Vezpi/Blog
1
0
Fork 0
Code Issues 2 Pull Requests Actions Wiki Activity

Auto-update blog content from Obsidian: 2025-11-12 20:19:17
All checks were successful
Blog Deployment / Check-Rebuild (push) Successful in 6s
Details
Blog Deployment / Build (push) Has been skipped
Details
Blog Deployment / Deploy-Staging (push) Successful in 10s
Details
Blog Deployment / Test-Staging (push) Successful in 2s
Details
Blog Deployment / Merge (push) Successful in 6s
Details
Blog Deployment / Deploy-Production (push) Successful in 9s
Details
Blog Deployment / Test-Production (push) Successful in 2s
Details
Blog Deployment / Clean (push) Has been skipped
Details
Blog Deployment / Notify (push) Successful in 2s
Details

Browse Source
This commit is contained in:
Gitea Actions
2025-11-12 20:19:17 +00:00
parent c87b9f4bc9
commit b801726508
2 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
content/post/15-migration-opnsense-proxmox-highly-available.md
View File

@@ -56,13 +56,13 @@ I also create the `vlan44` for the *pfSync* VLAN, then I apply this configuratio
Now that the VLAN configuration is done, I can start buiding the virtual machines on Proxmox.
The first VM is named `cerbere-head1` (I didn't tell you? My current firewall is named `cerbere`, it makes even more sense now!) Here are the settings:
- OS type: Linux
- OS type: Linux (even if OPNsense is based on FreeBSD)
- Machine type: `q35`
- BIOS: `OVMF (UEFI)`
- Disk: 20 GiB on Ceph distributed storage
- RAM: 4 GiB RAM, ballooning disabled
- CPU: 2 vCPU
- NICs:
- NICs, firewall disabled:
1. `vmbr0` (*Mgmt*)
2. `vlan20` (*WAN*)
3. `vlan13` *(User)*
@@ -186,8 +186,8 @@ Vérifier interface OK
tests locaux (ssh, ping) OK
Basic (dhcp, dns, internet)
DHCP OK -> Restart Unbound service
DNS NOK
DHCP OK
DNS NOK -> Restart Unbound service
Internet OK
Firewall -> Need some not critical opening
@@ -204,16 +204,26 @@ Check load (ram, cpu) -> OK
#### Failover
In - # System: High Availability: Status, Synchronize and reconfigure all
In
Every domains (reverse proxy/layer 4 proxy) give this error:
SSL_ERROR_INTERNAL_ERROR_ALERT
After checking the services synchronized thought XMLRPC Sync, Caddy and mDNS-repeater were not checked. It is because these services were installed after the initial configuration of the HA.
Anything else works apparently fine (to confirm)
While failover, the internet connection is really slow
![Pasted_image_20251107214056.png](img/Pasted_image_20251107214056.png)
#### Test proxmox full shutdown
## Problems
### Reverse Proxy
Every domains (reverse proxy/layer 4 proxy) give this error:
SSL_ERROR_INTERNAL_ERROR_ALERT
After checking the services synchronized thought XMLRPC Sync, Caddy and mDNS-repeater were not checked. It is because these services were installed after the initial configuration of the HA.
Solution: Add Caddy to XMLRPC Sync
### DNS
While failover, the internet connection is clunky, really slow
No DNS, it is always DNS
no gateway for backup node -> rework script
Solution: Enable master node as gateway when backup
### Packets Drop
Problem while pinging bastion from user vlan, some pings are lost (9%)
same while pinging the main switch
@@ -223,12 +233,16 @@ no problem towards IoT vlan
problem from mgmt to any other network
not even a single ping to dockerVM
ping problem -> disable Proxmox firewall on vmbr0 (and all interfaces) for the OPNsense VM
ping problem ->
Solution: disable Proxmox firewall on vmbr0 (and all interfaces) for the OPNsense VM
### Other
Warning rtsold <interface_up> vtnet1 is disabled. in the logs (OPNsense)
no gateway for backup node -> rework script
## Clean Up