Outbound NAT Issue - 2.1 to 2.2 sync

  • This is not covered in the upgrade considerations, so I don't know if this issue is due to an underlying BSD or pf change like the state syncing issue or if this is a bug.

    Following the best practices for High Availability Deployments, I upgraded the secondary firewall and intend to switch to it. However, I noticed that the Outbound NAT setting for the secondary firewall is “Automatic outbound NAT rule generation”. I changed it to manual and of course all my rules were missing. I forced a sync from the primary to the secondary and the secondary was set back to “Automatic outbound NAT rule generation”.



  • Rebel Alliance Developer Netgate

    Do not try to sync from 2.1 to 2.2. The outbound NAT code format changed and thus needs to be upgraded. Once the primary upgrades, its NAT will be in the correct format and the rules will sync properly.

  • jimp,

    Thanks for the response. Is there any way for me to do this on the secondary firewall? My process would be as follows.

    Restore the secondary firewall to 2.1 using the full backup restore that I have.

    Force a config sync from the primary.

    Disable config sync on the primary.

    Upgrade the secondary to 2.2.

    Based on your response, if I do this the config upgrade process should convert the Outbound NAT entries properly on the secondary.

    Once 2.2 is tested on the secondary I could upgrade the primary and then turn syncing back on.

    Does this appear to be a sound plan? Did I miss anything?

    For reference, is there any way to do this with a previous config file?

    i.e., restore a 10.1 config file and, when it is converted, have it convert the Outbound NAT entries correctly?

  • jimp,

    I have started the process of what I have described and I came across something confusing so this is more of a feature request. I restored the secondary firewall to 2.1.5 using the full backup made when I upgraded to 2.2.

    The confusion is that there is no clear indication that the restore is complete. I was connected via ssh and was disconnected. I reconnected and the shell reported 2.1.5, but the uptime showed that the firewall did not reboot. I logged in to the web interface and it reported 2.1.5, but FreeBSD 10.1. I assumed that the restore was complete and a reboot was needed because the BSD version was wrong. I rebooted and things are back to normal.

    This process is very unclear and the documentation does not provide clarification.

    As far as my other questions, your responses are still desired, as it will be Tuesday or later before I can upgrade again to see if the Outbound NAT rules are converted properly. Additionally, it would be nice to know if a manual conversion of an older config file can be initiated without having to upgrade, but that produces the same result as upgrading, i.e., Outbound NAT rules are converted to the new format rather than being lost.



  • Bump,

    I have been able to upgrade successfully by running an XML-RPC sync, disabling XML-RPC and pfsync, upgrading the secondary and then disabling CARP on the primary.

    The other questions are still open, like after the upgrade can an old config be converted to the new format?



  • Rebel Alliance Developer Netgate

    The upgrade from 2.1.x to 2.2.x upgrades/converts the configuration format automatically. If you need to convert the "old" format to the new, restore a full 2.1.x configuration file to 2.2 and it will be upgraded.
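
    A pre-flight check for the situation in this thread, added here as an example and not code from the thread or from pfSense itself: before forcing a config sync, compare the outbound NAT section of both nodes' config.xml and refuse when the two are not in the same format, so the sync cannot silently reset the secondary to automatic mode and drop its rules. The element layout assumed (2.1: `<nat><advancedoutbound>` with `<enable/>` meaning manual mode; 2.2: `<nat><outbound>` with a `<mode>` element) and the sample configs are assumptions constructed for the example.

    ```python
    import xml.etree.ElementTree as ET

    # Constructed samples. The element names are an assumption about the
    # config.xml layout of each release, not something the thread states.
    OLD_CFG = """<pfsense><nat><advancedoutbound><enable/>
    <rule><interface>wan</interface><source><network>lan</network></source>
    <descr>LAN to WAN</descr></rule></advancedoutbound></nat></pfsense>"""

    NEW_CFG = """<pfsense><nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><source><network>lan</network></source>
    <descr>LAN to WAN</descr></rule></outbound></nat></pfsense>"""


    def outbound_nat_schema(xml_text):
        """Return (schema, mode, rule_count) for the outbound NAT section.

        schema is 'pre-2.2' for <nat><advancedoutbound>, '2.2' for
        <nat><outbound><mode>, and 'none' when neither section exists.
        """
        root = ET.fromstring(xml_text)
        old = root.find("nat/advancedoutbound")
        if old is not None:
            # In the assumed 2.1 layout an <enable/> child means manual (AON) mode.
            mode = "manual" if old.find("enable") is not None else "automatic"
            return ("pre-2.2", mode, len(old.findall("rule")))
        new = root.find("nat/outbound")
        if new is not None:
            mode_el = new.find("mode")
            mode = mode_el.text.strip() if mode_el is not None and mode_el.text else "automatic"
            return ("2.2", mode, len(new.findall("rule")))
        return ("none", "automatic", 0)


    def sync_is_safe(primary_xml, secondary_xml):
        """Decide whether a primary -> secondary sync keeps outbound NAT intact."""
        p_schema, p_mode, p_rules = outbound_nat_schema(primary_xml)
        s_schema, s_mode, s_rules = outbound_nat_schema(secondary_xml)
        if p_schema != s_schema:
            return (False, f"schema mismatch: primary {p_schema}, secondary {s_schema}; "
                           "upgrade the primary first so both nodes use the same format")
        if s_rules and not p_rules:
            return (False, f"secondary has {s_rules} outbound rule(s) the primary lacks; "
                           "sync would overwrite them")
        return (True, f"both nodes use the {p_schema} format, mode {p_mode}")
    ```

    Run it against a config.xml exported from each node before re-enabling XML-RPC sync; a `False` result is the case the first reply warns about.
    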

  • Jimp,

    The first time I upgraded to 2.2, I did not turn off xmlrpc sync so the outbound NAT config got messed up. After that I tried to restore an old config and it did not seem to convert as the outbound NAT config was still messed up. Do I need to restore the config and reboot for the config conversion to take place?

    Thank you,

