OPNsense Forum

English Forums => High availability => Topic started by: Elia99 on May 06, 2024, 12:10:15 pm

Title: High Availability - How to upgrade the cluster remotely? How to manage plugins?
Post by: Elia99 on May 06, 2024, 12:10:15 pm
Hello there!

I have a working HA cluster and I was always able to upgrade both nodes successfully.

Now, I would like to provide an HA setup to a customer; the problem is that their office is in another town, very far from where I am.

Obviously I'll need to go there at least one time to configure both firewalls for the first time and set up CARP and HA, but how can I upgrade the HA cluster remotely? I don't want to go there each time I need to upgrade to a newer OPNsense version.

Right now, to upgrade my firewalls I need to temporarily disable CARP on the secondary node (slave) and force a new WAN gateway (which is my Linux laptop with a wireless adapter connected to my smartphone hotspot, then bridged with a wired adapter that the OPNsense WAN is connected to) in order to let the secondary node reach the Internet; then, after the upgrade of the secondary, I re-enable CARP on it and perform a failover from the primary node (master) in order to let the secondary node (which I just upgraded) become the master, and then upgrade the new primary node (which previously was the master).

So, I have some questions:

1) Generally speaking, is this the correct way to upgrade both nodes of a HA cluster?
2) How can I upgrade a cluster remotely?
3) How can I install a new plugin on both primary and secondary nodes without causing downtimes?

In the docs, I see these steps, but I don't know how these are gonna work if the secondary node is basically offline (can't reach the Internet, thus can't reach the OPNsense repos to upgrade).

Quote
Example: Updating a CARP HA Cluster
Running a redundant Active/Passive cluster leads to the expectation to have zero downtime. To keep the downtime at a minimum when running updates just follow these steps:

Update your secondary unit and wait until it is online again

On your primary unit go to Interfaces ‣ Virtual IPs ‣ Status and click Enter Persistent CARP Maintenance Mode

Your secondary unit is now MASTER, check if all services like DHCP, VPN, NAT are working correctly

If you ensured the update was fine, update your primary unit and hit Leave Persistent CARP Maintenance Mode

With these steps you will not lose too many packets and your existing connection will be transferred as well. Also note that entering persistent mode survives a reboot.

 Any help?