Netgate Discussion Forum

    Pfsync temporarily between different hardware platforms

    HA/CARP/VIPs
    • Derelict LAYER 8 Netgate

      Is it possible to sync states between different hardware platforms? I have a pair of APUs I'm going to be replacing with SG-8860s.

      I was thinking I would disable the config sync then fail over to the secondary.

      Replace the primary with the SG-8860 (in persistent CARP down mode), let states sync, then fail back.

      Replace the secondary with the 8860 and enable config sync.

      The configs will be identical with the exception of the physical interface names (hand edited for new hardware).

      Will that work? I'm pretty sure about everything except the state sync. If it uses pfSense names like OPT1 and LAN it seems it should work. If it relies on rlX and igbX, likely not.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • awebster

        Should be easy enough to test in a VMware setup. Set up one box with E1000 interfaces and the other with vmx3 interfaces, that'll give you the "different" hardware interfaces scenario to test.
        The outcome of that would be good to throw into the wiki, I'm sure it has crossed other people's minds.

        –A.

        • cmb

          https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync

          pfsync usually isn't so critical that you care about losing state, in doing a hardware swap at least. Unless you have an unusual circumstance where that is highly disruptive, it's not likely worth the effort. You'd have to wipe the state table to switch to lagg to accommodate the workaround anyway. So I'd just not worry about pfsync until both boxes are swapped in (fine to leave it enabled in between, the synced states just won't match).

          • Derelict LAYER 8 Netgate

            Thanks. Gee it says so right there. (I did read the entire HA chapter in the book again before I asked :/ ) You're right. I'm probably over-thinking it. Creating the laggs would probably be more disruptive anyway.

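An added example, not part of any post in this thread and not Netgate code: a pre-swap check that compares which physical NIC each pfSense interface name (wan, lan, optN) is assigned to in two nodes' config.xml files, so the interfaces where the hand-edited configs differ are visible before failing over. The `<interfaces>`/`<if>` layout is assumed from a typical pfSense config.xml, and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed samples (only the <interfaces> section); not from the thread.
OLD_NODE = """<pfsense><interfaces>
  <wan><if>rl0</if><descr>WAN</descr></wan>
  <lan><if>rl1</if><descr>LAN</descr></lan>
  <opt1><if>lagg0</if><descr>DMZ</descr></opt1>
</interfaces></pfsense>"""

NEW_NODE = """<pfsense><interfaces>
  <wan><if>igb0</if><descr>WAN</descr></wan>
  <lan><if>igb1</if><descr>LAN</descr></lan>
  <opt1><if>lagg0</if><descr>DMZ</descr></opt1>
  <opt2><if>igb3</if><descr>GUEST</descr></opt2>
</interfaces></pfsense>"""


def interface_map(config_xml):
    """Return {pfSense name: (physical NIC, description)} from a config.xml string."""
    section = ET.fromstring(config_xml).find("interfaces")
    if section is None:
        raise ValueError("no <interfaces> section found")
    return {
        node.tag: ((node.findtext("if") or "").strip(),
                   (node.findtext("descr") or node.tag).strip())
        for node in section
    }


def compare_nodes(old_xml, new_xml):
    """Return {name: (status, old NIC, new NIC)}; status is match, differs or missing."""
    old, new = interface_map(old_xml), interface_map(new_xml)
    report = {}
    for name in sorted(set(old) | set(new)):
        a = old[name][0] if name in old else None
        b = new[name][0] if name in new else None
        if a is None or b is None:
            status = "missing"   # assigned on one node only
        elif a == b:
            status = "match"     # same NIC name on both nodes (e.g. both on lagg0)
        else:
            status = "differs"   # hand-edited NIC name, e.g. rl0 vs igb0
        report[name] = (status, a, b)
    return report


if __name__ == "__main__":
    for name, (status, a, b) in compare_nodes(OLD_NODE, NEW_NODE).items():
        print(f"{name:6} {status:8} old={a} new={b}")
```
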
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.