HA settings do not sync until you hit 'save' on the webUI



  • I'm deploying 2 preconfigured instances of pfSense in my datacenter with Ansible. For this I'm generating 2 config.xml files - one for the master and a different one for the slave - and preloading them in each instance's /cf/config/ directory.

    In the master's config I'm filling in all the HA settings as I would in the web UI:

    	<hasync>
    		<pfsyncenabled>on</pfsyncenabled>
    		<pfsyncpeerip>192.168.200.2</pfsyncpeerip>
    		<pfsyncinterface>opt1</pfsyncinterface>
    		<synchronizetoip>192.168.200.2</synchronizetoip>
    		<username>admin</username>
    		<password>pass</password>
    		<synchronizeusers>on</synchronizeusers>
    		<synchronizeauthservers>on</synchronizeauthservers>
    		<synchronizecerts>on</synchronizecerts>
    		<synchronizerules>on</synchronizerules>
    		<synchronizeschedules>on</synchronizeschedules>
    		<synchronizealiases>on</synchronizealiases>
    		<synchronizenat>on</synchronizenat>
    		<synchronizeipsec>on</synchronizeipsec>
    		<synchronizeopenvpn>on</synchronizeopenvpn>
    		<synchronizedhcpd>on</synchronizedhcpd>
    		<synchronizewol>on</synchronizewol>
    		<synchronizestaticroutes>on</synchronizestaticroutes>
    		<synchronizelb>on</synchronizelb>
    		<synchronizevirtualip>on</synchronizevirtualip>
    		<synchronizetrafficshaper>on</synchronizetrafficshaper>
    		<synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter>
    		<synchronizednsforwarder>on</synchronizednsforwarder>
    		<synchronizecaptiveportal>on</synchronizecaptiveportal>
    	</hasync>
    

    ... and once both instances are up and running I can verify these settings have been applied:

    [screenshot]

    However, if I navigate to /status_carp.php on the secondary node, no CARP interfaces appear. And it's not until I press the 'SAVE' button on the master's /system_hasync.php that both instances synchronize and start operating under HA terms.

    My question is, is there a way to avoid this manual step? Can I just run a pfctl command to tell the master node to start syncing its settings?


  • Rebel Alliance Developer Netgate

    Not exactly. If the config on the secondary has the right info, then a reboot should activate it all.

    You could maybe run /etc/rc.filter_synchronize from the primary to kick it in but that still requires taking an action on the primary.

    There is likely a way to initialize everything by hand but it's undoubtedly more complicated and less efficient than triggering a sync or a reboot.

    It's also possible that your secondary node config is not complete, and the config sync copies over something your base config on the secondary is missing.



  • Hey @jimp, thanks for your answer!

    In the secondary I'm injecting what I believe are the only required (counterpart/secondary) HA settings:

    [screenshot]

    Are these sufficient? The only changes I can see after hitting sync on the webUI are:

    • Replacing the bcrypt hashes with those in the master. This might be important?
    • Removing ipsec, aliases, wol and openvpn, empty fields.
    • Adding all the vips as they're defined in the master.

    Also tried rebooting them both (it's actually one of the steps I defined for the deploy process to catch up with the synthetic config) but no luck.

    However, as you point out, running rc.filter_synchronize did work for me - I can just include it as an additional action over SSH for the master node. Nice! Was looking for something just like that.
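
A pre-deploy check for the generated config.xml files discussed in this thread, as an added example that is not part of the original posts. The function name, the placeholder-password deny-list, the secondary sample (including 192.168.200.1) and the rule that a secondary carries no `synchronizetoip` are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: local deny-list of placeholder XMLRPC sync passwords.
PLACEHOLDER_PASSWORDS = {"", "pass", "password", "pfsense", "admin"}

# Constructed sample: trimmed copy of the primary's <hasync> block from the thread.
PRIMARY_XML = """<pfsense><hasync>
  <pfsyncenabled>on</pfsyncenabled><pfsyncpeerip>192.168.200.2</pfsyncpeerip>
  <pfsyncinterface>opt1</pfsyncinterface><synchronizetoip>192.168.200.2</synchronizetoip>
  <username>admin</username><password>pass</password>
  <synchronizerules>on</synchronizerules><synchronizevirtualip>on</synchronizevirtualip>
</hasync></pfsense>"""

# Constructed sample (assumption): secondary does state sync only, no config push.
SECONDARY_XML = """<pfsense><hasync>
  <pfsyncenabled>on</pfsyncenabled><pfsyncpeerip>192.168.200.1</pfsyncpeerip>
  <pfsyncinterface>opt1</pfsyncinterface>
</hasync></pfsense>"""

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_hasync(config_xml, role):
    """Return findings for the <hasync> block; role is 'primary' or 'secondary'."""
    ha = ET.fromstring(config_xml).find("hasync")
    if ha is None:
        return ["no <hasync> section"]
    get = lambda tag: (ha.findtext(tag) or "").strip()
    # Config areas the primary would push (every synchronize* flag set to 'on').
    areas = [e.tag for e in ha if e.tag.startswith("synchronize")
             and e.tag != "synchronizetoip" and (e.text or "").strip() == "on"]
    peer = get("pfsyncpeerip")
    checks = [(get("pfsyncenabled") != "on", "pfsyncenabled is not 'on'"),
              (bool(peer) and not _is_ip(peer), "pfsyncpeerip is not a valid IP"),
              (not get("pfsyncinterface"), "pfsyncinterface is empty")]
    if role == "primary":
        checks += [(not _is_ip(get("synchronizetoip")), "synchronizetoip is not a valid IP"),
                   (not get("username"), "XMLRPC username is empty"),
                   (get("password").lower() in PLACEHOLDER_PASSWORDS,
                    "XMLRPC password is empty or a placeholder"),
                   (not areas, "no synchronize* area is enabled")]
    else:
        checks.append((bool(get("synchronizetoip")),
                       "secondary must not push config (synchronizetoip set)"))
    return [msg for failed, msg in checks if failed]
```

Run against the primary block posted above, it reports only the placeholder sync password; the same block templated onto the secondary is flagged because it would push config back to the primary.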

