Adding HA/CARP/SYNC to existing Infrastructure
-
Good morning all,
I have an environment that has been operational for a few years now, which is running the latest version, and I am now about to add a new node and enable high availability for the deployment.
I have done HA/CARP/SYNC setup before in an environment that was new; however, I have never added it on.
The machines are identical, but naturally, there has been a lot of configuration performed on the first node.
My question is this: Do I need to match ALL of the configurations between both systems before adding HA/CARP/SYNC? Or do I need to just make sure the standard settings are done and the settings will push over to the new node?
Thank you!
-
@TheStormsOfFury There's a list (checkboxes) of things it will sync for you: https://docs.netgate.com/pfsense/en/latest/highavailability/settings.html#options-to-synchronize
Some packages have sync options also, e.g. Suricata and pfBlocker (which has some caveats).
It's necessary to have the interfaces added in the same order, so the internal names match.
-
@SteveITS It does sync most of it. I was asking as I'd never "added" on to an existing install, just done completely new installs where it was all set up before anything was configured.
Thanks for the reply!
TSoF
-
@TheStormsOfFury said in Adding HA/CARP/SYNC to existing Infrastructure:
Good morning all,
I have an environment that has been operational for a few years now, which is running the latest version, and I am now about to add a new node and enable high availability for the deployment.
I have done HA/CARP/SYNC setup before in an environment that was new; however, I have never added it on.
The machines are identical, but naturally, there has been a lot of configuration performed on the first node.
My question is this: Do I need to match ALL of the configurations between both systems before adding HA/CARP/SYNC? Or do I need to just make sure the standard settings are done and the settings will push over to the new node?
Thank you!
Typically you don't have to exactly match the config on your new backup node to your primary node. What you do have to have is:
- Physical interfaces activated/added in the same order.
- Install the same packages on the backup node that the primary node has (not strictly required I suppose, but if the backup node is supposed to fully stand in for the primary, I don't see why you wouldn't do this).
- A sync interface setup on both nodes.
I have done this multiple times and there are two ways I've gone about it. The first way is to configure as little as is necessary on the backup node, just get the interfaces added and configured correctly, and let XMLRPC sync push the primary node's configuration to the secondary node using the dedicated sync interface you will configure on both nodes.
The other way to do this is to take a backup of the primary node's configuration and restore it to the secondary node, then make the needed modifications to the secondary node's configuration.
On balance I've come to prefer the first method over the second method. The first method generally works without too much difficulty. I have had instances where the config didn't sync immediately, though I think doing something as simple as making a trivial configuration change in the primary node, then saving and applying changes often works to nudge a config sync to the backup node.
With the second method, there are several things you have to remember to 'fix', especially the virtual IP address settings and the physical interface addresses. You can easily forget one little detail and create some difficulties for yourself. I will say that one advantage this method has is that it makes it easier to get the order of physical interface activation/creation correct, which can be a little bit of an aggravation with the first method, especially if you are running some vlans in your environment.
Anyway, that was a lot of long-winded explanation. Short version: I have done this both ways more than once, and I usually prefer the method where you configure the secondary minimally such that it can accept a configuration sync from the primary node, then fully make the physical connections on the secondary node to the network after the initial configuration sync.
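The reply above boils the prerequisites down to three things (interfaces in the same order, matching packages, a sync interface) and warns that the "restore the primary's backup" method leaves per-node settings to fix by hand. As an added example that is not code from the thread or from pfSense, here is a pre-flight script that compares two exported config.xml files for exactly those points. The two XML documents are constructed samples; the element paths it reads (interfaces/<name>/if, virtualip/vip, installedpackages/package/name) are my understanding of the config.xml layout, so check them against a real backup before relying on the output.

```python
"""Pre-flight comparison of two pfSense config.xml exports before enabling HA sync.

Added example (not the forum's or pfSense's own code). It checks the items the
reply says must already be right on the new backup node before XMLRPC sync
pushes the rest, and lists the settings to edit by hand if you instead restore
the primary's backup onto the second node.

The XML below is constructed sample data. Element names follow the config.xml
layout as I understand it; verify against a real export before use.
"""
import xml.etree.ElementTree as ET

PRIMARY_XML = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb2</if><descr>SYNC</descr><ipaddr>172.16.0.1</ipaddr><subnet>30</subnet></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.1</subnet><subnet_bits>29</subnet_bits><vhid>1</vhid><advskew>0</advskew></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits><vhid>2</vhid><advskew>0</advskew></vip>
  </virtualip>
  <installedpackages>
    <package><name>suricata</name></package>
    <package><name>pfBlockerNG-devel</name></package>
  </installedpackages>
</pfsense>"""

# Backup node with lan/opt1 assigned to the NICs in the opposite order and one package missing.
BACKUP_XML = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>203.0.113.3</ipaddr><subnet>29</subnet></wan>
    <lan><if>igb2</if><ipaddr>192.168.1.3</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb1</if><descr>SYNC</descr><ipaddr>172.16.0.2</ipaddr><subnet>30</subnet></opt1>
  </interfaces>
  <virtualip/>
  <installedpackages>
    <package><name>suricata</name></package>
  </installedpackages>
</pfsense>"""


def interface_map(root):
    """Ordered list of (logical name, physical NIC) as they appear under <interfaces>."""
    return [(iface.tag, iface.findtext("if")) for iface in root.find("interfaces")]


def check_interfaces(primary_xml, backup_xml):
    """Return a list of mismatches; an empty list means the two nodes line up."""
    p = interface_map(ET.fromstring(primary_xml))
    b = interface_map(ET.fromstring(backup_xml))
    problems = []
    p_names, b_names = [n for n, _ in p], [n for n, _ in b]
    if p_names != b_names:
        problems.append(f"interface order differs: primary {p_names}, backup {b_names}")
    b_nics = dict(b)
    for name, nic in p:
        if name in b_nics and b_nics[name] != nic:
            problems.append(f"{name}: primary uses {nic}, backup uses {b_nics[name]}")
    return problems


def missing_packages(primary_xml, backup_xml):
    """Packages installed on the primary that the backup does not have."""
    def names(xml):
        return [n.text for n in ET.fromstring(xml).iterfind("installedpackages/package/name")]
    installed = set(names(backup_xml))
    return [pkg for pkg in names(primary_xml) if pkg not in installed]


def restore_fixups(primary_xml):
    """Settings to edit by hand if the primary's config is restored onto the backup node."""
    root = ET.fromstring(primary_xml)
    fixes = []
    for iface in root.find("interfaces"):
        addr = iface.findtext("ipaddr")
        if addr and addr not in ("dhcp", "none"):
            fixes.append(f"{iface.tag}: ipaddr {addr} is the primary's; set the backup node's own address")
    for vip in root.iterfind("virtualip/vip"):
        if vip.findtext("mode") == "carp":
            fixes.append(f"CARP vhid {vip.findtext('vhid')} on {vip.findtext('interface')}: "
                         f"advskew {vip.findtext('advskew')} is the primary's; use a higher value on the backup")
    return fixes


if __name__ == "__main__":
    for line in check_interfaces(PRIMARY_XML, BACKUP_XML):
        print("INTERFACE:", line)
    for pkg in missing_packages(PRIMARY_XML, BACKUP_XML):
        print("PACKAGE missing on backup:", pkg)
    for line in restore_fixups(PRIMARY_XML):
        print("FIXUP:", line)
```

Run it against the two exports before turning on sync: an empty result from check_interfaces is the go/no-go for the first method, and restore_fixups is the checklist for the second, where the interface addresses and CARP settings are the details the reply says are easy to forget.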
-
@bp81 I ended up performing the addition using the first method you mentioned, plus the firewall configuration, and then it worked like a charm. It even added all of the packages to the new node.
Now, I'm dealing with an IPsec speed issue, but that is a whole separate issue and one I have already opened another thread on.
Thank you for taking the time to reply; it is much appreciated, and now if someone else is looking for the same thing, they have some really good options!
Have an excellent day!
TSoF