Issue with updating Second pfsense device.

yogi_en

Hello,

I have two pfsense devices. One of them act as a main router and the second one as backup. I want to update the backup pfsense to the latest version and keep it up to date. I connected the back up pfsense as a separate device in my LAN ( with out changing the main pfsense device ) This device gets IP address, but some how this device cannot connect to internet. I am facing the problem mentioned here.

Both devices has got same configuration and hostname etc.

https://www.reddit.com/r/PFSENSE/comments/cbhtxx/how_do_you_configure_a_pfsense_device_to_update/

I can ssh to the second pfsense device after connecting the laptop to this.

ping 1.1.1.1 doesn't work after ssh.

Any help us appreciated. I have tried all the methods that was mentioned in the other thread.

viragomann

@yogi_en said in Issue with updating Second pfsense device.:

I connected the back up pfsense as a separate device in my LAN ( with out changing the main pfsense device )

With its WAN or LAN port?

This device gets IP address,

WAN or LAN?
Which IP do you get?

What' in the routing table?

What does Status > Gateways show?

What does Status > Interfaces show?

bingo600

@viragomann said in Issue with updating Second pfsense device.:

With its WAN or LAN port?

My guess is it doesn't matter

If WAN, OP would have same net on WAN IF and the "Backup box" Lan IF.

If LAN, OP would have duplicate IP on LAN

I have the same update callenge at work , and ended up dedicating an "Old unused OBSOLETE/INSECURE Cisco RV router" to "fake my ISP net", for upgrading my backup.
Cisco RV has DHCP IP on it's WAN , and is connected to my "Prod LAN".
Cisco RV is "faking" my ISP assigned /27 on it's LAN.

Works fine , and i can "Restore my prod config" to the Backup box wo. changing anything on the Prod or Backup pfSenses.

Edit: You could even use an old WRT54G, or whatever old stuff you have in the drawer

/Bingo

viragomann

@bingo600 said in Issue with updating Second pfsense device.:

With its WAN or LAN port?

My guess is it doesn't matter

If WAN, OP would have same net on WAN IF and the "Backup box" Lan IF.

If LAN, OP would have duplicate IP on LAN

Since he wrote, the backup gets an IP, I'm assuming that it's configured for DHCP.
This should basically work though, as long as he has no static routing set, however, not really sure.

The requested infos would shed some light on this.

bingo600

@viragomann said in Issue with updating Second pfsense device.:

This should basically work though, as long as he has no static routing set, however, not really sure.

I doubt

If Backup Box get's a DHCP IP on WAN, it'll get a def-gw of the Prod Box LAN IF.

When arp'ing for the def-gw he would have a static entry of the "Local LAN IP" , as it's the same IP.
I'm not 100% sure but my money would prob be on a static arp has precedence over a dynamic (arping on WAN).

And where (IF) would the Backup box forward the packages ...
Since WAN & Local LAN are both connected , and members of the same subnet.
Lottery .....

Edit:
If there's nothing connected to the Backup box - Local Lan , and the IF is down .... Maybe ... Lottery ...
But how to manage the Backup box, if not Local Lan ....

I agree : More DOC Required
As IBM almost always wrote in 80+% of our Mainframe APAR reports.

/Bingo

yogi_en

Thanks for the replies.

The second pfsense box is connected to the main pfsense box via WAN port.
Its gets an IP in LAN range ,issued by the main pfsense box using DHCP. ( Also tried static IP for the second box )

I didn't check the status > gateways and status -> Interfaces. Will do that later today

The backup pfsense box is also connected to a Laptop via LAN port. It gets a LAN IP issued by DHCP of the backup pfsense box. I can ssh into the backup box via ssh from pfsense. But I cab't ping any IP addresses ( ping 9.9.9.9 doesn't work )

Also wanted to say that it worked once. After a restart it stopped working again. Seems to be a lottery as bingo600 suggested. I am looking for a consistent way to make this work.

bingo600

@yogi_en
Best:
Connect Backup Box WAN to "Old router LAN", as i described above.
And let the "old router" WAN use DHCP (they usually do) , and on "old router" Lan : Define a subnet that is NOT defined in the Backup Box.

Else:
When connecting the Backup WAN to "Prod LAN" , you would have to change your Backup LAN Net to a different subnet.
AKA ... Whatever Prod network , you are connecting Backup WAN to , must be changed on Backup Box ... Ie. If connecting Wan to Prod-Lan , then Backup Lan must be changed to another subnet.

If you have several Prod subnets that allow internet access, i would use something other than Prod LAN to connect Backup Box WAN to.
Primarily because pfSense LAN is the worst to change IP address on.

Ie. Connect Backup WAN to PROD DMZ , and you might even get lucky that you doesn't have to change anything in the Backup Box (if Backup DMZ interface is inactive)
Else you would have to change Bakup DMZ to another unused subnet.

Edit: You'd still manage the backup box via it's LAN

/Bingo

viragomann

@yogi_en
Presumed you use automatic gateway settings on the backup, you could simply create a VLAN on the LAN ports on both pfSense boxes for this purpose.

On the backup, configure the VLAN interface as DHCP client. On the primary enable the DHCP server on it.

Then every time you connect the backup node LAN to LAN, it will pull an IP from the primary's DHCP server on the VLAN interface and use the primary as upstream gateway, since it WAN is not connected.
At the same time you can access both nodes from any LAN device via the LAN IPs and run the update.

yogi_en

Thanks for the informative replies. I understood the reason now.

Primarily because pfSense LAN is the worst to change IP address on

I already tried to change the LAN network to different unused subnet in the backup box before reading the comments. In the process I locked myself out LAN net work from the backup box. First went to Interface used a new subnet for LAN and after I saving, I was locked out. I didn't have time to change DHCP server settings!.

I will have to connect the display/keyboard and restore the original config now. Will create a new network/VLAN and will try again.

I do have an older, but I believe that route will take longer time.

bingo600

@yogi_en said in Issue with updating Second pfsense device.:

I do have an older, but I believe that route will take longer time.

It will , the first time .....
But every other time it will be a breeze to update.

Turn on the Older .... Connect it (WAN) to Prod-Lan.
Connect Backup Box (WAN) to Older Lan
Upgrade & Done.

/Bingo

yogi_en

Thanks to all for the support. Issue is resolved successfully with the following steps.

1. Created a new network ( different from LAN subnet ) in one of the unused port of the backup pfsense box.

2. Connected the laptop to this new port. Laptop gets an IP.

3. The backup pfsense WAN port is connected to the LAN of main pfsense box

4. Disabled LAN network on the backup pfsense box ( temporary )

5. Now the backup pfsense box can connect to internet.

6. Did the upgrade.

7. Disconnect WAN.

8. Enable the LAN network on the backup pfsense box ( We can leave the new network as is or disable it ).

Works well for my use case. Thanks again for the support!