pfBlockerNG sync not working
-
Super glad I came across this post, been seeing the same thing (hadn't checked on it in a while since I hadn't made any changes, so luckily things on the secondary node are hardly out of sync), seems there is yet to be a fix? Have you found anything else out?
Also, weird question, but would you mind going to Status > DHCP Leases and seeing if you are getting "communications-interrupted" as the status under "My State" on either firewall? I believe this is a separate thing/issue with my setup (100% of all other syncing is working)
-
@planedrop also just adding @BBcan177 to this. I'm sure you're aware but wanted to be certain.
-
I found the bug (typo) and made a quick patch.
@BBcan177 already knows this and may apply it to the next release.
Patch Contents:
--- a/pfblockerng.inc +++ b/pfblockerng.inc @@ -10823,7 +10823,7 @@ function pfb_remove_config_settings() { /* Uses XMLRPC to synchronize the changes to a remote node */ function pfblockerng_sync_on_changes() { // Create array of sync settings and exit if sync is disabled. - $pfb_sync = config_get_path('installedpackages/pfblockerngsyncd/config/0', []); + $pfb_sync = config_get_path('installedpackages/pfblockerngsync/config/0', []); if (!empty($pfb_sync)) { if ($pfb_sync['varsynconchanges'] == 'disabled' || empty($pfb_sync['varsynconchanges'])) { return;
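Review bot: In pfblockerng_sync_on_changes() the config path is a bare string literal, the lookup defaults to [] and the checks that follow are gated on !empty($pfb_sync), so a one-character slip in the key skips them with no error visible in these lines. Consider defining 'installedpackages/pfblockerngsync/config/0' once as a constant shared with the code that writes that section, and logging when the sync settings come back empty, so a mismatch shows up in the log instead of as a silent no-sync.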
Base Directory:
/usr/local/pkg/pfblockerng
[Addendum]
pfBlockerNG v3.2.0_6 and up: officially fixed (delete the patch, install/reinstall pfBlockerNG, update with force reload, restart pfSense)
pfBlockerNG-devel v3.2.0_7: officially not fixed (my recommendation to switch to the nondevel package)
-
@juliokele Oh awesome, thanks so much for this!!
-
@juliokele Much appreciated, was wondering what I'd done wrong and what logs to search until I found and applied this fix - fantastic
-
@juliokele said in pfBlockerNG sync not working:
/usr/local/pkg/pfblockerng
Great investigative work!
Thanks much!!!
-
Following up on this, seems an official patch came out on August 13th via package manager, however this patch doesn't seem to resolve the issue. I have an HA setup, which I've verified have the patch applied and I double checked the file for the typo, all is well, but sync still isn't working between the two.
-
@planedrop @juliokele
Manual patch works but only after reload on master, only saving will not sync. HA here with 23.05.1. Tested both options with "system backup" and "host defined"
Great work, many thanks
-
@vavsaftoiu Interesting, I haven't used the manual patch, but from what I can see the manual patch is doing the exact thing that BBCan did for the official fix, so maybe I've got something else going wrong?
It does list HA Sync = done in the logs when doing a manual reload, but absolutely nothing is syncing over. HA is working otherwise and was fine even with pfB in the past.
I'll do some more digging to see if I can figure out what is going on.
-
@planedrop
I have extended my comment: https://forum.netgate.com/post/1108304
-
@juliokele Thanks for this, I'll try to reinstall pfB to see if that helps, reboot has already happened and I actually never applied the manual patch.
-
Hey guys,
after applying pfblockerng non-devel update 3.2.0_6 to my _5-install sync still did not work.
Unchecking the button "Keep Settings", saving and reloading and then reinstalling the package on my backup-machine followed by a force reload on the master machine did the trick and now the sync works smoothly. Reboot was not necessary on either my master or my backup machine.
Thanks folks!
-
@juliokele said in pfBlockerNG sync not working:
pfBlockerNG-devel
Is there any news on when this will be fixed for "pfBlockerNG-devel"?
-
@Bruce74 said in pfBlockerNG sync not working:
Is there any news on when this will be fixed for "pfBlockerNG-devel"?
Semi-related question, what is the future of pfBlockerNG-devel? When 23.01 came out pfBlockerNG and pfBlockerNG-devel were made the same code. So we just switched to non-devel as (vaguely) suggested in the release notes. My general assumption was they would not differ going forward, but apparently they are already diverging in minor ways.
-
@SteveITS just updated to pfSense 2.7.2 and this brought me to pfBlockerNG_devel 3.2.0_7 and still had to manually re-apply the fix so definitely not fixed on latest Devel version either. Should devel version be patched by now or should we consider switching to the non devel branch?
-
I updated to pfBlockerNG-devel 3.2.0_7 a couple of weeks ago, and it fixed the sync issue for me.
-
@Bruce74 That's weird, I just updated pfSense from 2.7.1 to 2.7.2 and naturally pfBlockerNG-devel from 3.2.0_6 to _7 and it didn't fix it for me, I had to re-edit the .inc file and remove the additional 'd' again (I didn't apply the patch file, just patched it by hand).
-
@IT_Luke I always struggle a bit to find things in Github but comparing
https://github.com/pfsense/FreeBSD-ports/blob/734989ab5809fe5c7bde23a240e717da656775ac/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L10826
and
https://github.com/pfsense/FreeBSD-ports/blob/734989ab5809fe5c7bde23a240e717da656775ac/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L10826
...the latter does not have the fix:
$pfb_sync = config_get_path('installedpackages/pfblockerngsyncd/config/0', []);
I made a note in the redmine.
-
@IT_Luke I'd recommend swapping over to the non devel version, which does have the fix applied like @SteveITS mentioned.
I did want to note something though, for me the fix had to both be applied by updating pfBlocker, and then I also had to reinstall pfBlocker on both HA nodes to get the sync to work again (keeping settings so it really was just clicking the reinstall button in the package manager). Been perfect ever since but a little odd it required that.
-
@planedrop I think I'll wait until the Redmine gets processed/picked up - I have no problems after manually patching the .inc (again), my HA installs sync fine after so no worries. In the event of another pfBlockerNG-devel update I know what to check so it's not a big deal, it's a very fast manual fix. If in the end the devel branch gets "left behind" I will uninstall and reinstall the "normal" branch. Cheers anyhow!
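
The check several posters describe doing by hand after a package update, as an added example that is not part of the thread or of pfBlockerNG itself. The function name `pfb_sync_path_state` is hypothetical; the file location and the two path strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report whether a pfblockerng.inc reads its sync settings
# from the correct config path or from the misspelled one (extra 'd').

# Default location: base directory and file name as given in the thread.
PFB_INC="/usr/local/pkg/pfblockerng/pfblockerng.inc"

# The two config_get_path() calls quoted in the thread.
PFB_GOOD="config_get_path('installedpackages/pfblockerngsync/config/0'"
PFB_BAD="config_get_path('installedpackages/pfblockerngsyncd/config/0'"

# Prints one word and returns a matching status:
#   fixed (0), typo (1), unknown (2: neither call found), unreadable (3)
pfb_sync_path_state() {
    inc="$1"
    if [ ! -r "$inc" ]; then
        echo "unreadable"
        return 3
    fi
    # Check the misspelled key first: a file carrying both forms still
    # has a broken lookup somewhere and needs attention.
    if grep -qF "$PFB_BAD" "$inc"; then
        echo "typo"
        return 1
    fi
    if grep -qF "$PFB_GOOD" "$inc"; then
        echo "fixed"
        return 0
    fi
    echo "unknown"
    return 2
}

# With no arguments, check the installed file; otherwise check each path
# given (for example a copy of the file fetched from the secondary node).
if [ "$#" -eq 0 ]; then
    set -- "$PFB_INC"
fi
for f in "$@"; do
    state=$(pfb_sync_path_state "$f") || true
    echo "$f: $state"
done
```

Running it on both HA nodes after each package update shows whether the update restored the misspelled key; an "unknown" result means the file no longer contains either form and should be read by hand.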