Don’t Use A Firewall, Use 2! OpnSense High Availability Guide

“Jim’s Garage”

Part 3 of the OpnSense series covers high availability. In this video I discuss the benefits of HA in your homelab, and show how to configure it including possible network topologies.

OpnSense HA Guide:

Recommended Hardware:…

12 Comments

  1. Very helpful video. Question: What do you suggest for users who do not have an ISP router? I have fiber to my house that goes to an ONT. The ONT provides ethernet that is plugged directly into my OPNsense router on my WAN port. They did provide an Eero, but it is limited to 1G and my service is 2G.

  2. Very easy to understand, even for people like me who want to learn and don't speak very good English.
    Thanks!
    Back on topic, is there a way to avoid the double NAT (bad for online gaming) without having to pay for a second line?
    My modem/router has a 4-port switch; it is set as a bridge and it uses PPPoE to connect (from OPNsense). Do you know if it is possible to turn on the PPPoE connection on the backup when the master is down?
    Ciao Roberto

  3. Really cool Jim, every single one of your videos is relevant to different things I'm implementing in my homelab. Keep it coming! I've had a lot of issues getting things to work reliably, but that's thanks to overcomplicating everything 🙂 Nice to have clear guidance on exactly how to get things working. I find you explain all the caveats well and any question I have usually gets answered during the video.

  4. Hi Jim, cool topic and thanks for your video about it 🙂

    First, I would recommend using a smaller network for pfsync, for example "10.0.0.0/30", so you are only able to use 2 IP addresses, which is exactly what you need.

    When you have a Proxmox cluster and you want to virtualize your OPNsense, you can use the HA functionality of Proxmox. So you have backups of the VM itself and you have replications of the VM on one or two other Proxmox hosts. If a Proxmox host fails, you still have 2 other hosts running with the configured VMs (here: your firewall).
    I already had OPNsense running as a VM on Proxmox, but I currently have OPNsense installed on dedicated hardware (a small 1U server with an N5105 CPU and 16 GB RAM). Both solutions have their advantages and disadvantages. I have the same hardware twice, but the second one is not in use at the moment. Now I'm thinking of two options:
    1. Using OPNsense directly installed on hardware one, using OPNsense as DNS server with Unbound (that's what I have today) and using the second one for HA.
    2. Buying the same hardware again (then I have 3 of them), building a Proxmox cluster, installing an OPNsense VM on node 1 (with replication to nodes 2 and 3) and installing a DNS VM (BIND9 or Pi-hole) on node 2 (with replication to nodes 1 and 3). It is also possible to create a cluster with 2 of my hardware and another minimal hardware (Raspberry Pi). In this case I would only replicate between nodes 1 and 2.

    Option 2 seems more complex, but the advantage is that replication settings on Proxmox are done in 15 seconds. Another advantage is that I always use the master VM, regardless of which node the VM is currently running on.

    A disadvantage of option 1 is that if hardware 1 dies, I have to rebuild it immediately, because the second one is only a temporary master and changes to the config are not possible. It is OK for planned reboots, but in case the server crashes irreparably, this solution does not seem sophisticated or well thought out.

    One challenge is that I have my Internet connection with "Deutsche Glasfaser" and only one hardware/MAC address (connected to the ISP modem) gets a CGNAT IP address. I currently have the WAN port of the OPNsense connected to the modem. Regardless of whether I want to use option 1 or 2, there has to be a router in between (I still have a TP-Link ER605 in the closet), so that the hardware/MAC address connected to the modem does not change.

    I think option is more flexible, easier to set up, less error-prone and easier when it comes to backup and restore. I admit I've never seen that anywhere before, but that's exactly what appeals to me 🙂

  5. Can you do a video on VLANs, and are they really safe? What about VLAN hopping? What are the dangers of using VLANs?

    You mention VLANs, but are they really secure in the ways we imagine them to be?

    It would be useful, if you know about them, to cover just how secure VLANs really are, and what security features you should be using if you use them.

    Your video is a handy idea for people who have home routers

  6. Great work again Jim. When you check the boxes to sync from the master to the slave firewall, and not the other way around, that will help with the initial config sync. But if a failover happens and you make changes to the config on the 2nd firewall ("slave"), and then the 1st firewall comes back up, would that config copy over?
    Appreciate you taking the time to do this video on OPNsense.