HA XMLRPC sync appears to “merge” but does not actually write changes on the Backup
-
@w0w in pfB the sync happens on a force reload only. There's a one line fix to have it happen at cron intervals… see this thread:
https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/50 (The line number has changed over time)
-
I will not be able to try a minimal configuration in the near future, unfortunately. But I might have some time to dig a bit deeper. For now, at least I am sure that the receiving side receives everything, and I can even see my test rule in the dump, but it is not clear why the block is not being written… Maybe it is failing a validation check.
-
If you're referring to the changes from pfBlockerNG then it's likely the cron thing already mentioned. Otherwise something else to try is temporarily removing packages from both nodes and testing.
-
@marcosm
I have removed only pfBlocker, and the configuration has synced successfully.
-
Even with synchronization completely disabled, simply having pfBlocker installed prevents synchronization between the firewalls.
-
@w0w oh do you mean any change, not just pfB? Then disregard my post above. That’s only pfB.
-
@SteveITS said in HA XMLRPC sync appears to “merge” but does not actually write changes on the Backup:
do you mean any change, not just pfB?
Exactly. Anyway it looks like this bug is related to pfB somehow.
-
It looks like config sync stops working when pfBlocker is installed on the secondary node. Even if I completely remove all pfBlocker settings, on a new install sync still stops, even when pfBlocker is not configured at all.
-
<package>
  <name>pfBlockerNG</name>
  <descr><![CDATA[Manage IPv4/v6 List Sources into 'Deny, Permit or Match' formats.<br /> GeoIP database by MaxMind Inc. (GeoLite2 Free version).<br /> De-Duplication, Suppression, and Reputation enhancements.<br /> Provision to download from diverse List formats.<br /> Advanced Integration for Proofpoint ET IQRisk IP Reputation Threat Sources.<br /> Domain Name (DNSBL) blocking via Unbound DNS Resolver.]]></descr>
  <pkginfolink>https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html</pkginfolink>
  <version>3.2.9_1</version>
  <configurationfile>pfblockerng.xml</configurationfile>
  <include_file>/usr/local/pkg/pfblockerng/pfblockerng.inc</include_file>
  <plugins>
    <item>
      <type>plugin_xmlrpc_send</type>
    </item>
    <item>
      <type>plugin_xmlrpc_recv</type>
    </item>
  </plugins>
</package>

If I remove the section shown below on the secondary firewall, sync starts working again immediately.
<plugins>
  <item>
    <type>plugin_xmlrpc_send</type>
  </item>
  <item>
    <type>plugin_xmlrpc_recv</type>
  </item>
</plugins>
-
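An added example, not part of the original posts and not pfSense's or pfBlockerNG's own code: a Python check that lists which `<package>` entries in a saved configuration register the `plugin_xmlrpc_send` / `plugin_xmlrpc_recv` hooks quoted above, and reports where two HA nodes differ. The `<pfsense><installedpackages>` wrapper and both sample configs are constructed assumptions; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Hook types taken from the <plugins> section quoted in the thread.
HOOKS = {"plugin_xmlrpc_send", "plugin_xmlrpc_recv"}

def xmlrpc_plugin_packages(config_xml):
    """Map package name -> (version, sorted XMLRPC hook types it registers)."""
    found = {}
    for pkg in ET.fromstring(config_xml).iter("package"):
        name = (pkg.findtext("name") or "").strip()
        types = {(t.text or "").strip() for t in pkg.findall("./plugins/item/type")}
        hooks = sorted(types & HOOKS)
        if name and hooks:
            found[name] = ((pkg.findtext("version") or "").strip(), hooks)
    return found

def diff_nodes(primary_xml, secondary_xml):
    """Return packages whose version or registered hooks differ between nodes."""
    a = xmlrpc_plugin_packages(primary_xml)
    b = xmlrpc_plugin_packages(secondary_xml)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

# Constructed sample configs (assumed wrapper elements; not real exports).
PRIMARY = """<pfsense><installedpackages>
  <package>
    <name>pfBlockerNG</name>
    <version>3.2.9_1</version>
    <plugins>
      <item><type>plugin_xmlrpc_send</type></item>
      <item><type>plugin_xmlrpc_recv</type></item>
    </plugins>
  </package>
</installedpackages></pfsense>"""

# Same package on the secondary after the <plugins> section was removed.
SECONDARY = """<pfsense><installedpackages>
  <package>
    <name>pfBlockerNG</name>
    <version>3.2.9_1</version>
  </package>
</installedpackages></pfsense>"""

if __name__ == "__main__":
    for name, (pri, sec) in diff_nodes(PRIMARY, SECONDARY).items():
        print(f"{name}: primary={pri} secondary={sec}")
```

Running it against exports from both nodes shows at a glance whether a package registers sync hooks on one side only, which is the state the workaround above leaves behind.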