Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Sync secondary to primary firewall?

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    7 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Proton12
      last edited by Proton12

      Bit of a strange one for you all.

      I have started a new job which has 2x pfSense firewalls in HA.
      For some reason when they were initially installed only State Sync was setup, not Configuration Sync.

      Stranger still, all changes were made on the secondary firewall so now all sub interfaces/DHCP pools/traffic shapers/rules are configured on the secondary firewall and not showing on the primary firewall.

      Will turning Configuration Sync on from the secondary firewall, to the primary firewall break anything?

      My thinking is, so long as I continue making the changes on the secondary it won't cause any issues ... but want to check with the experts before pulling the trigger!

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @Proton12
        last edited by

        Is the primary still not set to sync to the secondary? You don't want them both set to sync.

        So they are not using any of the configured stuff right now? (is the office actually using the secondary as Master?)

        An alt option would be to copy everything out of the config.xml file and paste it into the primary's file then restore that to the primary.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        P 1 Reply Last reply Reply Quote 0
        • P
          Proton12 @SteveITS
          last edited by

          @steveits

          All of the sub interfaces per VLAN, DHCP pools, rules etc are all setup on the secondary firewall. Because there is currently no config sync setup, they are only visible (and working) on the secondary firewall.

          I will take a look at the xml files.

          Because its a production environment, and I am new to pfsense, it has given me the fear!

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @Proton12
            last edited by

            Syncing the config that way I don't think would break anything. You can actually select what things to sync via the checkboxes on the HA sync configuration page. Just make sure the primary isn't set to sync to the secondary (only go one direction). After the sync that direction, and all is set up correctly, disable sync on the secondary and set the primary to sync to the secondary. Then only make config changes on the primary from then on (connect to its LAN IP, not the shared LAN IP).

            I've not tried a sync/failover setup with DHCP but there is a page on it.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            P 1 Reply Last reply Reply Quote 0
            • P
              Proton12 @SteveITS
              last edited by

              @steveits Thanks. I have read more into it and the interfaces that are in use are not even setup as CARP/Virtual IPs, just setup as an interface on the secondary firewall. Looks like I need to put more time into it and come up with config from fresh that I am comfortable with.

              JeGrJ 1 Reply Last reply Reply Quote 0
              • JeGrJ
                JeGr LAYER 8 Moderator @Proton12
                last edited by

                @proton12 Theoretically: if there's NO config sync configured on both nodes in the HA settings but ONLY state sync (on both I hope?) to each other, then technically there's no real "primary/secondary" now until you have CARP style Virtual IPs that show as "backup" on that node. From your description I somehow doubt that, so in theory there is only state syncing in play and no roles (primary/secondary) as there's no CARP set up?

                Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                P 1 Reply Last reply Reply Quote 0
                • P
                  Proton12 @JeGr
                  last edited by

                  @jegr Correct, it appears that pfsync/state sync was configured originally but they missed out the config sync. After that, all changes/additions were made on the secondary firewall for some reason.

                  Looking at it today, there are 5 virtual IPs/CARP IPs setup already but the secondary firewall has been put into "Persistent CARP Maintenance Mode" at some point too.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.