Netgate Discussion Forum

    New IPs for sync interface

    HA/CARP/VIPs
    • jeffsmith82

      I need to change the IP addresses I have assigned to the sync interface between two HA setup boxes. What is the correct way to do this without downtime?

      I'm assuming:

      • Disable System / High Availability Sync on master.
      • Change network on both machines.
      • Change config on master to point to new slave IP address.
      • Enable the sync again.

      I have read that CARP uses the interfaces it's running on to communicate, so this should mean I don't end up with both machines claiming they own the CARP address, right?

        • jimp Rebel Alliance Developer Netgate

        The method you describe should be OK. You don't even need to disable sync if you are OK with clearing the GUI errors after, if you have any.

        I'd do it this way:

        • Change SYNC interface address on the secondary
        • Change pfsync address on the secondary's HA Settings
        • Change SYNC interface address on the primary
        • Change XMLRPC and pfsync address on the primary's HA settings
        • If you have any sync failure errors on the primary, clear them and force a new sync to be sure it's working properly.

        None of that should have any effect on your CARP traffic, which would be on all your other interfaces and not the sync interface.


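A consistency check for the end state of the steps above, as an added example that is not part of the original posts or of pfSense itself. It reads constructed `config.xml` excerpts; the element names (`pfsyncpeerip`, `synchronizetoip`), the `opt1` key for the SYNC interface and all addresses are assumptions to adjust for your own backups.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml excerpts (not from the thread). Element names and the
# "opt1" SYNC interface key are assumptions about the config layout.
PRIMARY_XML = """<pfsense>
  <interfaces><opt1><descr>SYNC</descr><ipaddr>172.16.1.2</ipaddr><subnet>24</subnet></opt1></interfaces>
  <hasync><pfsyncpeerip>172.16.1.3</pfsyncpeerip><synchronizetoip>172.16.1.3</synchronizetoip></hasync>
</pfsense>"""
SECONDARY_XML = """<pfsense>
  <interfaces><opt1><descr>SYNC</descr><ipaddr>172.16.1.3</ipaddr><subnet>24</subnet></opt1></interfaces>
  <hasync><pfsyncpeerip>172.16.1.2</pfsyncpeerip><synchronizetoip></synchronizetoip></hasync>
</pfsense>"""


def load(xml_text, sync_if="opt1"):
    """Extract the SYNC interface address and the HA peer settings of one node."""
    root = ET.fromstring(xml_text)
    ifc = root.find(f"interfaces/{sync_if}")
    addr = f"{ifc.findtext('ipaddr')}/{ifc.findtext('subnet')}"
    return {
        "iface": ipaddress.ip_interface(addr),
        "pfsync_peer": (root.findtext("hasync/pfsyncpeerip") or "").strip(),
        "xmlrpc_target": (root.findtext("hasync/synchronizetoip") or "").strip(),
    }


def check_sync_pair(primary_xml, secondary_xml, sync_if="opt1"):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    p, s = load(primary_xml, sync_if), load(secondary_xml, sync_if)
    p_ip, s_ip = str(p["iface"].ip), str(s["iface"].ip)
    problems = []
    if p["iface"].network != s["iface"].network:
        problems.append("SYNC interfaces are in different subnets")
    if p_ip == s_ip:
        problems.append("both nodes use the same SYNC address")
    if p["pfsync_peer"] != s_ip:
        problems.append("primary pfsync peer does not match secondary SYNC address")
    if p["xmlrpc_target"] != s_ip:
        problems.append("primary XMLRPC target does not match secondary SYNC address")
    if s["pfsync_peer"] != p_ip:
        problems.append("secondary pfsync peer does not match primary SYNC address")
    if s["xmlrpc_target"]:
        # The steps above set an XMLRPC address on the primary only.
        problems.append("secondary has an XMLRPC target set")
    return problems


if __name__ == "__main__":
    for line in check_sync_pair(PRIMARY_XML, SECONDARY_XML) or ["sync settings consistent"]:
        print(line)
```
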
          • jeffsmith82

          Will do your list instead :-)

          Was also going to upgrade these boxes from 2.1.2 to the latest version but I'm a bit confused about it. I was used to doing

          • remove all packages
          • updating the slave first
          • disable carp on master
          • leave slave to run for a while to make sure it's working
          • Update master

          But reading an older copy of the pfSense book, it's saying that updating the master can be preferred as it will sync changes to the slave and you don't want old config being replicated to new versions. What are the correct steps for this?

            • jimp Rebel Alliance Developer Netgate

            The correct steps today do not apply to a version that old. You will want to upgrade the primary first to avoid sync breaking the config on the secondary.

            Once you are on a current version, then there are much better update procedures for modern versions.

              • jeffsmith82

              Found the relevant docs for this: https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide and it does indeed say for anything before 2.2.5, upgrade the master first.

              Thanks for the help.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.