Sync secondary to primary firewall?
-
Bit of a strange one for you all.
I have started a new job which has 2x pfSense firewalls in HA.
For some reason when they were initially installed only State Sync was set up, not Configuration Sync. Stranger still, all changes were made on the secondary firewall so now all sub interfaces/DHCP pools/traffic shapers/rules are configured on the secondary firewall and not showing on the primary firewall.
Will turning Configuration Sync on from the secondary firewall, to the primary firewall break anything?
My thinking is, so long as I continue making the changes on the secondary it won't cause any issues ... but want to check with the experts before pulling the trigger!
-
Is the primary still not set to sync to the secondary? You don't want them both set to sync.
So they are not using any of the configured stuff right now? (is the office actually using the secondary as Master?)
An alt option would be to copy everything out of the config.xml file and paste it into the primary's file then restore that to the primary.
-
All of the sub interfaces per VLAN, DHCP pools, rules etc. are all set up on the secondary firewall. Because there is currently no config sync set up, they are only visible (and working) on the secondary firewall.
I will take a look at the xml files.
Because it's a production environment, and I am new to pfSense, it has given me the fear!
-
Syncing the config that way I don't think would break anything. You can actually select what things to sync via the checkboxes on the HA sync configuration page. Just make sure the primary isn't set to sync to the secondary (only go one direction). After the sync that direction, and all is set up correctly, disable sync on the secondary and set the primary to sync to the secondary. Then only make config changes on the primary from then on (connect to its LAN IP, not the shared LAN IP).
I've not tried a sync/failover setup with DHCP but there is a page on it.
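As an added example (not code from any poster in this thread, and not part of pfSense), the script below does offline what the two suggestions above describe: it compares two exported config.xml files to list the interfaces, DHCP pools, rules, shaper queues and virtual IPs that exist only on the secondary, and it reads each node's `<hasync>` section to report which way config sync points so you can confirm it is one direction only before enabling it. The two XML strings are constructed samples, and the section paths and the `synchronizetoip` key are assumptions about the config.xml layout; check them against a real export from your own boxes.

```python
"""Compare two pfSense config.xml exports and check which way HA config sync points.

Added example for this thread; the two XML strings are constructed samples,
not anyone's real configs. Section paths and the <hasync>/<synchronizetoip>
key are assumed to match the pfSense config.xml layout; verify against a real
export before trusting the report.
"""
import xml.etree.ElementTree as ET

# Constructed sample: primary has only the base WAN/LAN config and pfsync.
PRIMARY_XML = """<pfsense>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
  </interfaces>
  <dhcpd>
    <lan><enable/><range><from>192.0.2.100</from><to>192.0.2.200</to></range></lan>
  </dhcpd>
  <filter>
    <rule><descr>Default allow LAN to any</descr></rule>
  </filter>
  <shaper/>
  <virtualip/>
  <hasync>
    <pfsyncenabled>on</pfsyncenabled>
    <pfsyncpeerip>10.0.255.2</pfsyncpeerip>
  </hasync>
</pfsense>"""

# Constructed sample: secondary carries the VLANs, pools, rules, shaper and
# CARP VIPs that were only ever configured there, and pushes config to primary.
SECONDARY_XML = """<pfsense>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
    <opt1><if>igb1.10</if><descr>VLAN10_USERS</descr></opt1>
    <opt2><if>igb1.20</if><descr>VLAN20_SERVERS</descr></opt2>
  </interfaces>
  <dhcpd>
    <lan><enable/><range><from>192.0.2.100</from><to>192.0.2.200</to></range></lan>
    <opt1><enable/><range><from>198.51.100.50</from><to>198.51.100.250</to></range></opt1>
  </dhcpd>
  <filter>
    <rule><descr>Default allow LAN to any</descr></rule>
    <rule><descr>VLAN10 to internet only</descr></rule>
  </filter>
  <shaper>
    <queue><name>qVoIP</name></queue>
  </shaper>
  <virtualip>
    <vip><mode>carp</mode><subnet>192.0.2.1</subnet><descr>LAN CARP</descr></vip>
  </virtualip>
  <hasync>
    <pfsyncenabled>on</pfsyncenabled>
    <pfsyncpeerip>10.0.255.1</pfsyncpeerip>
    <synchronizetoip>10.0.255.1</synchronizetoip>
  </hasync>
</pfsense>"""

# Sections the thread says live only on the secondary (paths are assumed).
SECTIONS = {
    "interfaces": "interfaces/*",
    "dhcp pools": "dhcpd/*",
    "firewall rules": "filter/rule",
    "traffic shaper queues": "shaper/queue",
    "virtual IPs": "virtualip/vip",
}


def item_keys(root, path):
    """Identify each item by its tag plus the first of descr/name/subnet found."""
    keys = set()
    for el in root.findall(path):
        label = next((el.findtext(t) for t in ("descr", "name", "subnet") if el.findtext(t)), None)
        keys.add(f"{el.tag}:{label}" if label else el.tag)
    return keys


def missing_on_primary(primary_xml, secondary_xml):
    """Items present on the secondary that the primary does not have, per section."""
    primary, secondary = ET.fromstring(primary_xml), ET.fromstring(secondary_xml)
    return {name: sorted(item_keys(secondary, path) - item_keys(primary, path))
            for name, path in SECTIONS.items()}


def sync_direction(primary_xml, secondary_xml):
    """Describe which node pushes config; both pushing is the setup to avoid."""
    p_to = ET.fromstring(primary_xml).findtext("hasync/synchronizetoip") or ""
    s_to = ET.fromstring(secondary_xml).findtext("hasync/synchronizetoip") or ""
    if p_to and s_to:
        return "two-way (both nodes push; disable one side first)"
    if s_to:
        return "secondary -> primary"
    if p_to:
        return "primary -> secondary"
    return "none"


if __name__ == "__main__":
    for section, items in missing_on_primary(PRIMARY_XML, SECONDARY_XML).items():
        print(f"{section}: {len(items)} missing on primary {items}")
    print("config sync direction:", sync_direction(PRIMARY_XML, SECONDARY_XML))
```

Run it against the two exports before and after the sync: the "missing on primary" lists should empty out once the one-way sync has completed, and the direction report should read "secondary -> primary" first and "primary -> secondary" after you flip the roles and start making changes on the primary only.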
-
@steveits Thanks. I have read more into it and the interfaces that are in use are not even set up as CARP/Virtual IPs, just set up as an interface on the secondary firewall. Looks like I need to put more time into it and come up with config from fresh that I am comfortable with.
-
@proton12 Theoretically: if there's NO config sync configured on both nodes in the HA settings but ONLY state sync (on both I hope?) to each other, then technically there's no real "primary/secondary" now until you have CARP style Virtual IPs that show as "backup" on that node. From your description I somehow doubt that, so in theory there is only state syncing in play and no roles (primary/secondary) as there's no CARP set up?
-
@jegr Correct, it appears that pfsync/state sync was configured originally but they missed out the config sync. After that, all changes/additions were made on the secondary firewall for some reason.
Looking at it today, there are 5 virtual IPs/CARP IPs set up already but the secondary firewall has been put into "Persistent CARP Maintenance Mode" at some point too.