OPNsense Forum

English Forums => High availability => Topic started by: fabiodanzetta on April 19, 2021, 11:43:06 am

Title: Better and safer procedure for updating firewalls
Post by: fabiodanzetta on April 19, 2021, 11:43:06 am
Hello everybody,

what is the best and safest procedure to update the two nodes that form the HA without risking particular disruptions or even blocking events?

Thank you all
Title: Re: Better and safer procedure for updating firewalls
Post by: kristerrenaud on April 21, 2021, 10:18:03 pm
I followed the instructions at https://docs.opnsense.org/manual/how-tos/carp.html and it worked for me.


Example: Updating a CARP HA Cluster
Running a redundant Active/Passive cluster leads to the expectation to have zero downtime. To keep the downtime at a minimum when running updates just follow these steps:

Update your secondary unit and wait until it is online again

On your primary unit go to Firewall ‣ Virtual IPs ‣ Status and click Enter Persistent CARP Maintenance Mode

Your secondary unit is now MASTER, check if all services like DHCP, VPN, NAT are working correctly

If you ensured the update was fine, update your primary unit and hit Leave Persistent CARP Maintenance Mode

With these steps you will not lose too many packets and your existing connection will be transferred as well. Also note that entering persistent mode survives a reboot.
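
A command-line check for the step above where the secondary unit should be MASTER, added here as an example that is not part of the post or the OPNsense documentation. It parses the `carp:` lines of FreeBSD `ifconfig` output and succeeds only when every VHID reports the expected state; the function names and the sample interface data are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify CARP roles from `ifconfig` output during an HA update.

# carp_states: read ifconfig output on stdin, print "<iface> <vhid> <state>" per VHID.
carp_states() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }  # interface header line
        $1 == "carp:" {                                  # e.g. "carp: MASTER vhid 1 advbase 1 advskew 0"
            vhid = "?"
            for (i = 3; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
            print iface, vhid, $2
        }'
}

# carp_all_in_state STATE: exit 0 only if at least one VHID was found and all
# of them report STATE; every VHID in another state is printed.
carp_all_in_state() {
    carp_states | awk -v want="$1" '
        { n++ }
        $3 != want { bad++; print "unexpected:", $0 }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample: secondary unit after the primary entered maintenance mode.
sample_secondary_ok() { cat <<'EOF'
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 100
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 100
EOF
}

# Constructed sample: split roles (one VHID did not fail over); do not update yet.
sample_secondary_split() { cat <<'EOF'
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 100
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
}

if sample_secondary_ok | carp_all_in_state MASTER; then echo "secondary holds all VIPs"; fi
# On a live node: ifconfig | carp_all_in_state MASTER
```

Run it on the secondary with `MASTER` before updating the primary, and on the primary with `BACKUP` to confirm maintenance mode took effect on every VHID.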
Title: Re: Better and safer procedure for updating firewalls
Post by: fabiodanzetta on April 22, 2021, 04:04:50 pm
Hi kristerrenaud,

thank you very much for the directions.
Title: Re: Better and safer procedure for updating firewalls
Post by: Jeromeb on April 22, 2021, 04:31:47 pm
Thanks, Kristerrenaud. I will try this in the next few days.