CARP unicast synced despite "No XMLRPC Sync" checked for CARP Virtual IP

Started by rdol, March 01, 2025, 01:08:53 PM

Hello,
our company decided to move from pfSense to OPNsense, so I am quite new to OPNsense. I've created a CARP-based redundant FW to compare with the CARP-based redundant pfSense box we have used for many years. We use OVH; I am able to use directed multicast on all interfaces except WAN, where I am forced to use unicast because of the OVH cloud provider.

I use the latest OPNsense 25.1.2 on both nodes. There is no problem with CARP as such, I am able to failover and failback with all IP addresses on all interfaces. The problem is with syncing the configuration (including Virtual IPs) via pfsync from master to slave (or backup node).

Inline help describes exactly what I want to achieve:
"Exclude this item from the HA synchronization process. An already existing item with the same UUID on the synchronization target will not be altered or deleted as long as this is active. This option can be helpful when using Unicast CARP. After the initial synchronization, enable this option and adjust the Unicast IPs on the backup firewall. Additional IP aliases in the same VHID group can now be synced without overwriting their parent CARP VIP."

Let me describe the steps:
1) create unicast-based Virtual IP on master, do not check "No XMLRPC Sync"
2) sync configuration to backup node
3) reconfigure "Peer (ipv4)" so it refers to master's IP and to backup's IP
4) test CARP, failover, failback, all good
5) on master, check "No XMLRPC Sync". I tried checking this on the backup node too; it makes no difference to the result.
6) sync configuration to backup node

Unfortunately the whole unicast Virtual IP address configuration disappears on the backup node after finishing step 6.

Am I doing something wrong?

In System / High Availability / Settings I've chosen the following services to be synchronized via XMLRPC Sync:
Aliases, Certificates, DHCPD, Firewall Categories, Firewall Groups, Firewall Log Templates, Firewall Rules, Firewall Schedules, NAT, Static Routes, Unbound DNS, Users and Groups, Virtual IPs, Web GUI.

I didn't test it on 25.1.1, I've just finished the configuration this morning.

Best regards,

Radek
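To make the expected rule from the inline help concrete, here is an added Python model (not OPNsense code) of the two behaviours discussed in this thread: the pre-fix sync, where the master's VIP table simply replaces the backup's and the excluded unicast VIP vanishes, versus the merge the help text describes, where an item with the same UUID flagged "No XMLRPC Sync" on the target keeps its local peer address. VIP records, UUIDs and addresses are constructed sample data; the field names are assumptions, not the real config schema.

```python
"""Model of the XMLRPC sync rule for CARP Virtual IPs (added example, not
OPNsense code). 'nosync' stands for the "No XMLRPC Sync" checkbox; VIP
records are simplified dicts keyed by UUID. All values are constructed."""
from copy import deepcopy

# Constructed sample data: the master pushes its VIP table to the backup.
MASTER_VIPS = {
    "uuid-wan-1": {"interface": "wan", "subnet": "203.0.113.10", "vhid": 10,
                   "mode": "carp", "peer": "203.0.113.3", "nosync": True},
    "uuid-lan-1": {"interface": "lan", "subnet": "192.168.1.1", "vhid": 20,
                   "mode": "carp", "peer": "", "nosync": False},
}
BACKUP_VIPS = {
    # Same UUID as on the master, but the unicast peer already points back
    # at the master, which is what step 3 of the procedure sets up.
    "uuid-wan-1": {"interface": "wan", "subnet": "203.0.113.10", "vhid": 10,
                   "mode": "carp", "peer": "203.0.113.2", "nosync": True},
    "uuid-lan-1": {"interface": "lan", "subnet": "192.168.1.1", "vhid": 20,
                   "mode": "carp", "peer": "", "nosync": False},
}


def sync_vips_replace(master, backup):
    """Behaviour reported in the thread before the fix: the master's table,
    minus its nosync items, replaces the backup's table wholesale, so the
    unicast VIP excluded on the master disappears on the backup."""
    return {u: deepcopy(v) for u, v in master.items() if not v["nosync"]}


def sync_vips_merge(master, backup):
    """Behaviour the inline help promises: an item with the same UUID that is
    flagged nosync on the target is neither altered nor deleted; everything
    else follows the master, and master-side nosync items are skipped."""
    result = {u: deepcopy(v) for u, v in backup.items() if v["nosync"]}
    for uuid, vip in master.items():
        if vip["nosync"] or uuid in result:
            continue  # excluded on master, or pinned locally on the backup
        result[uuid] = deepcopy(vip)
    return result


def lost_vips(before, after):
    """UUIDs present on the backup before a sync but gone afterwards."""
    return sorted(set(before) - set(after))
```

Running `lost_vips(BACKUP_VIPS, sync_vips_replace(MASTER_VIPS, BACKUP_VIPS))` reproduces the loss of the WAN VIP described in the post, while the merge variant keeps it with the backup's own peer address.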

If you use unicast CARP you shouldn't sync Virtual IPs, only when using multicast.

https://github.com/opnsense/core/pull/8296

This was added so you can exclude them from sync.

I tested it and it should work, it's very simple code-wise. I can retest if there's an issue.
Hardware:
DEC740

Seems like there are still some challenges: it unsets the configuration item on the backup and removes it when nosync is set.

Even if the UUIDs are different (e.g. when creating both manually) the one on backup will be removed.

I'll look into this, yet I will probably not change anything about the sync code, just the help text to make clear what happens. It seems like the help text is unintentionally wrong.

https://github.com/opnsense/core/issues/8387

Thank you for the quick test and for confirming that I am not making any mistake. I also tried to create the same record on the backup node, with the same result: it's deleted during the next sync from master to backup.

Let's see what the devs will come up with. For me it would be great if it worked exactly as described in the help. Right now I have 24 VIPs, 20 of them on WAN, where I am forced to use unicast.

Meanwhile I am going to study other small but important differences between OPNsense and pfSense.

Hello, I think we found the fix.

Can you execute the following patches on both master and backup firewall?

It will adjust the help text and the behavior should be as expected then.

opnsense-patch https://github.com/opnsense/core/commit/03f96eb008eae0de6ba848511bfd6e3f4edabe47
opnsense-patch https://github.com/opnsense/core/commit/2c3482e774a9137feb7fc78f480c7785f5a1e051

Sure, I was just checking how to get to the patch, because milestone 25.7 (which the solution was assigned to) is so far away :)

Hello,
I am happy to confirm that the fix provided in the two patches above is working. I synced the initial Virtual IP configuration from master to backup and checked "No XMLRPC Sync" on master for all unicast-based Virtual IPs. After that I checked "No XMLRPC Sync" on backup for all unicast-based Virtual IPs and also changed "Peer (ipv4)" for all unicast-based Virtual IPs.

I've just initiated "Synchronize and reconfigure all" and everything is ok on backup node.

Thanks to the whole team for a quick fix!