[SOLVED] Firewall rule on CARP interface keeps being deleted after sync

podilarius · Nov 2, 2011, 11:02 AM

Forgot this was the second page :). Anyway, looking back at the screen shots it does look like on the master node that CARP was originally opt2 as one of your VPN interface took opt1. I can tell by the ordering of the tabs. This should not make a difference as they are named. Try this, on the master, add a description to the allow all CARP rule (ie CARP Allow All). Sync the settings, and see if that description show up on another interfaces rules.

Are those other interfaces (RV,OVPNS1, OVPNC1,MGMT) VLANs?

bitadmin · Nov 2, 2011, 2:00 PM

Yes. OVPNS1, OVPNC1, MGMT and RV are VLANs

I tried adding a description to the CARP-interface rule on the master and started the sync. After that my rule on the backup FW is gone (as always) but the rule from the master does not show up on any other interface.

Edit: I was wrong: the rule does show up (i had it not to replicate via "No XMLRPC Sync" option).
It appears on the "MGMT" interface

bitadmin · Nov 2, 2011, 2:04 PM

Here are 2 screenshots for my interfaces:

on master i got this:

an on backup i got this:

bitadmin · Nov 2, 2011, 2:13 PM

I even went further now and found out that the rules are synced on the wrong interfaces in several occasions:

Master -> Backup
OVPNS1 -> CARP
CARP -> MGMT
OVPNC1 -> RV
-> OVPNS1
-> OVPNC1

With all that i am surprised that WAN and LAN aren't synced on the wrong interface as well ;)

Edit: Looking at the screenshots i believe that the sync does not apply to the interface names but to their creation order.

jimp · Nov 2, 2011, 2:18 PM

That's what I was going to suggest checking.

The number and order of interfaces in carp cluster members must be the same. What you are seeing is the result of the interfaces not being assigned in the correct order on the slave.

bitadmin · Nov 2, 2011, 2:43 PM

Does that mean i have to remove and recreate my interfaces on the backup server to get the correct order?
OR can i simply update some config file through the console to get the same result?

The rules and settings for those interfaces should be synced automatically, shouldn't they?

jimp · Nov 2, 2011, 2:44 PM

Yes, unless you want to hand edit the config to swap things around.

podilarius · Nov 2, 2011, 2:55 PM

sometimes hand editing is the easiest. especially if you have to replace a lot of IPs. But in this case, prolly easier to just redo the slave.

bitadmin · Nov 2, 2011, 4:56 PM

Do you know which file i need to edit?

jimp · Nov 2, 2011, 4:57 PM

Diagnostics > Backup/Restore, make a backup file, edit the xml backup file, then restore it. If you aren't familiar with XML or can't find your way around it, you're probably better off making the changes in the GUI instead.

bitadmin · Nov 2, 2011, 5:02 PM

Thank you.
I think i can handle the xml and will give it a try.
(What's the worst that can happen ;D)

bitadmin · Nov 2, 2011, 5:14 PM

It worked.

Was pretty easy. Just export only the part for interfaces (which results in a very small XML) and change the tags for the interfaces the way the are labeled on the master. Import it again and voilá: chicken's done!

Thank you all for your help!!!!

Now: How do I mark this thread as resolved? No more loose ends left :)

Metu69salemi · Nov 2, 2011, 8:10 PM

edit your first post subject with [SOLVED]