Author Topic: [SOLVED] Re: pfsync - better to activate on both cluster nodes? -> yes (Read 3810 times)

Werner Fischer · « **on:** September 17, 2019, 10:49:17 am »

Hi all,

when you are setting up a firewall cluster, the documentation https://docs.opnsense.org/manual/how-tos/carp.html#setup-ha-sync-xmlrpc-and-pfsync currently says:

First we should enable pfSync using our dedicated interface using the master firewall. Go to System ‣ High Availability ‣ Settings, enable pfSync and select the interface used for pfSync.

Also a diff of the sample configuration shows that pfsync is only enabled on node 1 (master):

My question:

What happens e.g. when you are doing a firmware update and you switch the master role from node 1 to node 2?
I assume that pf states are not synchronized again from node 2 -> node 1 when node 1 comes back up.
I _think_ that pfsync should be enabled on node 2, too. pfsense suggests it in this way too, according to https://docs.netgate.com/pfsense/en/latest/book/highavailability/pfsync-overview.html#pfsync-overview "When pfsync is in use, pfsync settings must be enabled on all nodes participating in state synchronization, including secondary nodes, or it will not function properly."

Should we update the OPNsense documentation?

Best regards,
Werner

mimugmail · « **Reply #1 on:** September 17, 2019, 11:08:18 am »

Yes it should be enabled on both nodes. You can open a PR if you like

Werner Fischer · « **Reply #2 on:** September 17, 2019, 11:33:32 am »

Thank you, I'll update the wiki article https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration.

I'll check whether I can prepare a pull request for the OPNsense documentation. The example configuration files should be updated there, too (as the current configuration file of the backup node does not have pfsync enabled).

Werner Fischer · « **Reply #3 on:** September 19, 2019, 09:34:26 am »

I have created the pull request: https://github.com/opnsense/docs/pull/198