Firewall rules disappear with asymmetric NICs
-
I have two pfSense 2.2 firewalls, both on Netgate APU4 hardware. The devices are identical with the exception that the backup device has an additional wireless interface that is not present in the primary device.
I'm trying to set up CARP, but if I enable firewall synchronization, any firewall rules for the wireless interface get deleted. The wireless interface is not listed in the CARP status and it doesn't have a VIP, so it isn't matching with some interface on the primary device. Is there a way I can synchronize firewall rules while leaving rules for unmatched interfaces untouched?
Thanks in advance for any assistance anyone can provide.
-
Why don't you set up the one hardware with WIFI as master?
Rules are synchronized from master to backup. So if there is no wireless interface on backup the rules will just be ignored there, but they will work on master.
-
The one without the wifi has better Internet bandwidth, and is also the owner of the IP address associated with our public services. The master is also on a business-grade Internet connection, whereas the back-up is on a consumer-grade connection. The back-up is really just there so the office can keep working when the master or its network connection is down. So, the master really needs to be the master, but it really shouldn't delete rules for interfaces it doesn't recognize.
Edit: On rereading my response, a better answer would mention that the master and backup are not physically located together. The master is in a data-center where wifi isn't an issue. The backup is located in office space, where we need wifi.
-
IP addresses for public services should be CARP VIPs, not the master's address. Otherwise a failover won't work.
I assume you will have your reasons for having the wifi installed at backup.
Since there is no way to select which rules should be synchronized and which won't, the backup rule set will always be overwritten from master by synchronization, and rules of an interface not present on backup will be deleted. So a possible workaround could be to set up a fake interface at master and define your wifi rules there.
For instance, add a VLAN on an existing interface and assign a new interface to it. Give it the same name as your wifi at backup, but no IP. Then add your rules to that interface.
-
Interesting! Thanks for the reply. I wouldn't have thought of that.
I have downtime scheduled this weekend. I'll give it a try.
-
Viragomann put me on the right track, though there was a catch. The original problem was that I wanted to perform CARP firewall rule synchronization between a master and a backup, but the backup had an extra interface (a wireless access point) the master didn't have. Consequently, the rules for the extra interface were being deleted whenever the rules synchronized. Viragomann suggested creating a dummy interface on the master for a non-existent VLAN, giving it the same name as the wireless interface on the backup firewall, and putting the rules there. The basic idea was good, but with a problem.
The problem comes in the way that the interfaces are named. When I created the dummy VLAN on the master, pfSense named it "OPT5". I then renamed it to "wireless" to match the interface name on the backup. It seems that renaming OPT5 to "wireless" is a cosmetic change only. Internally pfSense still calls it "OPT5", and all the rules are associated with "OPT5". When CARP performs the firewall synchronization, it copied all those wireless rules to the backup firewall's "OPT5", which was some other VLAN. On the backup, pfSense knows the wireless interface as "OPT4". I had to delete everything on the master firewall associated with OPT4 and above, and recreate them in the right order so that their internal "OPT" names aligned with the ones on the backup firewall. Once I did that, synchronization worked great.
Thanks, Viragomann, for putting me on the right path.
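A pre-sync check for the naming catch described in the thread, as an added example that is not code from the thread or from the pfSense project: it reads the `<interfaces>` and `<filter>` sections of two config.xml files and reports every internal id (opt4, opt5, ...) that a master rule references but that is missing on the backup or carries a different description there. The config fragments are constructed to reproduce the mismatch above (master opt5 = wireless, backup opt4 = wireless); the function names are my own.

```python
# Added example: rules are bound to the internal interface id (opt5), not to
# the GUI description, so a synced rule lands on whatever the backup calls
# opt5. Compare both configs before enabling rule synchronization.
import xml.etree.ElementTree as ET

def interface_map(config_xml: str) -> dict:
    """Return {internal_id: description} from the <interfaces> section.
    An interface without <descr> shows as its upper-cased id, as in the GUI."""
    root = ET.fromstring(config_xml)
    out = {}
    for iface in root.find("interfaces"):
        out[iface.tag] = iface.findtext("descr") or iface.tag.upper()
    return out

def rule_interfaces(config_xml: str) -> set:
    """Internal ids referenced by filter rules (floating rules list several)."""
    root = ET.fromstring(config_xml)
    ids = set()
    for rule in root.iter("rule"):
        for iid in (rule.findtext("interface") or "").split(","):
            if iid:
                ids.add(iid)
    return ids

def check_sync_alignment(master_xml: str, backup_xml: str) -> list:
    """Sorted list of (internal_id, master_descr, backup_descr) mismatches.
    backup_descr is None when the id does not exist on the backup (rule would
    not apply there); a differing description means the rule would be applied
    to a different interface than the master administrator intended."""
    master, backup = interface_map(master_xml), interface_map(backup_xml)
    problems = []
    for iid in rule_interfaces(master_xml):
        if iid not in backup:
            problems.append((iid, master.get(iid), None))
        elif master.get(iid) != backup[iid]:
            problems.append((iid, master.get(iid), backup[iid]))
    return sorted(problems)

# Constructed sample configs (trimmed to the elements the check uses).
MASTER = """<pfsense><interfaces>
<wan><if>igb0</if><descr>WAN</descr></wan><lan><if>igb1</if><descr>LAN</descr></lan>
<opt4><if>igb2_vlan40</if><descr>Guest</descr></opt4>
<opt5><if>igb2_vlan999</if><descr>wireless</descr></opt5>
</interfaces><filter>
<rule><interface>lan</interface><descr>default allow LAN</descr></rule>
<rule><interface>opt5</interface><descr>wifi to internet</descr></rule>
</filter></pfsense>"""
BACKUP = """<pfsense><interfaces>
<wan><if>igb0</if><descr>WAN</descr></wan><lan><if>igb1</if><descr>LAN</descr></lan>
<opt4><if>ath0_wlan0</if><descr>wireless</descr></opt4>
<opt5><if>igb2_vlan40</if><descr>Guest</descr></opt5>
</interfaces><filter></filter></pfsense>"""

if __name__ == "__main__":
    for iid, m_descr, b_descr in check_sync_alignment(MASTER, BACKUP):
        print(f"{iid}: master='{m_descr}' backup='{b_descr}'")
```

Run it against exported config.xml backups of both units; an empty result means every rule-bearing interface id resolves to the same description on both sides.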