XMLRPC one to many sync



  • I have 6 pfSense boxes with identical hardware that will be deployed in different locations. All of the routers can speak to each other via OpenVPN with no issues via a hub & spoke setup. I would like to be able to mirror changes to Firewall Aliases, Firewall Rules, and DNS Resolver configs from the first router to the other 5 routers. Is there any way to do this currently with pfSense? I know I can use the XMLRPC sync from one router to another, but I would prefer not to have to daisy chain the syncs down the line in case there is a failure with one of the devices down the line.



  • I don't have a solution to achieve this, but I'd like to +1 interest in this functionality.

    Squid/Squidguard seem to allow it, just not the system xmlrpc/pfsync.


  • Rebel Alliance Developer Netgate

    There is no way to do this currently. Chaining them is the only way. Though in reality it's not quite so simple. The odds are very, very low that the aliases/rules/etc would be 100% identical on all systems and syncing this way would clobber anything custom on each site.



  • Did you try to send the updates from the master box to the slaves via a broadcast address?

    https://en.wikipedia.org/wiki/Broadcast_address

    Just an idea, but worth testing ;)


  • Rebel Alliance Developer Netgate

    If it were UDP or another stateless protocol, perhaps, but TCP doesn't work that way. TCP is unicast only.



  • OK, if it's TCP, then maybe multicast would work?

    https://en.wikipedia.org/wiki/Multicast

    "IP multicast is a technique for one-to-many communication over an IP infrastructure in a network. The destination nodes send join and leave messages, for example in the case of Internet television when the user changes from one TV channel to another. IP multicast scales to a larger receiver population by not requiring prior knowledge of who or how many receivers there are"

    Sounds like UDP broadcast with a reliable transport layer.


  • Rebel Alliance Developer Netgate

    It is TCP now. TCP is unicast only. That won't work. I doubt it will be converted to anything that would support multicast or broadcast; it's not meant to work that way.

    Eventually there will be a central management system that will make those kinds of hacks completely unnecessary.