues spreading over both machines at the same time, we choose to only update on command (see the status page).
Our workflow looks like this:
First commit all changes to the master, then update the backup while knowing the master is still properly configured.
In case of an emergency, you should still be able to switch to the backup node when changes cause issues, since the backup machine is left in a known good state during the whole process.
Although we advise to make sure to keep the backup machine intact during maintenance, some people prefer to keep the backup in sync on periodic intervals. For this reason we added a cron action which you can schedule yourself inon the primary node.
To use this feature, add a new cron job containing the
HA update and reconfigure backup command and a
proper schedule, once a day outside office hours is usually a safe option.
To prevent a non functional primary machine updating the active master, the
HA update and reconfigure backup
will only execute if all carp interfaces are in
If the primary firewall becomes unavailable, the secondary firewall will take over without user intervention and minimal interruption.
Virtual IPs of the type CARP (Virtual IPs) are required for this feature.
Synchronized state tables¶
The firewall’s state table is replicated to all failover configured firewalls. This means the existing connections will be maintained in case of a failure, which is important to prevent network disruptions.
OPNsense includes configuration synchronization capabilities. Configuration changes made on the primary system are synchronized on demand to the secondary firewall.
The status page connects to the backup host configured earlier and show all services running on the backup server. With this page you can update the backup machine and restart services if needed.
TipUse the refresh button to update the backup node and restart all services at once.