pfBlocker and High Availability CARP working?

iorx

HI!

I've found very little on this subject. Have a working High avail running and on my way to install pfBlocker.
As said, not much found when searching on the topic (or my google-fu and search keywords was of).

Any problem implementing this?
Should I go for devel or stable?

Brgs,

BBcan177

@iorx

Devel has changes to DNSBL/HA sync.

There is a beta option in the DNSBL Tab, so if you want to test that out would be appreciated.

iorx

OK.

To risky to try out at a small customer of mine? Any particular feature to stay away from?

talaverde

I've configured the pfBlockerNG CARP/XMLRPC Sync configuration. As far as I can tell, it's working. However, without any documentation, I can be sure what all should be synchronizing. The main page syncs. If I enable/disable pfB, or if I change the log count(s), However, the selected feeds or feed configurations do not sync. Based on that, I'm sure the updates don't sync either. I'm very happy and grateful that this feature is being developed. However, as it is, it's not very useful. I have to check each setting on both node as I can be 100% sure the settings will sync (aside from the main page).

If it's possible to provide some sort of documentation on the details of this feature and/or enable this sync in more areas of pfB, that would be great.

Thanks!

BBcan177

@talaverde said in pfBlocker and High Availability CARP working?:

I've configured the pfBlockerNG CARP/XMLRPC Sync configuration. As far as I can tell, it's working. However, without any documentation, I can be sure what all should be synchronizing. The main page syncs. If I enable/disable pfB, or if I change the log count(s), However, the selected feeds or feed configurations do not sync. Based on that, I'm sure the updates don't sync either. I'm very happy and grateful that this feature is being developed. However, as it is, it's not very useful. I have to check each setting on both node as I can be 100% sure the settings will sync (aside from the main page).
If it's possible to provide some sort of documentation on the details of this feature and/or enable this sync in more areas of pfB, that would be great.

The HA Sync above is something different than XMLRPC sync.

When you use the Sync tab, it will push all your settings to the sync'd hosts. It won't push the downloaded feeds etc.

There is an option to bypass the sync of the General and DNSBL Tab. The next release will also add the IP tab to the list of optional tabs to sync.

The code for the config settings to be sync'd is here:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L7976-L8022

talaverde

Cool. Thanks for that...

While I'm tech savvy and and know quite a bit about the general configuration of pfSense, I haven't learned how to install code like this. Can you point me to a thread, link, KB, or hint on how to load this? If not available, can you give me a general outline? With some basic steps, I can, likely, figure it out.

My guess... upload a file with this code and run it (after a backup). I just need some guidance on the file name and a bit more detail on the steps would make me feel more confident with changing my firewall.

Thanks again.

BBcan177

@talaverde said in pfBlocker and High Availability CARP working?:

While I'm tech savvy and and know quite a bit about the general configuration of pfSense, I haven't learned how to install code like this. Can you point me to a thread, link, KB, or hint on how to load this? If not available, can you give me a general outline? With some basic steps, I can, likely, figure it out.
My guess... upload a file with this code and run it (after a backup). I just need some guidance on the file name and a bit more detail on the steps would make me feel more confident with changing my firewall.

You don't need to install that code. I am linking to the existing code which shows which parts of the configuration are being sync'd to the other hosts.

When you posted this question, I realized that one section of the code could be improved. And that these new changes will be included in the next release. This however, shouldn't impact your concerns.

talaverde

@bbcan177 said in pfBlocker and High Availability CARP working?:

When you posted this question, I realized that one section of the code could be improved. And that these new changes will be included in the next release. This howe

Ah, I get it now. Thanks.

JeGr

@bbcan177 said in pfBlocker and High Availability CARP working?:

When you use the Sync tab, it will push all your settings to the sync'd hosts. It won't push the downloaded feeds etc.

If I understand that correct that means all settings from the package are XMLRPC sync'ed to the standby node, but not the resulting files and lists. But as the standby should also have sync'ed the cron settings et al it should update those lists and settings on its own, shouldn't it?

As I'm about to configure pfBNG-devel to a cluster in a few hours, that one (or best practice) would be good to know ;)

Greets

BBcan177

@jegr said in pfBlocker and High Availability CARP working?:

If I understand that correct that means all settings from the package are XMLRPC sync'ed to the standby node, but not the resulting files and lists. But as the standby should also have sync'ed the cron settings et al it should update those lists and settings on its own, shouldn't it?
As I'm about to configure pfBNG-devel to a cluster in a few hours, that one (or best practice) would be good to know ;)

Yes exactly.

Also, in the DNSBL tab there is a new beta option for the DNSBL VIP for HA setups so that only the active system has the DNSBL VIP active. So that is the part that I'm looking to have tested.

JeGr

@bbcan177 said in pfBlocker and High Availability CARP working?:

So that is the part that I'm looking to have tested.

Will gladly do so and report findings.

talaverde

One thing I just observed that may be worth noting. The CARP Virtual IP for 'pfB DNSBL' kept changing it's VHID Group back to '1'. I have four virtual IPs. I tried to make it '4', but it would change back to 1 after a few moments. I finally gave in, leaving it at '1', then changing the other three to something else. Not a big deal, but might be worth investigating.

talaverde

I've noticed since the update, Sync / CARP is not working for pfB. I may have something configured wrong, but I can't get it to work anymore. I'm using the same settings as before.

A related question, How does the 'VIP Address Type' setting tie in with the 'Sync' tab. if CARP is selected, is that tab unused? Which is best? The CARP option is 'beta', so I suppose the sync tap is best, but how how the options compare?

At the moment, neither option works, so I think that's the first priority.

Thanks.

JeGr

@talaverde In my understanding Sync is exactly that - sync to peer. CARP is the setup of the needed DNSBL IP in a cluster scenario so the active node has the necessary IP available to rewrite DNSBL hits. It's not one or the other, it's both needed :)

talaverde

@jegr Gotcha. So, should I configure both nodes, each pointing to each other? With the main pfSense XMLRPC Sync, only the primary node is configured. Would this be the same with the pfB 'sync' tab? Or, as initially mentioned in this message, should I have both nodes configured to sync to each other? (I hope that makes sense). thanks.

JeGr

@talaverde said in pfBlocker and High Availability CARP working?:

@jegr Gotcha. So, should I configure both nodes, each pointing to each other? With the main pfSense XMLRPC Sync, only the primary node is configured. Would this be the same with the pfB 'sync' tab? Or, as initially mentioned in this message, should I have both nodes configured to sync to each other? (I hope that makes sense). thanks.

Aye, pfSense Sync is always Master to Standby not the other way round. There's only one case I'm aware (the top part of the HA sync - pfsync settings) that actually speaks with each other rather than master to standby. So configure pfBNG to replicate from master to standby node (use sync settings would be easiest) and the standby node should receive the configuration for the package :)