Monit & HA/pfsync

[Evert]

Hi all,

We have a 2-node cluster, and I have set a cronjob so that all services sync from node1 to node2 once an hour.
Monit System Monitoring is one of these services and as soon as I set up the hourly sync I was receiving 2 emails each hour: Monit Stopped & Monit Started.

As you can imagine this was getting quite annoying, so I unchecked Monit on https://node1/system_hasync.php from the list. I figured that as long as the config on node2 doesn't get refreshed, there's no need to Monit to restart on this node.

Apparently I ass-u-me-d wrong: Monit still sends me 2 email each hour. Why is that?

[lshantz]

So if you have two firewalls, and you are using PFSYNC, why do you need an additional sync outside of PFSYNC? I'm new to this also, so wondering, not attacking.

[Evert]

So if you have two firewalls, and you are using PFSYNC, why do you need an additional sync outside of PFSYNC? I'm new to this also, so wondering, not attacking.

I'm probably as new as you  ;)

If I interpreted https://docs.opnsense.org/manual/hacarp.html correctly there is no automatic sync of config changes between nodes, so that's why I configured the hourly sync, as mentioned on that page.

[Frying6121]

So if you have two firewalls, and you are using PFSYNC, why do you need an additional sync outside of PFSYNC? I'm new to this also, so wondering, not attacking.

Lets put things into perspective of stateless and stateful

PFSYNC (stateful) only syncs the state table of the firewall at that point and time, aka what connections are open, closed, status, etc.

The HA sync using XMLRPC (stateless, it's a config written to disk) to actually sync the specific configs (which is limited by nature) across the two hosts, with the master being the one that you generally want to make changes to.

https://docs.opnsense.org/manual/how-tos/carp.html is a good place to learn what systems do what, and why.

[Frying6121]

Hi all,

We have a 2-node cluster, and I have set a cronjob so that all services sync from node1 to node2 once an hour.
Monit System Monitoring is one of these services and as soon as I set up the hourly sync I was receiving 2 emails each hour: Monit Stopped & Monit Started.

As you can imagine this was getting quite annoying, so I unchecked Monit on https://node1/system_hasync.php from the list. I figured that as long as the config on node2 doesn't get refreshed, there's no need to Monit to restart on this node.

Apparently I ass-u-me-d wrong: Monit still sends me 2 email each hour. Why is that?

Under the Alert Settings for your email, configure the following settings to disable from sending "instance changed" alerts, but still alert on everything else (see screenshot.)

[lshantz]

Lets put things into perspective of stateless and stateful

PFSYNC (stateful) only syncs the state table of the firewall at that point and time, aka what connections are open, closed, status, etc.

The HA sync using XMLRPC (stateless, it's a config written to disk) to actually sync the specific configs (which is limited by nature) across the two hosts, with the master being the one that you generally want to make changes to.

https://docs.opnsense.org/manual/how-tos/carp.html is a good place to learn what systems do what, and why.

I did not get that interpretation from the listed link. I used it for setup. farther down it says:
Now we need to enter the remote user name and password and configure the settings we want to duplicate to the backup server. For our setup we will enable the following:

Synchronize rules

Synchronize NAT

Synchronize DHCPD

Synchronize Virtual IPs

I take that to mean this is being pushed across pfsync as well.