CARP - First pfSync removes firewall rule for pfsync interface on secondary node

  • Hi

    I recently exchanged hardware on one of our pfSense clusters. I had to remove a 4x1Gbit NIC and replace it with a 2x40Gbit NIC. As a result I had to change some VLAN settings / interface definitions in the config.xml directly to get access to the firewall again.

    Everything works well so far, Master/Backup for the different VIPs and so on.

    My pfSync interface has changed too due to the NIC restructuring. The connection between master and slave node is available, but the first "Sync" operation seems to remove the firewall rule on the current backup node that allows pfSync. I can re-create the rule and wait until the next pfSync happens; everything is synced, but the rule is deleted again. Not really satisfying. Any idea what might be missing here?

    Best regards

  • Rebel Alliance Developer Netgate

    If that happens, then your interface assignment order no longer matches. The order of interfaces must be identical on both units.

  • Well, the order is the same on both units. I checked everything so that it complies with the requirements before posting here… and I just checked again. Interfaces, LAGGs and VLANs all have the same order. Really strange.

  • Rebel Alliance Developer Netgate

    That may appear to be the case, but the internal names must not line up. Check their internal names (e.g. opt1, opt2, etc.).

  • Ahhh, OK. That was quite tricky to find because the names are not really visible anymore in the web interface, except for the link below. But I checked in the config.xml again.
    Is there any way of changing the internal names from the web interface? Or do I have to change the config.xml, or even something else?

    Many thanks for the hint!

  • Rebel Alliance Developer Netgate

    Editing the XML would be the only viable way to shift them.
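A scripted version of the check suggested in this thread, comparing the internal interface names (wan, lan, opt1, opt2, ...) in two config.xml files. This is an added example, not code from the thread or from pfSense; the two XML fragments are constructed, and the element layout (`<interfaces>` containing one element per internal name with `<if>` and `<descr>` children) is assumed to match pfSense's config.xml.

```python
"""Compare pfSense interface assignments between a primary and a secondary config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). Both nodes list the same
# interfaces in the same order and with the same descriptions, but the
# secondary node's internal names are shifted (opt2/opt3 instead of opt1/opt2).
PRIMARY_XML = """<pfsense><interfaces>
<wan><if>cxl0</if><descr>WAN</descr></wan>
<lan><if>cxl1</if><descr>LAN</descr></lan>
<opt1><if>cxl0.10</if><descr>DMZ</descr></opt1>
<opt2><if>cxl1.20</if><descr>PFSYNC</descr></opt2>
</interfaces></pfsense>"""

SECONDARY_XML = """<pfsense><interfaces>
<wan><if>cxl0</if><descr>WAN</descr></wan>
<lan><if>cxl1</if><descr>LAN</descr></lan>
<opt2><if>cxl0.10</if><descr>DMZ</descr></opt2>
<opt3><if>cxl1.20</if><descr>PFSYNC</descr></opt3>
</interfaces></pfsense>"""


def interface_map(xml_text):
    """Return [(internal_name, descr, device)] in document order."""
    root = ET.fromstring(xml_text)
    result = []
    for node in root.find("interfaces"):
        descr = node.findtext("descr", default="")
        device = node.findtext("if", default="")
        result.append((node.tag, descr, device))
    return result


def compare_assignments(primary_xml, secondary_xml):
    """Return a list of mismatches; an empty list means the nodes agree."""
    primary = interface_map(primary_xml)
    secondary = interface_map(secondary_xml)
    problems = []
    # Synced rules refer to interfaces by internal name, so a description that
    # sits under a different internal name on the backup is the mismatch to find.
    by_descr_primary = {descr: name for name, descr, _ in primary}
    by_descr_secondary = {descr: name for name, descr, _ in secondary}
    for descr, name in by_descr_primary.items():
        other = by_descr_secondary.get(descr)
        if other is None:
            problems.append(f"{descr}: missing on secondary")
        elif other != name:
            problems.append(f"{descr}: {name} on primary but {other} on secondary")
    if [n for n, _, _ in primary] != [n for n, _, _ in secondary]:
        problems.append("internal name order differs")
    return problems
```

Run it against copies of both nodes' config.xml (backed up via Diagnostics > Backup & Restore) before re-creating any rule; an empty list from `compare_assignments` means the internal names line up.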
