OPNsense utilizes the Common Address Redundancy Protocol or CARP for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active.
Utilizing this powerful feature of OPNsense creates a fully redundant firewall with automatic and seamless fail-over. While switching to the backup network connections will stay active with minimal interruption for the users.
Although its not required to synchronize the configuration from the master machine to the backup, a lot of people would like to keep both systems (partially) the same.
To prevent issues spreading over both machines at the same time, we choose to only update on command (see the status page).
Our worklow looks like this:
First commit all changes to the master, then update the backup while knowing the master is still properly configured.
In case of an emergency, you should still be able to switch to the backup node when changes cause issues, since the backup machine is left in a known good state during the whole process.
If the primary firewall becomes unavailable, the secondary firewall will take over without user intervention and minimal interruption.
Virtual IPs of the type CARP (Virtual IPs) are required for this feature.
Synchronized state tables¶
The firewall’s state table is replicated to all failover configured firewalls. This means the existing connections will be maintained in case of a failure, which is important to prevent network disruptions.
OPNsense includes configuration synchronization capabilities. Configuration changes made on the primary system are synchronized on demand to the secondary firewall.
The status page connects to the backup host configured earlier and show all services running on the backup server. With this page you can update the backup machine and restart services if needed.