HA settings do not sync until you hit 'save' on the webUI
-
I'm deploying 2 preconfigured instances of pfsense on my datacenter with Ansible. For this I'm generating 2
config.xmlfiles - one for the master and a different one for the slave - and preloading them on each instance/cf/config/directory.On master's config I'm filling all the HA settings as I would on the web UI:
<hasync> <pfsyncenabled>on</pfsyncenabled> <pfsyncpeerip>192.168.200.2</pfsyncpeerip> <pfsyncinterface>opt1</pfsyncinterface> <synchronizetoip>192.168.200.2</synchronizetoip> <username>admin</username> <password>pass</password> <synchronizeusers>on</synchronizeusers> <synchronizeauthservers>on</synchronizeauthservers> <synchronizecerts>on</synchronizecerts> <synchronizerules>on</synchronizerules> <synchronizeschedules>on</synchronizeschedules> <synchronizealiases>on</synchronizealiases> <synchronizenat>on</synchronizenat> <synchronizeipsec>on</synchronizeipsec> <synchronizeopenvpn>on</synchronizeopenvpn> <synchronizedhcpd>on</synchronizedhcpd> <synchronizewol>on</synchronizewol> <synchronizestaticroutes>on</synchronizestaticroutes> <synchronizelb>on</synchronizelb> <synchronizevirtualip>on</synchronizevirtualip> <synchronizetrafficshaper>on</synchronizetrafficshaper> <synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter> <synchronizednsforwarder>on</synchronizednsforwarder> <synchronizecaptiveportal>on</synchronizecaptiveportal> </hasync>... and once both instances are up and running I can verify these settings have been applied:
However, if I navigate to
/status_carp.phpon the secondary node, no CARP interfaces appear. And it's not until I press the 'SAVE' button on master's/system_hasync.phpwhen both instances synchronize and start operating under HA terms.My question is, is there a way to avoid this manual step? Can I just run a
pfctlcommand to indicate the master node to start syncing its settings? -
Not exactly. If the config on the secondary has the right info, then a reboot should activate it all.
You could maybe run
/etc/rc.filter_synchronizefrom the primary to kick it in but that still requires taking an action on the primary.There is likely a way to initialize everything by hand but it's undoubtedly more complicated and less efficient than triggering a sync or a reboot.
It's also possible that your secondary node config is not complete, and the config sync copies over something your base config on the secondary is missing.
-
Hey @jimp, thanks for your answer!
In the secondary I'm injecting what I believe are the only required (counterpart/secondary) HA settings:
Are these sufficient? The only changes I can see after hitting sync on the webUI are:
- Replacing the bcrypt-hashes for those in the master. This might be important?
- Removing
ipsec,aliases,wolandopenvpn, empty fields. - Adding all the
vips as they're defined in the master.
Also tried rebooting them both (it's actually one of the steps I defined for the deploy process to catch up with the synthetic config) but no luck.
However, as you point out, running
rc.filter_synchronizedid work for me - I can just include it as an additional action over SSH for the master node. Nice! Was looking for something just like that.
