Hi all,
when you are setting up a firewall cluster, the documentation https://docs.opnsense.org/manual/how-tos/carp.html#setup-ha-sync-xmlrpc-and-pfsync currently says:
- First we should enable pfSync using our dedicated interface using the master firewall. Go to System ‣ High Availability ‣ Settings, enable pfSync and select the interface used for pfSync.
Also a diff of the sample configuration shows that pfsync is only enabled on node 1 (master):
- https://docs.opnsense.org/_downloads/64fce6febca41b922ab9906c47078aa9/Carp_example_master.xml
- https://docs.opnsense.org/_downloads/5b64c2fa6e30519189630e5dd22f0e58/Carp_example_backup.xml
My question:
- What happens e.g. when you are doing a firmware update and you switch the master role from node 1 to node 2?
- I assume that pf states are not synchronized again from node 2 -> node 1 when node 1 comes back up.
- I _think_ that pfsync should be enabled on node 2, too. pfSense suggests it in this way too, according to https://docs.netgate.com/pfsense/en/latest/book/highavailability/pfsync-overview.html#pfsync-overview: "When pfsync is in use, pfsync settings must be enabled on all nodes participating in state synchronization, including secondary nodes, or it will not function properly."
Should we update the OPNsense documentation?
Best regards,
Werner
Yes, it should be enabled on both nodes. You can open a PR if you like :)
Thank you, I'll update the wiki article https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration.
I'll check whether I can prepare a pull request for the OPNsense documentation. The example configuration files should be updated there, too (as the current configuration file of the backup node does not have pfsync enabled).
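As an added illustration of the check described in the thread (not code from the OPNsense project or from the thread's participants), the script below reads the config.xml of each cluster node and reports any node on which pfsync is not enabled. It assumes, as OPNsense stores it, that the HA settings sit under `<opnsense><hasync>` and that the pfsync interface is kept in `<pfsyncinterface>`, with an absent or empty element meaning pfsync is off; the two sample configs are constructed and trimmed to that section, with node 2 mirroring the documented backup example in having no pfsync interface set.

```python
"""Check that pfsync is enabled on every node of an OPNsense HA pair.

Assumption (not taken from the thread): in an OPNsense config.xml the HA
settings live under <opnsense><hasync>, the pfsync interface is stored in
<pfsyncinterface>, and an absent or empty element means pfsync is disabled.
"""
import xml.etree.ElementTree as ET

# Constructed sample configs, trimmed to the <hasync> section. Node 2 has no
# pfsync interface, like the backup example config discussed above.
NODE1_XML = """<?xml version="1.0"?>
<opnsense>
  <hasync>
    <pfsyncinterface>opt1</pfsyncinterface>
    <synchronizetoip>192.168.100.2</synchronizetoip>
    <username>root</username>
  </hasync>
</opnsense>
"""

NODE2_XML = """<?xml version="1.0"?>
<opnsense>
  <hasync>
    <pfsyncinterface/>
    <synchronizetoip/>
    <username/>
  </hasync>
</opnsense>
"""


def pfsync_interface(config_xml: str):
    """Return the configured pfsync interface name, or None if pfsync is off."""
    root = ET.fromstring(config_xml)
    node = root.find("./hasync/pfsyncinterface")
    if node is None or node.text is None or not node.text.strip():
        return None
    return node.text.strip()


def nodes_missing_pfsync(configs: dict) -> list:
    """Names (sorted) of the nodes whose config has no pfsync interface set.

    States only flow in both directions (node 1 -> node 2 and node 2 -> node 1
    after a failback) when this list is empty.
    """
    return sorted(name for name, xml in configs.items()
                  if pfsync_interface(xml) is None)


def load_configs(paths: dict) -> dict:
    """Read real config.xml files: {"node1": "/path/to/config.xml", ...}."""
    return {name: open(path, encoding="utf-8").read()
            for name, path in paths.items()}


if __name__ == "__main__":
    cluster = {"node1": NODE1_XML, "node2": NODE2_XML}
    for name, xml in cluster.items():
        print(f"{name}: pfsync interface = {pfsync_interface(xml)}")
    missing = nodes_missing_pfsync(cluster)
    if missing:
        print("pfsync is NOT enabled on:", ", ".join(missing))
    else:
        print("pfsync is enabled on all nodes")
```

Against the constructed samples the script reports node 2 as missing pfsync. To run it against a real cluster, export config.xml from each node (System ‣ Configuration ‣ Backups) and pass the file paths through `load_configs` instead of the embedded strings.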
I have created the pull request: https://github.com/opnsense/docs/pull/198