Pfsync temporarily between different hardware platforms


  • LAYER 8 Netgate

    Is it possible to sync states between different hardware platforms? I have a pair of APUs I'm going to be replacing with SG-8860s.

    I was thinking I would disable the config sync then failover to the secondary.

    Replace the primary with the SG-8860 (in persistent CARP down mode), let states sync, then fail back.

    Replace the secondary with the 8860 and enable config sync.

    The configs will be identical with the exception of the physical interface names (hand edited for new hardware).

    Will that work? I'm pretty sure about everything except the state sync. If it uses pfSense names like OPT1 and LAN it seems it should work. If it relies on rlX and igbX, likely not.



  • Should be easy enough to test in a VMware setup. Set up one box with E1000 interfaces and the other with vmx3 interfaces; that'll give you the "different" hardware interfaces scenario to test.
    The outcome of that would be good to throw into the wiki, I'm sure it has crossed other people's minds.



  • https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync

    pfsync usually isn't so critical that you care about losing state, in doing a hardware swap at least. Unless you have an unusual circumstance where that is highly disruptive, it's not likely worth the effort. You'd have to wipe the state table to switch to lagg to accommodate the workaround anyway. So I'd just not worry about pfsync until both boxes are swapped in (fine to leave it enabled in between, the synced states just won't match).


  • LAYER 8 Netgate

    Thanks. Gee it says so right there. (I did read the entire HA chapter in the book again before I asked :/ ) You're right. I'm probably over-thinking it. Creating the laggs would probably be more disruptive anyway.

