    Sync secondary to primary firewall?

    HA/CARP/VIPs
      Proton12 last edited by Proton12

      Bit of a strange one for you all.

      I have started a new job which has 2x pfSense firewalls in HA.
      For some reason, when they were initially installed only State Sync was set up, not Configuration Sync.

      Stranger still, all changes were made on the secondary firewall so now all sub interfaces/DHCP pools/traffic shapers/rules are configured on the secondary firewall and not showing on the primary firewall.

      Will turning Configuration Sync on from the secondary firewall to the primary firewall break anything?

      My thinking is, so long as I continue making the changes on the secondary it won't cause any issues ... but want to check with the experts before pulling the trigger!

        SteveITS @Proton12 last edited by

        Is the primary still not set to sync to the secondary? You don't want them both set to sync.

        So they are not using any of the configured stuff right now? (is the office actually using the secondary as Master?)

        An alt option would be to copy everything out of the config.xml file and paste it into the primary's file then restore that to the primary.

        Steve

        Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
        When upgrading, let it finish; do not reboot early. Allow 10-15 minutes, or more depending on packages and device speed.

          Proton12 @SteveITS last edited by

          @steveits

          All of the sub interfaces per VLAN, DHCP pools, rules etc. are all set up on the secondary firewall. Because there is currently no config sync set up, they are only visible (and working) on the secondary firewall.

          I will take a look at the xml files.

          Because it's a production environment, and I am new to pfSense, it has given me the fear!

            SteveITS @Proton12 last edited by

            Syncing the config that way I don't think would break anything. You can actually select what things to sync via the checkboxes on the HA sync configuration page. Just make sure the primary isn't set to sync to the secondary (only go one direction). After the sync that direction, and all is set up correctly, disable sync on the secondary and set the primary to sync to the secondary. Then only make config changes on the primary from then on (connect to its LAN IP, not the shared LAN IP).

            I've not tried a sync/failover setup with DHCP but there is a page on it.

            Steve

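            A pre-flight check I would run before enabling the one-way sync Steve describes, which also shows which config.xml sections his manual copy-and-restore option would have to carry across. This is an added example, not code from the thread or from pfSense; the config.xml element names (hasync, synchronizetoip, pfsyncpeerip and the section names) are my assumption about the layout, and the two config fragments are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample fragments, not real firewall exports. The element names
# (hasync, pfsyncenabled, pfsyncpeerip, synchronizetoip, and the sections below)
# are assumed; confirm them against your own Diagnostics > Backup & Restore export.
PRIMARY_XML = """<pfsense>
  <hasync><pfsyncenabled>on</pfsyncenabled><pfsyncpeerip>10.0.0.2</pfsyncpeerip></hasync>
  <vlans/>
  <filter><rule><descr>Default allow LAN</descr></rule></filter>
</pfsense>"""
SECONDARY_XML = """<pfsense>
  <hasync><pfsyncenabled>on</pfsyncenabled><pfsyncpeerip>10.0.0.1</pfsyncpeerip>
    <synchronizetoip>10.0.0.1</synchronizetoip></hasync>
  <vlans><vlan><tag>10</tag></vlan><vlan><tag>20</tag></vlan></vlans>
  <dhcpd><opt1><range><from>10.10.0.100</from></range></opt1></dhcpd>
  <filter><rule><descr>Default allow LAN</descr></rule>
          <rule><descr>VLAN10 out</descr></rule></filter>
</pfsense>"""

# Sections that XMLRPC config sync (or a manual config.xml merge) carries over.
SYNCED_SECTIONS = ("vlans", "dhcpd", "filter", "shaper", "virtualip")

def sync_target(root):
    """Peer IP this node pushes its config to, or None if config sync is off."""
    node = root.find("hasync/synchronizetoip")
    return node.text.strip() if node is not None and node.text else None

def check_sync_direction(primary_root, secondary_root):
    """Exactly one node may push config; both pushing is the case to avoid."""
    p, s = sync_target(primary_root), sync_target(secondary_root)
    if p and s:
        return "BOTH_PUSH"
    if s:
        return "SECONDARY_TO_PRIMARY"
    if p:
        return "PRIMARY_TO_SECONDARY"
    return "NO_CONFIG_SYNC"

def section_counts(root):
    """Number of entries per synced section (0 when the section is absent)."""
    return {sec: (len(root.find(sec)) if root.find(sec) is not None else 0)
            for sec in SYNCED_SECTIONS}

def sections_only_on_secondary(primary_root, secondary_root):
    """Sections with more entries on the secondary: what a one-way sync must carry."""
    pc, sc = section_counts(primary_root), section_counts(secondary_root)
    return [sec for sec in SYNCED_SECTIONS if sc[sec] > pc[sec]]

def analyse(primary_xml, secondary_xml):
    """Parse both exports and report (sync direction, sections needing sync)."""
    prim, sec = ET.fromstring(primary_xml), ET.fromstring(secondary_xml)
    return check_sync_direction(prim, sec), sections_only_on_secondary(prim, sec)
```

            Run `analyse()` on the two real exports; a `BOTH_PUSH` result means both nodes have a sync peer set and one side must be cleared before going any further.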

              Proton12 @SteveITS last edited by

              @steveits Thanks. I have read more into it and the interfaces that are in use are not even set up as CARP/Virtual IPs, just set up as an interface on the secondary firewall. Looks like I need to put more time into it and come up with a config from fresh that I am comfortable with.

                JeGr LAYER 8 Moderator @Proton12 last edited by

                @proton12 Theoretically: if there's NO config sync configured on both nodes in the HA settings but ONLY state sync (on both I hope?) to each other, then technically there's no real "primary/secondary" now until you have CARP style Virtual IPs that show as "backup" on that node. From your description I somehow doubt that, so in theory there is only state syncing in play and no roles (primary/secondary) as there's no CARP set up?

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  Proton12 @JeGr last edited by

                  @jegr Correct, it appears that pfsync/state sync was configured originally but they missed out the config sync. After that, all changes/additions were made on the secondary firewall for some reason.

                  Looking at it today, there are 5 virtual IPs/CARP IPs set up already, but the secondary firewall has been put into "Persistent CARP Maintenance Mode" at some point too.
