pfBlockerNG installation in 2 pfSense HA and CARP
-
Hello! I have 2 pfSense 2.4.4-p3 with HA and CARP.
Is it possible to install and configure pfBlockerNG on both pfSense servers? Or is there any problem in an HA and CARP pfSense infrastructure?
How to configure?
Is it configured individually in each pfSense?
Or does HA sync help me in any way?
Best regards!
-
@MerinF01 You need to install and enable pfBlockerNG on both nodes,
and configure XMLRPC sync on the primary node for the configuration synchronization:
-
Hi Viktor! Thanks for your response.
In HA configuration I'm not using admin user.
The user has "System - HA node sync" privileges.
Is it a problem for pfBlockerNG sync?
Best regards!
-
@MerinF01 said in pfBlockerNG installation in 2 pfSense HA and CARP:
Hi Viktor! Thanks for your response.
In HA configuration I'm not using admin user.
The user has "System - HA node sync" privileges.
Is it a problem for pfBlockerNG sync?
Best regards!

Of course, you can use a user with "System - HA node sync" privileges.
-
Only one question more :-) (sorry!)
I see 2 installation packages:
pfBlockerNG (2.1.4_22 version)
pfBlockerNG-devel (2.2.5_32 version)
Which one should I install in pfSense 2.4.4? What is the difference between the two?
Best regards!
-
@MerinF01 pfBlockerNG-devel contains the most recent changes.
Also update pfSense to the latest version 2.4.5-p1:
https://www.netgate.com/blog/pfsense-2-4-5-release-p1-now-available.html
-
Thanks for all Viktor.
Then I will install pfBlockerNG-devel, but at the moment I will not update to version 2.4.5.
I'm implementing a new infrastructure and installed 2.4.5 twice (VMs on Hyper-V environment). I have had serious problems with version 2.4.5 (CPU 100%, lose net packages, etc.) and I have had to finally opt for version 2.4.4, which is working fine.
I appreciate all the help you have given me.
Best regards!
-
@MerinF01 said in pfBlockerNG installation in 2 pfSense HA and CARP:
Thanks for all Viktor.
Then I will install pfBlockerNG-devel, but at the moment I will not update to version 2.4.5.
I'm implementing a new infrastructure and installed 2.4.5 twice (VMs on Hyper-V environment). I have had serious problems with version 2.4.5 (CPU 100%, lose net packages, etc.) and I have had to finally opt for version 2.4.4, which is working fine.
I appreciate all the help you have given me.
Best regards!

This issue is fixed in 2.4.5-p1:
pfSense software release version 2.4.5-p1 addresses several security issues:
Addressed an issue with large pf tables causing system instability and high CPU usage during filter reload events on some multi-CPU platforms (e.g. Hyper-V, Proxmox, some bare metal systems)
See full list of changes https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html
-
@MerinF01 said in pfBlockerNG installation in 2 pfSense HA and CARP:
I will install pfBlockerNG-devel but at the moment I will not update to version 2.4.5
Don't do that, upgrade pfSense first! Otherwise you will install packages meant for the latest version, and they might try to install other requirements like a newer version of PHP.
-
@MerinF01 Actually you can work around that also, in System/Update/Update Settings, they have left "previous stable version" as an option so you can pull packages from 2.4.4.
-
Ok! Then I install the old version of pfBlockerNG, correct? At the moment I prefer not to update pfSense. With the previous version of pfBlockerNG for 2.4.4, no problem, right?
-
@MerinF01 Right, if you set the update settings to use the previous stable version, the package manager will show you the packages for 2.4.4.