opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

[FR] HA sync Interfaces too #4601

Closed colttt closed 3 years ago

colttt commented 3 years ago

Is your feature request related to a problem? Please describe. At the moment, if we have HA enabled and need a new interface, we must add it on both machines. It would be nice if this happened automatically, maybe by default or with a checkbox like "add this automatically".

Describe the solution you'd like. Automatically sync the interfaces; this makes it easier to administer OPNsense in bigger environments with a lot of interfaces/VLANs.

Describe alternatives you considered.

We need to add this manually.

AdSchellevis commented 3 years ago

The problem with interfaces is that they often contain static configuration which is only valid on one of the machines at a time, so we can't just sync interfaces because it would lead to broken setups. If the interface is only a placeholder (link) between the physical interface and the internal name, it could work, but it is more difficult to explain to the average user.

colttt commented 3 years ago

What do you mean by static config? (How do others, like Sophos or Checkpoint, solve this?)

Besides that, let's extend the FR to "sync everything" so that we have a full copy of one machine.

AdSchellevis commented 3 years ago

I'm not sure what you mean, but at first glance it's unlikely to work (at least in our CARP-based setup). There's always some basic setup involved (I guess that's the same at Sophos and Checkpoint; in our case interfaces are these basics since they contain the standard IP configuration).

mimugmail commented 3 years ago

The problem here is that FW1 can never predict which IP address FW2 should get. Let's assume FW1 has 192.168.1.11; which one should FW2 get? Some could say always +1, but when it comes to WAN you often have a /28 where a couple of IPs are already in use, so +1 may already be taken.

Some vendors like Sophos use a different HA model where FW2 is always there with unconfigured interfaces and during failover the IP moves. This is not possible for systems using HA protocols like CARP, VRRP or HSRP.
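The two points made in this thread, the "placeholder (link)" sync AdSchellevis describes and the unpredictable peer address mimugmail describes, can be modelled in a few lines. This is an added illustration, not OPNsense code; the field names loosely follow config.xml interface entries, and the split into link fields and node-specific fields is an assumption of the example.

```python
import ipaddress

# Constructed example. Field names loosely follow OPNsense's config.xml
# <interfaces> entries (if, descr, enable, ipaddr, subnet); the split into
# "link" and "node" fields is this example's own, not OPNsense's.
LINK_FIELDS = ("if", "descr", "enable")   # safe to copy to the peer
NODE_FIELDS = ("ipaddr", "subnet")        # static, valid on one node only

def naive_sync(primary):
    """Copy every interface verbatim, addresses included."""
    return {name: dict(cfg) for name, cfg in primary.items()}

def placeholder_sync(primary, secondary):
    """Copy only link fields; keep the peer's own addressing. Interfaces that
    are new on the primary arrive without an address and are reported."""
    merged, incomplete = {}, []
    for name, p in primary.items():
        s = secondary.get(name, {})
        entry = {k: p[k] for k in LINK_FIELDS if k in p}
        entry.update({k: s[k] for k in NODE_FIELDS if k in s})
        if any(k not in entry for k in NODE_FIELDS):
            incomplete.append(name)
        merged[name] = entry
    return merged, incomplete

def address_conflicts(a, b):
    """Interfaces on which both nodes would bring up the same static IP."""
    return sorted(n for n in a if n in b and a[n].get("ipaddr")
                  and a[n]["ipaddr"] == b[n].get("ipaddr"))

def guess_plus_one(ipaddr, subnet, in_use):
    """The 'always +1' rule: next host address, or None when it is already
    in use or falls outside the usable range of the subnet."""
    net = ipaddress.ip_network(f"{ipaddr}/{subnet}", strict=False)
    cand = ipaddress.ip_address(ipaddr) + 1
    if cand not in net or cand == net.broadcast_address or str(cand) in in_use:
        return None
    return str(cand)

# Constructed node configs: lan/wan exist on both, opt1 only on the primary.
PRIMARY = {
    "lan":  {"if": "vtnet1", "descr": "LAN", "enable": "1", "ipaddr": "192.168.1.11", "subnet": "24"},
    "wan":  {"if": "vtnet0", "descr": "WAN", "enable": "1", "ipaddr": "203.0.113.2", "subnet": "28"},
    "opt1": {"if": "vtnet1_vlan20", "descr": "VLAN20", "enable": "1", "ipaddr": "10.20.0.11", "subnet": "24"},
}
SECONDARY = {
    "lan":  {"if": "vtnet1", "descr": "LAN", "enable": "1", "ipaddr": "192.168.1.12", "subnet": "24"},
    "wan":  {"if": "vtnet0", "descr": "WAN", "enable": "1", "ipaddr": "203.0.113.4", "subnet": "28"},
}

if __name__ == "__main__":
    print("naive sync conflicts:", address_conflicts(naive_sync(PRIMARY), PRIMARY))
    merged, todo = placeholder_sync(PRIMARY, SECONDARY)
    print("placeholder conflicts:", address_conflicts(merged, PRIMARY), "needs address:", todo)
    print("+1 on WAN /28 with .3 taken:", guess_plus_one("203.0.113.2", "28", {"203.0.113.3"}))
```

The naive copy gives both nodes the same address on every interface, while the placeholder merge keeps the peer's addressing and only reports the new interface as needing one.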

OPNsense-bot commented 3 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.