Hello all,
This is my first post, so I'll apologise in advance if I am being dumb.
I have searched the forums but I haven't found anything related (just people with no sync at all).
I'm in the process of prepping a new HA pair of OPNsense firewalls in my home network. Each is running on an identical Proxmox host with PCI-passthrough for the 2 NICs (WAN/LAN). They are currently not live as the plan is to replace my existing firewall when they are ready.
I've just reinstalled both firewalls from scratch using the 26.1 ISO, and applied updates to 26.1_4, and the problem persists.
Both have been set up with minimal configuration:
- WAN, LAN, and a few VLANs configured (including one for PFSYNC) and attached to new interfaces; these are identical on each firewall.
- A floating firewall rule allowing ICMP on all interfaces for testing
- An any/any rule on the PFSYNC interface to allow PFSYNC and XMLRPC sync
I've checked the firewalls can ping each other on each interface (including the PFSYNC one).
Finally, I have set up the high-availability settings according to the documentation:
- PFSYNC interface for the sync
- Peer IP is the PFSYNC IP of the other firewall
- XMLRPC Sync configured only on the master
- Username and password are still default, just in case it was a complex password typo issue
- All services selected for sync
If I use the "synchronise and reconfigure all" button on the status page, the sync works beautifully as expected; I can see this in the log files on both firewalls:
Master:
Notice opnsense /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with https://172.16.0.3/xmlrpc.php.
Backup:
Notice syslog-ng Configuration reload finished;
Notice syslog-ng Configuration reload request received, reloading configuration;
Notice opnsense /xmlrpc.php: plugins_configure monitor (execute task : dpinger_configure_do(,null))
Notice opnsense /xmlrpc.php: plugins_configure monitor (,null)
Notice opnsense /xmlrpc.php: ROUTING: keeping inet default route to 192.168.1.1
Notice opnsense /xmlrpc.php: ROUTING: configuring inet default gateway on lan
Notice opnsense /xmlrpc.php: ROUTING: entering configure using defaults
Notice configctl event @ 1770003384.80 exec: system event config_changed response: OK
Notice configctl event @ 1770003384.80 msg: Feb 2 03:36:24 OPNsense02.internal config[51995]: config-event: new_config /conf/backup/config-1770003384.7952.xml
Notice opnsense /xmlrpc.php: plugins_configure monitor (execute task : dpinger_configure_do(,null))
Notice opnsense /xmlrpc.php: plugins_configure monitor (,null)
Notice opnsense /xmlrpc.php: ROUTING: keeping inet default route to 192.168.1.1
Notice opnsense /xmlrpc.php: ROUTING: configuring inet default gateway on lan
Notice kernel <6>[1613] carp: demoted by 240 to 240 (pfsync bulk start)
Notice kernel <6>[1613] carp: 1@ixl0: INIT -> BACKUP (initialization complete)
Notice kernel <6>[1613] ixl0: promiscuous mode enabled
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (1)
Notice opnsense /xmlrpc.php: ROUTING: entering configure using defaults
Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "VIP - LAN (192.168.1.250) (1@ixl0)" has resumed the state "BACKUP" for vhid 1
However, if I change anything on the master firewall (a new firewall rule, a new Virtual IP), I can see the configuration change in the log, but it does not trigger a sync to the backup firewall:
Notice configctl event @ 1770003822.21 exec: system event config_changed response: OK
Notice configctl event @ 1770003822.21 msg: Feb 2 03:43:42 OPNsense01.internal config[80873]: config-event: new_config /conf/backup/config-1770003822.2062.xml
As I understand it, this configctl event should trigger an automatic sync to the backup, but I do not see that in the logs and the changes are not synchronised. If I run another manual sync from the high-availability status page, any changes since the last manual sync are successfully synced as expected.
Am I doing something wrong? Is this a Layer 8 issue?
How do I go about diagnosing this further to see why the sync is not triggering on a configuration change?
Any assistance would be greatly appreciated.
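One way to answer "did this config change ever get pushed?" mechanically, rather than by eyeballing the log viewer, is to correlate each `config_changed` event with the next `rc.filter_synchronize` success line. The script below is an added example for that, not code from the poster or from OPNsense. The sample lines are constructed to mirror the three message types quoted in the post (the configctl `config_changed` event, the `config-event: new_config /conf/backup/...` line that names the backup revision, and the master's "Filter sync successfully completed with ..." line); the `<epoch seconds> <message>` layout is an assumption made for the example, since the GUI excerpts above carry no per-line timestamp, so `LINE_RE` must be adapted to whatever timestamp your exported log actually has. The `window_s` threshold is likewise a chosen heuristic: a sync that lands seconds after the change is the automatic one, a sync minutes later is most likely the manual button.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample log, modelled on the lines quoted in the post above.
# The "<epoch seconds> <message>" layout is an assumption of this example,
# not OPNsense's actual on-disk syslog format; adapt LINE_RE to your export.
SAMPLE_LOG = """\
1770003384.80 configctl event exec: system event config_changed response: OK
1770003384.80 configctl event msg: Feb 2 03:36:24 OPNsense01.internal config[51990]: config-event: new_config /conf/backup/config-1770003384.7952.xml
1770003386.10 opnsense /usr/local/etc/rc.filter_synchronize: Filter sync successfully completed with https://172.16.0.3/xmlrpc.php.
1770003822.21 configctl event exec: system event config_changed response: OK
1770003822.21 configctl event msg: Feb 2 03:43:42 OPNsense01.internal config[80873]: config-event: new_config /conf/backup/config-1770003822.2062.xml
1770003950.00 configctl event exec: system event config_changed response: OK
1770003950.00 configctl event msg: Feb 2 03:45:50 OPNsense01.internal config[80901]: config-event: new_config /conf/backup/config-1770003950.0001.xml
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<msg>.*)$")
CHANGE_RE = re.compile(r"system event config_changed response: OK")
NEWCONF_RE = re.compile(r"config-event: new_config (?P<path>\S+)")
# Lazy match plus optional trailing "." so the URL is captured without the sentence's full stop.
SYNC_OK_RE = re.compile(r"Filter sync successfully completed with (?P<peer>\S+?)\.?$")


@dataclass
class ConfigChange:
    ts: float                          # when config_changed fired on the master
    backup_path: Optional[str] = None  # /conf/backup/config-*.xml written for it
    synced_at: Optional[float] = None  # first successful XMLRPC sync at/after ts
    peer: Optional[str] = None         # sync target URL, if synced

    @property
    def delay(self) -> Optional[float]:
        return None if self.synced_at is None else self.synced_at - self.ts


def parse_events(lines: Iterable[str]) -> List[ConfigChange]:
    """Pair each config_changed event with its backup file and the next sync success."""
    changes: List[ConfigChange] = []
    awaiting_path: Optional[ConfigChange] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if CHANGE_RE.search(msg):
            awaiting_path = ConfigChange(ts=ts)
            changes.append(awaiting_path)
            continue
        nc = NEWCONF_RE.search(msg)
        if nc and awaiting_path is not None:
            awaiting_path.backup_path = nc["path"]
            awaiting_path = None
            continue
        so = SYNC_OK_RE.search(msg)
        if so:
            # One sync pushes the whole config, so it covers every change still pending.
            for c in changes:
                if c.synced_at is None and c.ts <= ts:
                    c.synced_at, c.peer = ts, so["peer"]
    return changes


def unsynced_changes(lines: Iterable[str], window_s: float = 60.0) -> List[ConfigChange]:
    """Changes never followed by a sync, or only synced after window_s (probably by hand)."""
    return [c for c in parse_events(lines)
            if c.synced_at is None or c.delay > window_s]


def report(lines: Iterable[str], window_s: float = 60.0) -> str:
    rows = []
    for c in parse_events(lines):
        if c.synced_at is None:
            status = "NEVER SYNCED"
        elif c.delay > window_s:
            status = f"synced after {c.delay:.0f}s to {c.peer} (outside {window_s:.0f}s window)"
        else:
            status = f"synced after {c.delay:.1f}s to {c.peer}"
        rows.append(f"{c.ts:.2f} {c.backup_path or '<no backup path seen>'}: {status}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run against the constructed sample, the first change is reported as synced 1.3 s later to https://172.16.0.3/xmlrpc.php, while the two later revisions are flagged NEVER SYNCED, which is exactly the pattern the post describes. Because every flagged entry carries its `/conf/backup/config-*.xml` path, the unsynced revisions can be diffed against each other to see which kind of change failed to trigger the push.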