Swapping master and slave (CARP pfsync)

[uucico]

Hi,

I have two pfsync'd CARP routers and unfortunately it happend that I made the instance on a virutalisation environment labelled "SECONDARY" the master (and thus, the backup on "PRIMARY") and this heavily confuses people (trying to configure on the backup device).
Do I understand correctly that the configuration changes are applied directly on the backup device, so that I can simply swap the side who has the pfsync IP of the other side? Or are there traps I should watch out for?

Thanks for reading and any hints appreciated!

[Monviech (Cedrik)]

The configurations of master and backup firewalls are seperate.

That means, if somebody adds new configurations to the backup firewall, they are stored on it, but they won't be present on the master firewall.

Though there are sections of the config that get auto generated to be different on the backup firewall than on the master firewall. For example the CARP VIPs, which have different advskew values (these determine which of these IPs become master or backup).

If Syncing back, you should only include sections in the XMLRPC sync that don't have this automatic behavior, like firewall rules, nat rules, etc...
Or, you export the backup firewall config, and import it on the master firewall with only the sections selected you know have changed.

Then afterwards, if both firewalls are completely the same, it might be worth a shot (maybe make snapshots beforehand if you can, or backups) to export the configuration of both firewalls, and then import the master configuration on the firewall which should become the new master, and the backup configuration on the new backup firewall.