pfBlocker and High Availability CARP working?

talaverde

Cool. Thanks for that...

While I'm tech savvy and and know quite a bit about the general configuration of pfSense, I haven't learned how to install code like this. Can you point me to a thread, link, KB, or hint on how to load this? If not available, can you give me a general outline? With some basic steps, I can, likely, figure it out.

My guess... upload a file with this code and run it (after a backup). I just need some guidance on the file name and a bit more detail on the steps would make me feel more confident with changing my firewall.

Thanks again.

BBcan177

@talaverde said in pfBlocker and High Availability CARP working?:

While I'm tech savvy and and know quite a bit about the general configuration of pfSense, I haven't learned how to install code like this. Can you point me to a thread, link, KB, or hint on how to load this? If not available, can you give me a general outline? With some basic steps, I can, likely, figure it out.
My guess... upload a file with this code and run it (after a backup). I just need some guidance on the file name and a bit more detail on the steps would make me feel more confident with changing my firewall.

You don't need to install that code. I am linking to the existing code which shows which parts of the configuration are being sync'd to the other hosts.

When you posted this question, I realized that one section of the code could be improved. And that these new changes will be included in the next release. This however, shouldn't impact your concerns.

talaverde

@bbcan177 said in pfBlocker and High Availability CARP working?:

When you posted this question, I realized that one section of the code could be improved. And that these new changes will be included in the next release. This howe

Ah, I get it now. Thanks.

JeGr

@bbcan177 said in pfBlocker and High Availability CARP working?:

When you use the Sync tab, it will push all your settings to the sync'd hosts. It won't push the downloaded feeds etc.

If I understand that correct that means all settings from the package are XMLRPC sync'ed to the standby node, but not the resulting files and lists. But as the standby should also have sync'ed the cron settings et al it should update those lists and settings on its own, shouldn't it?

As I'm about to configure pfBNG-devel to a cluster in a few hours, that one (or best practice) would be good to know ;)

Greets

BBcan177

@jegr said in pfBlocker and High Availability CARP working?:

If I understand that correct that means all settings from the package are XMLRPC sync'ed to the standby node, but not the resulting files and lists. But as the standby should also have sync'ed the cron settings et al it should update those lists and settings on its own, shouldn't it?
As I'm about to configure pfBNG-devel to a cluster in a few hours, that one (or best practice) would be good to know ;)

Yes exactly.

Also, in the DNSBL tab there is a new beta option for the DNSBL VIP for HA setups so that only the active system has the DNSBL VIP active. So that is the part that I'm looking to have tested.

JeGr

@bbcan177 said in pfBlocker and High Availability CARP working?:

So that is the part that I'm looking to have tested.

Will gladly do so and report findings.

talaverde

One thing I just observed that may be worth noting. The CARP Virtual IP for 'pfB DNSBL' kept changing it's VHID Group back to '1'. I have four virtual IPs. I tried to make it '4', but it would change back to 1 after a few moments. I finally gave in, leaving it at '1', then changing the other three to something else. Not a big deal, but might be worth investigating.

talaverde

I've noticed since the update, Sync / CARP is not working for pfB. I may have something configured wrong, but I can't get it to work anymore. I'm using the same settings as before.

A related question, How does the 'VIP Address Type' setting tie in with the 'Sync' tab. if CARP is selected, is that tab unused? Which is best? The CARP option is 'beta', so I suppose the sync tap is best, but how how the options compare?

At the moment, neither option works, so I think that's the first priority.

Thanks.

JeGr

@talaverde In my understanding Sync is exactly that - sync to peer. CARP is the setup of the needed DNSBL IP in a cluster scenario so the active node has the necessary IP available to rewrite DNSBL hits. It's not one or the other, it's both needed :)

talaverde

@jegr Gotcha. So, should I configure both nodes, each pointing to each other? With the main pfSense XMLRPC Sync, only the primary node is configured. Would this be the same with the pfB 'sync' tab? Or, as initially mentioned in this message, should I have both nodes configured to sync to each other? (I hope that makes sense). thanks.

JeGr

@talaverde said in pfBlocker and High Availability CARP working?:

@jegr Gotcha. So, should I configure both nodes, each pointing to each other? With the main pfSense XMLRPC Sync, only the primary node is configured. Would this be the same with the pfB 'sync' tab? Or, as initially mentioned in this message, should I have both nodes configured to sync to each other? (I hope that makes sense). thanks.

Aye, pfSense Sync is always Master to Standby not the other way round. There's only one case I'm aware (the top part of the HA sync - pfsync settings) that actually speaks with each other rather than master to standby. So configure pfBNG to replicate from master to standby node (use sync settings would be easiest) and the standby node should receive the configuration for the package :)