Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HA SYNC Question

    HA/CARP/VIPs
    4
    12
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SteveITS Rebel Alliance
      last edited by SteveITS

      We just plug them together with a patch cable also. Plus that way if the switch in the middle fails the backup router won't try to become master Having a switch in the middle is an unnecessary point of failure.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote ๐Ÿ‘ helpful posts!

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by Derelict

        Plus that way if the switch in the middle fails the backup router won't try to become master.

        The SYNC interface has no bearing on who is master and who isn't. There aren't CARP VIPs on it so it doesn't factor into that decision.

        See the sticky I wrote on all of this up there in the category ^.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @Derelict
          last edited by

          @derelict said in HA SYNC Question:

          he SYNC interface has no bearing on who is master

          d'oh! of course not sure what I was thinking. Still, we just use a patch cable as it is still one less thing to fail. :)

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote ๐Ÿ‘ helpful posts!

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            So do I. ;)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            X 1 Reply Last reply Reply Quote 0
            • X
              xlameee @Derelict
              last edited by

              @derelict it is not about failing it more about security Of what I know HA is syncing with none encrypted traffic and all of that traffic flowing around my core switch it is not a good idea

              Thank you

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Rebel Alliance @xlameee
                last edited by

                @xlameee In general even an unmanaged switch should only be sending traffic to the correct ports so unless someone's spoofing IPs (while guessing your sync subnet) or spoofing the routers' MAC addresses I'm not sure it's really much of an issue...and if they are doing that then there are other issues on your network ๐Ÿ˜€. A direct patch cable connection would remove any concern.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote ๐Ÿ‘ helpful posts!

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  I might be foolish but I trust VLANs.

                  The states that are represented by the pfsync traffic are running around in your switch already.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • X
                    xlameee
                    last edited by xlameee

                    Hello

                    I just setup direct attached line for SYNC interface and I am getting this error

                    Communications error occurred

                    A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.250.0.3:443. Error: Operation timed out @ 2019-01-03 07:49:15

                    any idea Why?

                    The card I've installed on both nodes is Chelsio CC2-N320E-SR I dedicated 1 link to each node (cxgb0) to pfSync

                    Interface name : HA_SYNC
                    NODE 1 : IP 10.250.0.2/28
                    NODE 2 : IP 10.250.0.3/28

                    All I did was to change System/High Avail.Sync

                    Synchronize interface to HA_SYNC
                    NODE 1
                    pfsync Synchronize Peer IP : 10.250.0.3
                    Synchronize Config to IP : 10.250.0.3
                    NODE 2
                    pfsync Synchronize Peer IP : 10.250.0.2

                    Then I stopped the DHCP Service on both nodes and started first the Master

                    1 Reply Last reply Reply Quote 0
                    • X
                      xlameee
                      last edited by

                      OK Never mind I solved it

                      I had to add manually rule ANY ANY on the BACKUP node in order to sync
                      actually I added IPv4 Protocol ANY - HA_SYNC to HA_SYNC any port

                      Thank you

                      I am not sure if this is the best to go but I will increase the MTU to 9000 and see if all goes well :)

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        I am not sure if this is the best to go but I will increase the MTU to 9000 and see if all goes well :)

                        That is the last thing I would do if I was in your position.

                        I would get everything working perfectly and leave jumbo frames out of the picture.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.