HA XMLRPC sync appears to “merge” but does not actually write changes on the Backup
-
pfSense Plus in HA (Primary ⇄ Backup) with XMLRPC config sync enabled. pfBlockerNG present. Sync logs show normal activity on the Backup node.
XMLRPC sync runs and claims sections were merged, but the Backup’s config.xml content does not change (only the <revision> timestamp updates), I have checked this with config history. New rules/sections do not appear on the Backup at all, same for aliases.
After editing on the Primary (e.g., adding a simple LAN rule with a unique description), the same object should be present in the Backup GUI and in /cf/conf/config.xml. This isn’t working now, and I’m not sure when it broke—maybe on a 25.11 snapshots, or even earlier.
-
Can you reproduce that starting with a minimal config? It's hard to say what could be happening without reproducible steps. It works in my testing.
-
@w0w in pfB the sync happens on a force reload only. Theres a one line fix to have it happen at cron intervals…see this thread:
https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/50(The line number has changed over time)
-
I will not be able to try a minimal configuration in the near future, unfortunately. But I might have some time to dig a bit deeper. For now, at least I am sure that the receiving side receives everything, and I can even see my test rule in the dump, but it is not clear why the block is not being written… Maybe it is failing a validation check.
-
If you're referring to the changes from pfBlockerNG then it's likely the cron thing already mentioned. Otherwise something else to try is temporarily removing packages from both nodes and testing.
-
@marcosm
I have removed only pfBlocker, and the configuration has synced successfully. -
Even with synchronization completely disabled, simply having pfBlocker installed prevents synchronization between the firewalls. -
@w0w oh do you mean any change, not just pfB? Then disregard my post above. That’s only pfB.
-
@SteveITS said in HA XMLRPC sync appears to “merge” but does not actually write changes on the Backup:
do you mean any change, not just pfB?
Exactly. Anyway it looks like this bug is related to pfB somehow.
