Sync between two pfSense firewalls
-
Hi,
I have two pfSense servers, one master and one backup.
Now I want to sync between those two firewalls. If I enable the sync on the master it works great, except that if you remove something from the master it stays on the backup, but I want it gone on the backup too.
Those firewalls are also in a failover setup.
So if the master is off, the backup takes over; this works great, but the changes I make on the backup while the master is down aren't on the master when it comes up again, so I also enabled the sync on the backup.
But now neither sync is working, and the system log shows the following message.
---
Jun 24 15:27:57 php: : Beginning XMLRPC sync to http://172.16.1.93:80.
Jun 24 15:27:57 php: : An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Jun 24 15:27:57 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Jun 24 15:27:57 php: : Beginning XMLRPC sync to http://172.16.1.93:80.
Jun 24 15:27:57 php: : An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Jun 24 15:27:57 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Jun 24 15:27:58 php: /xmlrpc.php: Disallowing CARP sync loop.
Does anybody know how to resolve this? Thanks
-
UPDATE
The only thing the backup doesn't remove when it's removed from the master is the VIP.
The other things it does delete, but still, if the backup becomes the master and I make a rule on the old backup, when the master comes up again the rule isn't on the master.
-
The rule synchronization is one way: Master > Backup.
If you create rules on the Backup they won't sync to the master.
You only set up the rule sync on the master side, to prevent a loop. The only thing that is bi-directional is the state table synchronization (pfSync). That's the one at the top of the page that defaults to multicast.
-
OK, I understand this: only if my master goes off does the backup become a master, but if I make changes there and the other master comes up again, it doesn't sync from the (master "backup") to the master.
So it can't go the other way?
So if the master is off you can't make any rules before it's up again?
Where can I find pfsync?
-
I tested it but it's not working.
If the master is off and the backup becomes the master, and I delete a rule and make a rule, then when the master comes up again the rule I deleted is back and the rule I made isn't on the master.
What am I doing wrong?
-
You misunderstand the concept.
You can only sync from a node with a lower Advertising Frequency to a node with a higher Advertising Frequency.
Just because a node is "temporarily" a master doesn't mean it syncs its stuff to the other nodes.
After all, only the node with the lowest Advertising Frequency is the "real" master (even if it's offline). Although I think if you have 3 nodes and you remove the main master and add something on the secondary master, it "should" sync to the 3rd node (the only "real" slave).
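As an added example (not code from the thread or from pfSense), the two rules given in the replies above, that config sync is one way from the node with the lowest advertising skew and that enabling it on both nodes causes a loop, expressed as a small Python topology checker, plus a parser for the XMLRPC sync messages shown in the first post's system log. The node names, the master's sync address 172.16.1.92 and the skew values are assumptions; the log lines are copied from the post. One caveat the thread does not raise: the sync target in that log is http://172.16.1.93:80, so the admin credentials and the whole configuration are pushed over cleartext HTTP, and the parser flags that as well.

```python
"""pfSense HA config-sync (XMLRPC) direction checker and log summarizer.
Added example for this thread, not pfSense code. Node names, the 172.16.1.92
address and the skew values are assumed; the log lines are copied from the post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    sync_ip: str                  # address on the sync interface (assumed)
    advskew: int                  # CARP advertising skew; lowest value wins the election
    xmlrpc_target: Optional[str]  # "Synchronize Config to IP"; None when config sync is off


def elect_master(nodes: List[Node]) -> Node:
    """CARP treats the node with the lowest skew as the 'real' master, even while it is down."""
    return min(nodes, key=lambda n: n.advskew)


def check_sync_topology(nodes: List[Node]) -> List[str]:
    """Findings against the one-way rule: the lowest-skew node pushes, config only flows
    toward higher skew, and no two nodes push to each other. Empty list means consistent."""
    findings: List[str] = []
    by_ip = {n.sync_ip: n for n in nodes}
    loops_seen: Set[frozenset] = set()
    master = elect_master(nodes)
    if master.xmlrpc_target is None:
        findings.append(f"{master.name} has the lowest skew but XMLRPC sync is disabled")
    for n in nodes:
        if n.xmlrpc_target is None:
            continue
        target = by_ip.get(n.xmlrpc_target)
        if target is None:
            findings.append(f"{n.name}: sync target {n.xmlrpc_target} is not a cluster node")
            continue
        if target.advskew <= n.advskew:
            findings.append(f"{n.name} (skew {n.advskew}) pushes to {target.name} "
                            f"(skew {target.advskew}); config only flows from lower to higher skew")
        if target.xmlrpc_target == n.sync_ip:
            pair = frozenset((n.name, target.name))
            if pair not in loops_seen:  # report each loop once, not once per direction
                loops_seen.add(pair)
                findings.append(f"sync loop: {n.name} and {target.name} both push to each other")
    return findings


# The thread's broken state: sync enabled on both nodes, each pushing to the other.
BROKEN = [Node("fw1", "172.16.1.92", 0, "172.16.1.93"),
          Node("fw2", "172.16.1.93", 100, "172.16.1.92")]
# The fix described in the replies: config sync enabled on the master only.
FIXED = [Node("fw1", "172.16.1.92", 0, "172.16.1.93"),
         Node("fw2", "172.16.1.93", 100, None)]

SYNC_START = re.compile(r"Beginning XMLRPC sync to (?P<url>\S+)\.$")
SYNC_ERROR = re.compile(r"XMLRPC sync with username (?P<user>\S+) (?P<url>\S+) "
                        r"- Code (?P<code>\d+): (?P<msg>.+)$")
LOOP_REFUSED = "Disallowing CARP sync loop"

# System log lines as posted in the thread (constructed input for this example).
SAMPLE_LOG = [
    "Jun 24 15:27:57 php: : Beginning XMLRPC sync to http://172.16.1.93:80.",
    "Jun 24 15:27:57 php: : An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload",
    "Jun 24 15:27:57 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload",
    "Jun 24 15:27:57 php: : Beginning XMLRPC sync to http://172.16.1.93:80.",
    "Jun 24 15:27:57 php: : An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload",
    "Jun 24 15:27:57 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://172.16.1.93:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload",
    "Jun 24 15:27:58 php: /xmlrpc.php: Disallowing CARP sync loop.",
]


def summarize_sync_log(lines: List[str]) -> Dict[str, object]:
    """Count sync attempts, collect (url, code, message) errors, count loop refusals
    and record any target reached over plain http://."""
    summary: Dict[str, object] = {"attempts": 0, "errors": [], "loop_refusals": 0,
                                  "cleartext_targets": set()}
    for raw in lines:
        line = raw.strip()
        if "New alert found" in line:
            continue  # notification copy of an error already counted from the php line
        m = SYNC_START.search(line)
        if m:
            summary["attempts"] += 1
            if m.group("url").startswith("http://"):
                summary["cleartext_targets"].add(m.group("url"))
            continue
        m = SYNC_ERROR.search(line)
        if m:
            summary["errors"].append((m.group("url"), int(m.group("code")), m.group("msg")))
            continue
        if LOOP_REFUSED in line:
            summary["loop_refusals"] += 1
    return summary


def diagnose(summary: Dict[str, object]) -> List[str]:
    """Turn the summary into the actions a practitioner would take."""
    notes = []
    if summary["loop_refusals"]:
        notes.append("peer refused a push as a CARP sync loop: both nodes push config; "
                     "leave XMLRPC sync enabled on the master only")
    for url in sorted({u for u, code, _ in summary["errors"] if code == 2}):
        notes.append(f"{url}: reply was not a valid XMLRPC payload (code 2); enable XMLRPC "
                     "debugging on the peer and confirm it is not also pushing")
    if summary["cleartext_targets"]:
        notes.append("sync runs over plain HTTP: admin credentials and the whole config travel "
                     "unencrypted; use HTTPS or an isolated sync link")
    return notes


if __name__ == "__main__":
    print("\n".join(check_sync_topology(BROKEN) or ["topology OK"]))
    print("\n".join(check_sync_topology(FIXED) or ["topology OK"]))
    print("\n".join(diagnose(summarize_sync_log(SAMPLE_LOG))))
```

Run as is, the checker reports the loop and the backward push for the BROKEN pair, nothing for FIXED, and the log summary yields the three notes (loop refusal, code 2 reply, cleartext target). Feed it your own cluster's `Synchronize Config to IP` settings and a `clog /var/log/system.log` excerpt to check a real pair.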