2.1.5 -> 2.2 Configuration Synchronisation sets NAT Config back to default

  • How to recreate:

    • Starting point is two pfSense 2.1.5 with a working CARP/pfsync/XMLRPC Sync.  There are no packages installed.
    • Outbound NAT is configured as "Manual Outbound NAT rule generation" with rules to NAT on the WAN as the WAN VIP.
    • Pulling the WAN cable on the Master sees a good failover to the slave and everything still works (meaning browsing to the Internet in this test).
    • Plug the WAN cable back in and everything fails back.  All good so far.
    • Then upgrade slave to 2.2.
    • After the reboot of the slave, the NAT configuration is "correct" as viewed in the web interface.  Meaning that the Outbound NAT mode is "Manual Outbound NAT rule generation" and the rules to NAT as the WAN VIP are there.
    • Change something on the Master and save it.  Just saving the "System: High Availability Sync" page without changing anything seems to be enough.
    • The Outbound NAT configuration on the slave is now in mode "Automatic outbound NAT rule generation".
    • Pulling the WAN cable on the master sees a good failover from the CARP perspective, but there is no connectivity to the WAN.  Meaning that browsing to the Internet does not work.

    Work around:

    • On the master on the "System: High Availability Sync" page, disable "Synchronize NAT" before upgrading the slave.
    • Re-enable once the Master has been upgraded.

    It concerns me that if NAT is not syncing correctly what else isn't that I have yet to test?

    What is the correct/safe way to upgrade a 2.1.5 cluster to 2.2?  I have seen references to the "2.2 Upgrade Notes" and the "Redundant Firewalls Upgrade Guide" for this, but neither of these has anything that talks specifically about 2.2 in them. So I have gone the "Generally the recommended path for upgrading a High Availability cluster is to first upgrade the secondary node" route.



  • Answered here https://forum.pfsense.org/index.php?topic=87813.msg483500#msg483500

    This really should be in the upgrade notes.
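A check that goes with the report above, added here as an example and not part of the original post or of pfSense itself: compare the outbound NAT section of the master's and the slave's config.xml after an XMLRPC sync, so that a mode flip to "Automatic outbound NAT rule generation" is caught before the WAN cable is pulled. The config.xml layouts it parses are assumptions that should be checked against your own /cf/conf/config.xml (2.1.x manual outbound NAT as <nat><advancedoutbound><enable/>, 2.2 as <nat><outbound><mode>advanced</mode>, with a missing <mode> treated as automatic), and the three sample configs are constructed, with 192.0.2.10 standing in for the WAN VIP.

```python
"""Compare the outbound NAT mode recorded in pfSense config.xml files.

Added example, not part of the original post or of the pfSense project.
Assumed config.xml layouts (verify against your own /cf/conf/config.xml):
  - 2.1.x manual outbound NAT: <nat><advancedoutbound><enable/><rule>...
  - 2.2 outbound NAT:          <nat><outbound><mode>advanced</mode><rule>...
    where <mode> is one of automatic / hybrid / advanced / disabled and a
    missing <mode> is assumed to fall back to automatic.
"""
import xml.etree.ElementTree as ET

# Modes in which user-defined outbound NAT rules are actually applied.
MANUAL_MODES = {"advanced", "hybrid"}


def _nat_sections(config_xml: str):
    """Return (<outbound> element or None, <advancedoutbound> element or None)."""
    root = ET.fromstring(config_xml)
    nat = root.find("nat")
    if nat is None:
        return None, None
    return nat.find("outbound"), nat.find("advancedoutbound")


def outbound_nat_mode(config_xml: str) -> str:
    """Outbound NAT mode as the firewall would read it from this config."""
    outbound, adv = _nat_sections(config_xml)
    if outbound is not None:                                   # assumed 2.2 layout
        return (outbound.findtext("mode") or "automatic").strip()
    if adv is not None and adv.find("enable") is not None:     # assumed 2.1.x layout
        return "advanced"
    return "automatic"


def outbound_nat_rules(config_xml: str) -> list:
    """(interface, target) pairs of the manual outbound NAT rules present."""
    outbound, adv = _nat_sections(config_xml)
    holder = outbound if outbound is not None else adv
    if holder is None:
        return []
    return [(r.findtext("interface", ""), r.findtext("target", ""))
            for r in holder.findall("rule")]


def nat_sync_drift(master_xml: str, slave_xml: str) -> list:
    """Outbound NAT differences between master and slave that would break
    failover: mode not matching, manual rules ignored, or rules missing."""
    problems = []
    m_mode, s_mode = outbound_nat_mode(master_xml), outbound_nat_mode(slave_xml)
    if m_mode != s_mode:
        problems.append(f"mode: master={m_mode} slave={s_mode}")
    if m_mode in MANUAL_MODES and s_mode not in MANUAL_MODES:
        problems.append("slave will ignore manual rules (automatic/disabled mode)")
    missing = set(outbound_nat_rules(master_xml)) - set(outbound_nat_rules(slave_xml))
    for iface, target in sorted(missing):
        problems.append(f"rule missing on slave: {iface} -> {target}")
    return problems


# Constructed samples, not real captures. 192.0.2.10 stands in for the WAN VIP.
_RULE = ("<rule><interface>wan</interface><source><network>10.0.0.0/24</network>"
         "</source><target>192.0.2.10</target><descr>LAN via WAN VIP</descr></rule>")

MASTER_215_XML = f"""<pfsense><nat><advancedoutbound><enable/>{_RULE}
</advancedoutbound></nat></pfsense>"""

SLAVE_22_XML = f"""<pfsense><nat><outbound><mode>advanced</mode>{_RULE}
</outbound></nat></pfsense>"""

# What the report describes after saving on the master: the slave shows
# "Automatic outbound NAT rule generation" even though the rules are present.
SLAVE_22_AFTER_SYNC_XML = f"""<pfsense><nat><outbound><mode>automatic</mode>{_RULE}
</outbound></nat></pfsense>"""


if __name__ == "__main__":
    for name, cfg in [("master 2.1.5", MASTER_215_XML),
                      ("slave 2.2 after upgrade", SLAVE_22_XML),
                      ("slave 2.2 after sync", SLAVE_22_AFTER_SYNC_XML)]:
        print(f"{name}: mode={outbound_nat_mode(cfg)} rules={outbound_nat_rules(cfg)}")
    for problem in nat_sync_drift(MASTER_215_XML, SLAVE_22_AFTER_SYNC_XML):
        print("DRIFT:", problem)
```

Run it against copies of both nodes' config.xml (for example pulled over SSH) right after an XMLRPC sync; an empty drift list means the slave would still NAT to the WAN VIP on failover, while a "mode:" entry is the condition the report describes and the cue to stop and re-check "Synchronize NAT" on the master.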