Better and safer procedure for updating firewalls

[fabiodanzetta]

Hello everybody,

what is the best and safest procedure to update the two nodes that form the HA without risking particular disruptions or even blocking events?

Thank you all

[kristerrenaud]

I followed the instructions at https://docs.opnsense.org/manual/how-tos/carp.html and it worked for me.


Example: Updating a CARP HA Cluster
Running a redundant Active/Passive cluster leads to the expectation to have zero downtime. To keep the downtime at a minimum when running updates just follow these steps:

Update your secondary unit and wait until it is online again

On your primary unit go to Firewall ‣ Virtual IPs ‣ Status and click Enter Persistent CARP Maintenance Mode

You secondary unit is now MASTER, check if all services like DHCP, VPN, NAT are working correctly

If you ensured the update was fine, update your primary unit and hit Leave Persistent CARP Maintenance Mode

With these steps you will not lose too many packets and your existing connection will be transferred as well. Also note that entering persistent mode survives a reboot.

[fabiodanzetta]

Hi kristerrenaud ,

thank you very much for the directions.

[Jeromeb]

Thank's Kristerrenaud. I will try this in the next few days.