Netgate Discussion Forum

Some doubts configuring High Availability in pfSense 2.4.4.

HA/CARP/VIPs

ramses.sevilla

      Hi everybody.

I have a pfSense 2.3 system in production and I want to set up a high availability system with the same configuration.

      I have read the documentation (https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html) and I have some doubts:

• About the "XMLRPC Sync", the documentation says:
  "The configuration synchronization settings should only be enabled on the primary cluster node."

  If I only enable XMLRPC Sync, then when the primary node crashes the second node assumes the master role. If I modify the configuration while the second node is the master, and the primary node comes up again, the changes I made to the configuration while the second node had the master role will be lost, won't they?

• About the "Setup Manual Outbound NAT", the documentation says:
  Edit the automatically added rule for LAN
  Select a shared CARP virtual IP address on WAN as the Translation address
  Change the Description to refer to the rule's use of the CARP VIP if desired
  Click Save
  Repeat the rule edit for additional rules
  Click Apply changes

  I have four WAN interfaces and I have configured some IPsec VPNs with NAT that have automatically added a lot of outbound NAT rules. Do I need to modify all these rules and change "Translation > Address: Interface Address" to "Translation > Address: <CARP WANx Address>" in all outbound NAT rules?

  I have also configured two OpenVPN servers. I need to change the "Interface: <WANx Interface>" field in each server to "Interface: <CARP WANx Interface>", don't I?

      • How long does it take to replicate a change made?

      Regards,

      Ramsés

Derelict (LAYER 8, Netgate)
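The two questions above (outbound NAT rules still translating to the interface address, OpenVPN servers bound to a physical WAN instead of a CARP VIP) can be checked mechanically against a config.xml backup. This is an added example, not code from the thread or from pfSense; the config layout it assumes (CARP VIPs under virtualip/vip, an empty or absent outbound NAT <target> meaning "Interface Address", a "_vip…" value in an OpenVPN server's <interface> for a CARP VIP) and the sample config are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml (not a real export).
# Assumed layout: CARP VIPs live under virtualip/vip with <mode>carp</mode>; an outbound
# NAT rule whose <target> is empty or absent translates to "Interface Address"; an
# OpenVPN server bound to a CARP VIP stores a "_vip..." value in <interface>.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>198.51.100.10</subnet></vip>
  </virtualip>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>wan</interface><target>203.0.113.10</target><descr>LAN via CARP</descr></rule>
    <rule><interface>opt1</interface><target></target><descr>Auto created rule for ISAKMP</descr></rule>
    <rule><interface>opt1</interface><descr>IPsec NAT</descr></rule>
  </outbound></nat>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid><interface>_vip5c0ffee</interface><description>VPN via CARP</description></openvpn-server>
    <openvpn-server><vpnid>2</vpnid><interface>opt1</interface><description>VPN2</description></openvpn-server>
  </openvpn>
</pfsense>
"""


def audit_ha_config(xml_text):
    """Report everything in a config.xml export that still points at a per-node address.

    Returns the CARP VIPs found, the outbound NAT rules that do not translate to a
    CARP VIP, and the OpenVPN servers not bound to a CARP VIP. Entries in the last
    two lists only work on one node and stop working on failover.
    """
    root = ET.fromstring(xml_text)
    vips = {vip.findtext("subnet"): vip.findtext("interface")
            for vip in root.findall("virtualip/vip") if vip.findtext("mode") == "carp"}
    nat_not_on_carp = []
    for rule in root.findall("nat/outbound/rule"):
        target = (rule.findtext("target") or "").strip()  # "" means Interface Address
        if target not in vips:
            nat_not_on_carp.append((rule.findtext("interface"), rule.findtext("descr")))
    ovpn_not_on_vip = [srv.findtext("description") for srv in root.findall("openvpn/openvpn-server")
                       if not (srv.findtext("interface") or "").startswith("_vip")]
    return {"carp_vips": vips, "nat_not_on_carp": nat_not_on_carp, "openvpn_not_on_vip": ovpn_not_on_vip}


if __name__ == "__main__":
    for key, value in audit_ha_config(SAMPLE_CONFIG).items():
        print(key, value)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; every rule or server it lists is one that the documentation steps above say must be moved to a CARP VIP.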

        @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

        I have a pfSense 2.3 system in production

        Step 1: Upgrade.

        There is no step 2 until you do that.

        https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/index.html

ramses.sevilla @Derelict

@Derelict, thanks for your answer.

I am thinking about, and am testing with VMs with pfSense 2.4.4 on PROXMOX:

• Setting up two new servers with the latest pfSense version.

• Exporting the configuration of the pfSense 2.3 in production and importing this configuration on the new servers.

• Doing step 2 later.

Because of that, I have these doubts and am asking the list members.

          Regards,

          Ramses

jimp (Rebel Alliance Developer, Netgate) @ramses.sevilla

            @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

            the second node assumes the master roll and if I modify the configuration

            You never modify the secondary in areas that sync via XMLRPC. Ever. The changes will never make it back to the primary node and will be lost when the primary synchronizes.

ramses.sevilla

@jimp, thanks for your answer.

Well, then, if the primary node crashes I can't modify the config until I repair the primary node and it is up again, can I?

Is there no other way to set up the cluster to avoid this problem?

              Best regards

jimp (Rebel Alliance Developer, Netgate)

                @ramses-sevilla said in Some doubts configuring High Availability in pfSense 2.4.4.:

Well, then, if the primary node crashes I can't modify the config until I repair the primary node and it is up again, can I?

                Correct. The only thing you should be worrying about when the primary is down is fixing the primary. You could keep a record of changes and then make them again once the primary is online, but there is no way to feed those back to the repaired primary automatically.

                Is there no other way to mount the cluster to avoid this problem?

Nothing easy. You could completely change the secondary config so it becomes a new primary, but then you couldn't just turn the old primary back on, you'd have to reconfigure it as the new secondary. That's a significant amount of work, though (changing sync settings, manually adjusting IP addresses, VIPs, etc.).

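jimp's advice is to keep a record of any changes made on the secondary while the primary is down and re-apply them on the primary, because XMLRPC sync only flows primary to secondary and will overwrite them. One way to build that record is to diff the synced sections of the secondary's current config.xml against the primary's last backup. This is an added example, not code from the thread or from pfSense; the list of synced section names and the two config samples are assumed and constructed for the example, so check the real section names against the HA sync settings page before relying on it.

```python
import xml.etree.ElementTree as ET

# Top-level config.xml sections that XMLRPC sync copies primary -> secondary
# (assumed names for this example; the real list is in the HA sync settings).
SYNCED_SECTIONS = ["aliases", "filter", "nat", "ipsec", "openvpn", "virtualip", "dhcpd"]

# Constructed samples, not real exports: the primary's last backup and the secondary's
# current config after someone added an alias and a firewall rule on the secondary.
PRIMARY = """<pfsense>
<aliases><alias><name>web</name><address>203.0.113.20</address></alias></aliases>
<filter><rule><descr>Allow LAN</descr></rule></filter>
<nat><outbound><mode>hybrid</mode></outbound></nat>
<openvpn><openvpn-server><description>VPN</description></openvpn-server></openvpn>
<system><hostname>fw-primary</hostname></system>
</pfsense>"""
SECONDARY = """<pfsense>
<aliases><alias><name>web</name><address>203.0.113.20</address></alias>
<alias><name>mail</name><address>203.0.113.25</address></alias></aliases>
<filter><rule><descr>Allow LAN</descr></rule><rule><descr>Block guest</descr></rule></filter>
<nat><outbound><mode>hybrid</mode></outbound></nat>
<openvpn><openvpn-server><description>VPN</description></openvpn-server></openvpn>
<system><hostname>fw-secondary</hostname></system>
</pfsense>"""


def canonical(elem):
    """Serialize a subtree with whitespace-only text stripped, so that layout
    differences between two exports do not show up as configuration changes."""
    if elem is None:
        return ""
    for e in elem.iter():
        if e.text and not e.text.strip():
            e.text = None
        if e.tail and not e.tail.strip():
            e.tail = None
    return ET.tostring(elem, encoding="unicode")


def drifted_sections(primary_xml, secondary_xml, sections=SYNCED_SECTIONS):
    """Synced sections whose content on the secondary no longer matches the primary.
    These hold the changes that the next sync from the primary will overwrite."""
    p, s = ET.fromstring(primary_xml), ET.fromstring(secondary_xml)
    return [name for name in sections if canonical(p.find(name)) != canonical(s.find(name))]


def rules_only_on_secondary(primary_xml, secondary_xml):
    """Descriptions of firewall rules present only on the secondary, to re-create on the primary."""
    p, s = ET.fromstring(primary_xml), ET.fromstring(secondary_xml)
    on_primary = {r.findtext("descr") for r in p.findall("filter/rule")}
    return [r.findtext("descr") for r in s.findall("filter/rule") if r.findtext("descr") not in on_primary]
```

Per-node sections such as <system> are deliberately not compared, since hostnames and similar settings are expected to differ between the two nodes.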