Cluster upgrade question



  • Hi all,

    We have two pfsense machines in a carp/pfsync cluster.  We upgraded the primary from 2.0.3 to 2.1.5 just over three weeks ago.  When doing this, I disconnected the failover from all networks so that we'd have a known-good state to return to if there were any issues.

    We have not had any problems and I'd like to bring the cluster back online.  I have a few questions though, because this is both the biggest upgrade jump we've done and the most divergent the configs have been at the time of reintroduction of the secondary firewall.

    1. If I upgrade the secondary via the upgrade package copied from a USB key (or by plugging in directly to the firewall and SCPing it across), then reconnect it to the networks, is there a recommended order in which I should reconnect it (e.g. LAN, then DMZ, then WAN etc.)?  I would imagine that the pfsync interface should be connected first, to prevent splitbrain type scenarios, but after that?

    2.  There have been approximately 20 modifications to the live config since the upgrade.  Provided the pfsync interface is connected first, I would imagine that I will have no issues with these changes being replicated in the correct direction.  Is that the case?

    3. Is there a significant chance of service interruption by reintroducing the the second firewall to the cluster?

    With thanks,

    Simon



  • Read the upgrade guide:
    https://doc.pfsense.org/index.php/Upgrade_Guide

    As long as one of the CARP interfaces of the secondary box is unplugged, it is in backup mode.
    Ensure that the firewall rule at sync interface is set correctly as described in the upgrade guide, plug in the sync cable to sync states and do the upgrade.
    AFAIK the configuration settings are synced at the next change.

    As the secondary box should keep in backup state, there would be no service interruption.


  • Netgate Administrator

    What pfSense version is the secondary running?
    If the versions are sufficiently different the pfsync protocol may not be the same which will prevent syncing. See:
    https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide

    I think you're OK between 2.0.X (8.1) and 2.1.X (8.3) though.

    Steve