OpenVPN client for site2site on a multiwan and HA/CARP setup
-
Running pfSense 2.3.2-RELEASE-p1 at a few remote sites, each with a pair of firewalls leveraging CARP and multiwan. It seems that multiwan and HA/CARP are mutually exclusive when running an OpenVPN client on the firewalls. Within the OpenVPN client config, you can either select a CARP interface or a gateway group. My initial configuration had the interface specified as the CARP, as I wanted the OpenVPN client to follow whichever was the master firewall. But in a multiwan setup, there doesn't seem to be a hook (unless I'm missing it) to have the OpenVPN client reconfigure during a gateway change with CARP as the interface. Since we've had more issues with failing ISP connections than with the firewalls themselves, my config now uses the gateway group as the interface. The only semi-bulletproof solution I can come up with is to remove the OpenVPN client from the firewalls and place it on a separate system inside. Space and resource limitations make that restrictive, though. Is there something that I'm not seeing? Perhaps a custom hook to react to multiwan changes?
Thanks
Peter -
OpenVPN client should work just fine with a gateway group.
Did you set the CARP VIPs in the gateway group settings?
The interface on the OpenVPN client should be the failover gateway group.
When the Tier 1 ISP fails, the OpenVPN client will be reconfigured to use the Tier 2 WAN and should automatically reconnect.
The reverse should happen when Tier 1 recovers.
This is distinct from HA/CARP. When an HA failover occurs the OpenVPN client will be stopped on the failed unit and started on the new master. It will use the same multi-wan configuration as the primary since they should be identical.
Some of this might change if you do not have the requisite 3 public IP addresses on both WANs. But it might even work with only one as long as the CARP VIPs are selected in the gateway group settings.
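The check the thread converges on (OpenVPN client bound to a failover gateway group, and every member of that group riding on a CARP VIP rather than the bare interface address) is easy to get half right, as the follow-up post shows. The script below is an added example, not something from this thread or from the pfSense project: it audits a config.xml export for exactly that mismatch. Its view of the file layout is an assumption and should be verified against your own export: gateway group members stored as `<item>GATEWAY|TIER|VIP</item>` with VIP either the literal `address` or a `_vip<uniqid>` reference to a CARP VIP, and an OpenVPN client's `<interface>` holding either an interface name or a gateway group name. The embedded sample config is constructed.

```python
"""Audit a pfSense config.xml export for OpenVPN clients whose failover
gateway group still has a member bound to the interface address instead of
a CARP VIP (the mismatch discussed in the thread).

ASSUMED config.xml layout (not taken from the thread; verify on your export):
  <gateway_group><item>GATEWAYNAME|TIER|VIP</item>...</gateway_group>
      VIP is "address" (use the interface address) or "_vip<uniqid>"
  <openvpn-client><interface>IFNAME-or-GROUPNAME</interface>...
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one CARP VIP on WAN, none on WAN2; the failover
# group has WAN on the VIP but WAN2 still on the bare interface address.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <subnet>203.0.113.10</subnet>
      <uniqid>5a1b2c3d4e5f6</uniqid>
    </vip>
  </virtualip>
  <gateways>
    <gateway_item><interface>wan</interface><name>WANGW</name></gateway_item>
    <gateway_item><interface>opt1</interface><name>WAN2GW</name></gateway_item>
    <gateway_group>
      <name>ISP_FAILOVER</name>
      <item>WANGW|1|_vip5a1b2c3d4e5f6</item>
      <item>WAN2GW|2|address</item>
      <trigger>down</trigger>
    </gateway_group>
  </gateways>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <description>site2site to HQ</description>
      <interface>ISP_FAILOVER</interface>
    </openvpn-client>
  </openvpn>
</pfsense>
"""


def audit_openvpn_clients(config_xml: str) -> list:
    """Return one finding string per problem; an empty list means every
    OpenVPN client is bound to a gateway group whose members all use a
    known CARP VIP, i.e. the layout the thread settles on."""
    root = ET.fromstring(config_xml)

    # uniqids of CARP VIPs, so a "_vip..." reference can be validated.
    carp_uniqids = {
        vip.findtext("uniqid", "")
        for vip in root.iterfind("./virtualip/vip")
        if vip.findtext("mode") == "carp"
    }

    # gateway group name -> list of (gateway, tier, vip) member tuples
    groups = {}
    for group in root.iterfind("./gateways/gateway_group"):
        members = []
        for item in group.iterfind("item"):
            parts = (item.text or "").split("|")
            if len(parts) != 3:
                continue  # malformed entry; skip rather than guess
            members.append(tuple(parts))
        groups[group.findtext("name", "")] = members

    findings = []
    for client in root.iterfind("./openvpn/openvpn-client"):
        label = "OpenVPN client %s (%s)" % (
            client.findtext("vpnid", "?"), client.findtext("description", ""))
        bound_to = client.findtext("interface", "")
        if bound_to not in groups:
            # Bound to a single interface or VIP: it will not follow a WAN failover.
            findings.append("%s: interface '%s' is not a gateway group; "
                            "it will not follow a WAN failover" % (label, bound_to))
            continue
        for gateway, tier, vip in groups[bound_to]:
            if vip == "address":
                findings.append("%s: group '%s' tier %s (%s) uses the interface "
                                "address, not a CARP VIP; after failover the tunnel "
                                "is tied to one node only" % (label, bound_to, tier, gateway))
            elif vip.startswith("_vip") and vip[4:] not in carp_uniqids:
                findings.append("%s: group '%s' tier %s (%s) references unknown "
                                "CARP VIP '%s'" % (label, bound_to, tier, gateway, vip))
    return findings


if __name__ == "__main__":
    for line in audit_openvpn_clients(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against the sample and it flags only the tier 2 member; point it at a real export (`Diagnostics > Backup & Restore`) on both HA nodes, since the two configs are supposed to be identical and a finding on just one of them is itself worth knowing about.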
-
Derelict,
I think you nailed it with the CARP interface specified in the gateway group. I had one of them set and the other was using the interface, not the CARP. I must have adjusted it through my tinkering, and the several layers of disconnection between the VPN client and that config never had me check again. Going to test during a maintenance window or if we lose an ISP, whichever happens first.
Thanks
Peter