Netgate Discussion Forum

2.1.5 -> 2.2 Configuration Synchronisation sets NAT Config back to default

HA/CARP/VIPs
    mjtbrady
    last edited by Feb 2, 2015, 9:27 PM

    How to recreate:

    • Starting point is two pfSense 2.1.5 with a working CARP/pfsync/XMLRPC Sync.  There are no packages installed.
    • Outbound NAT is configured as "Manual Outbound NAT rule generation" with rules to NAT on the WAN as the WAN VIP.
    • Pulling the WAN cable on the Master sees a good failover to the slave and everything still works (meaning browsing to the Internet in this test).
    • Plug the WAN cable back in and everything fails back.  All good so far.
    • Then upgrade slave to 2.2.
    • After the reboot of the slave, the NAT configuration is "correct" as viewed in the web interface.  Meaning that the Outbound NAT mode is "Manual Outbound NAT rule generation" and the rules to NAT as the WAN VIP are there.
    • Change something on the Master and save it.  Just saving the "System: High Availability Sync" page without changing anything seems to be enough.
    • The Outbound NAT configuration on the slave is now in mode "Automatic outbound NAT rule generation".
    • Pulling the WAN cable on the master sees a good failover from the CARP perspective, but there is no connectivity to the WAN.  Meaning that browsing to the Internet does not work.

    Work around:

    • On the master on the "System: High Availability Sync" page, disable "Synchronize NAT" before upgrading the slave.
    • Re-enable once the Master has been upgraded.

    It concerns me that if NAT is not syncing correctly what else isn't that I have yet to test?

    What is the correct/safe way to upgrade a 2.1.5 cluster to 2.2?  I have seen references to the "2.2 Upgrade Notes" and the "Redundant Firewalls Upgrade Guide" for this, but neither of these has anything that talks specifically about 2.2 in it. So I have gone the "Generally the recommended path for upgrading a High Availability cluster is to first upgrade the secondary node" route.

    Regards

    Mike

      mjtbrady
      last edited by Feb 3, 2015, 3:57 AM

      Answered here https://forum.pfsense.org/index.php?topic=87813.msg483500#msg483500

      This really should be in the upgrade notes.
