New IPs for sync interface



  • I need to change the IP addresses i have assigned to the sync interface between two HA setup boxes. What is the correct way to do this without downtime ?

    I'm assuming

    Disable System / High Availability Sync on master.
    change network on both machines
    change config on master to point to new slave ip address.
    enable the sync again.

    I have read that carp uses the interfaces it's running on to communicate so this should mean I don't end up with both machines claiming they own the CARP address right ?


  • Rebel Alliance Developer Netgate

    The method you describe should be OK. You don't even need to disable sync if you are OK with clearing the GUI errors after, if you have any.

    I'd do it this way:

    • Change SYNC interface address on the secondary
    • Change pfsync address on the secondary's HA Settings
    • Change SYNC interface address on the primary
    • Change XMLRPC and pfsync address on the primary's HA settings
    • If you have any sync failure errors on the primary, clear them and force a new sync to be sure it's working properly.

    None of that should have any effect on your CARP traffic, which would be on all your other interfaces and not the sync interface.



  • Will do you list instead :-)

    Was also going to upgrade these boxes from 2.1.2 to the latest version but i'm a bit confused about it. I was used to doing

    • remove all packages
    • updating the slave first
    • disable carp on master
    • leave slave to run for a while to make sure its working
    • Update master

    But reading an older copy of the pfsense book its saying that updating the master can be preferred as it will sync changes to the slave and you don't want old config being replicated to new versions. What is the correct steps for this ?


  • Rebel Alliance Developer Netgate

    The correct steps today do not apply to a version that old. You will want to upgrade the primary first to avoid sync breaking the config on the secondary.

    Once you are on a current version, then there are much better update procedures for modern versions.



  • Found the relevant docs for this https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide and it does indeed say for anything before 2.2.5 upgrade the master first.

    thanks for the help


Log in to reply