Some doubts configuring High Availability in pfSense 2.4.4.



  • Hi everybody.

    I have a pfSense 2.3 system in production and I want to mount a high availability system with the same configuration.

    I have read the documentation (https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html) and I have some doubts:

    • About the "XMLRPC Sync", the documentation says:
    The configuration synchronization settings should only be enabled on the primary cluster node.
    

    If I only enable XMLRPC Sync, when the primary node crashes, the second node assumes the master role, and if I modify the configuration while the second node is the master, then when the primary node comes up again, the changes that I made to the configuration while the second node had the master role will be lost, won't they?

    • About the "Setup Manual Outbound NAT", the documentation says:
    Edit the automatically added rule for LAN

    Select a shared CARP virtual IP address on WAN as the Translation address

    Change the Description to refer to the rule’s use of the CARP VIP if desired

    Click Save

    Repeat the rule edit for additional rules

    Click Apply changes

    I have four WAN interfaces and I have configured some IPsec VPNs with NAT that have added a lot of NAT Outbound rules automatically. Do I need to modify all these rules and change the "Translation > Address: Interface Address" to "Translation > Address: <CARP WANx Address>" in all NAT Outbound rules?

    I have also configured two OpenVPN Servers. I need to change the "Interface: <WANx Interface>" field in each server to "Interface: <CARP WANx Interface>", don't I?

    • How long does it take to replicate a change made?

    Regards,

    Ramsés
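
Added example, not part of the original post or of pfSense: one way to audit a configuration backup for outbound NAT rules that still translate to the interface address instead of a CARP VIP on the same WAN, which is the edit the quoted documentation steps describe. The element names (`virtualip/vip`, `nat/outbound/rule`, `target`, `nonat`) are an assumed, simplified layout of a pfSense `config.xml` export, and the sample document and its addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml backup (assumed, simplified layout).
SAMPLE = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>198.51.100.10</subnet></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>203.0.113.10</subnet></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>198.51.100.20</subnet></vip>
  </virtualip>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><target></target><descr>LAN to WAN</descr></rule>
    <rule><interface>wan</interface><target>198.51.100.10</target><descr>LAN to WAN CARP</descr></rule>
    <rule><interface>opt1</interface><target>198.51.100.10</target><descr>wrong WAN VIP</descr></rule>
    <rule><interface>opt1</interface><nonat></nonat><descr>IPsec no-NAT</descr></rule>
  </outbound></nat>
</pfsense>"""

def carp_vips(root):
    """Map interface name -> set of CARP VIP addresses defined on that interface."""
    vips = {}
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("mode") == "carp":  # IP aliases and other VIP types are ignored
            vips.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    return vips

def rules_not_on_carp(config_xml):
    """Return (interface, description, translation) for every outbound NAT rule
    whose translation address is not a CARP VIP of the rule's own interface."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []
    for rule in root.findall("./nat/outbound/rule"):
        if rule.find("nonat") is not None:  # "do not NAT" rules have no translation address
            continue
        iface = rule.findtext("interface")
        target = (rule.findtext("target") or "").strip()  # empty means Interface Address
        if target not in vips.get(iface, set()):
            findings.append((iface, rule.findtext("descr"), target or "Interface Address"))
    return findings

if __name__ == "__main__":
    for iface, descr, target in rules_not_on_carp(SAMPLE):
        print(f"{iface}: '{descr}' translates to {target}")
```

Rules that translate to an alias or other non-literal target are reported as findings by this simplified check and need a manual look.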


  • LAYER 8 Netgate

    @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

    I have a pfSense 2.3 system in production

    Step 1: Upgrade.

    There is no step 2 until you do that.

    https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/index.html



  • @Derelict, thanks for your answer.

    I am thinking, and I am testing with VMs with pfSense 2.4.4 on PROXMOX:

    • To mount two new Servers with the latest pfSense version.

    • To export the configuration of the pfSense 2.3 in production and to import this configuration in the new Servers.

    • To do step 2 later.

    Because of that, I have these doubts and am asking the members of the list.

    Regards,

    Ramses


  • Rebel Alliance Developer Netgate

    @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

    the second node assumes the master role, and if I modify the configuration

    You never modify the secondary in areas that sync via XMLRPC. Ever. The changes will never make it back to the primary node and will be lost when the primary synchronizes.



  • @jimp, thanks for your answer.

    Well, then, if the primary node crashes I can't modify the config until the primary node is repaired and back up, can I?

    Is there no other way to mount the cluster to avoid this problem?

    Best regards


  • Rebel Alliance Developer Netgate

    @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

    Well, then, if the primary node crashes I can't modify the config until the primary node is repaired and back up, can I?

    Correct. The only thing you should be worrying about when the primary is down is fixing the primary. You could keep a record of changes and then make them again once the primary is online, but there is no way to feed those back to the repaired primary automatically.

    Is there no other way to mount the cluster to avoid this problem?

    Nothing easy. You could completely change the secondary config so it becomes a new primary, but then you couldn't just turn the old primary back on, you'd have to reconfigure it as the new secondary. That's a significant amount of work, though (changing sync settings, manually adjusting IP addresses, VIPs, etc.).

