Issue with XMLRPC after adding a NAT rule

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 18:53:39 GMT

mattiav — Thu, 14 Apr 2022 18:53:39 GMT

@viragomann
i think it's that
https://forum.netgate.com/topic/150505/xmlrpc-restore_config_section-error

because my rule to NAT with CARP ip make the backup node not able to reach the gateway
so as it explain on that like you sent

Filter reload sees the down gateway and resets states, terminating the connection currently used for XMLRPC.

it make sense
Thanks you very much, i think you resolve my issue :)

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 18:24:25 GMT

viragomann — Thu, 14 Apr 2022 18:24:25 GMT

@mattiav
So that's sadly not more than you've already stated above.
There is no hint, what went wrong.

Maybe something on the secondary?

Or maybe this: https://forum.netgate.com/topic/150505/xmlrpc-restore_config_section-error

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 18:02:40 GMT

mattiav — Thu, 14 Apr 2022 18:02:40 GMT

@viragomann
If i add destination port on my NAT rule, the error is not appearing anymore

i checked the interface orders, and they are the same on both nodes

Here the logs on node 1 when i have the error

and here the logs on node1 when there is no errors

thanks again :)

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 17:33:47 GMT

viragomann — Thu, 14 Apr 2022 17:33:47 GMT

@mattiav
No. So the error is also appearing, when you specify a destination port or address?
Maybe something else to see in the system log?

Possibly there are the interface orders different on both nodes? Check Status > interfaces for accordance of all interfaces.

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 17:03:32 GMT

mattiav — Thu, 14 Apr 2022 17:03:32 GMT

@viragomann
Thanks for your answer,
No i don't sync over WAN, i have a dedicated interface on each node
here the conf of the first node

the .106 ip is the backup node sync interface

here the conf of the backup node

For you tips for CARP VIP as translation address for pfSense itself, i will reduce it to only the destination port i need.
But i still don't understand why that rule affect the sync, and you?
Thanks

Reply to Issue with XMLRPC after adding a NAT rule on Thu, 14 Apr 2022 13:34:55 GMT

viragomann — Thu, 14 Apr 2022 13:34:55 GMT

@mattiav said in Issue with XMLRPC after adding a NAT rule:

A communications error occurred while attempting to call XMLRPC method restore_config_section: Request timed out due to default_socket_timeout php.ini setting

Do you sync over WAN? Otherwise it's not clear to me, why you get this error.

But anyway, setting the CARP VIP as translation address for pfSense itself, is a very bad idea at all. At least, when you sync this rule to the secondary.

This would result in both nodes trying to use the CARP VIP for outbound traffic. But this is occupied by the master, hence any outbound connection from the secondary will fail.