Better and safer procedure for updating firewalls

fabiodanzetta · April 19, 2021, 11:43:06 AM

Hello everybody,

what is the best and safest procedure to update the two nodes that form the HA without risking particular disruptions or even blocking events?

Thank you all

kristerrenaud · April 21, 2021, 10:18:03 PM

I followed the instructions at https://docs.opnsense.org/manual/how-tos/carp.html and it worked for me.

Example: Updating a CARP HA Cluster
Running a redundant Active/Passive cluster leads to the expectation to have zero downtime. To keep the downtime at a minimum when running updates just follow these steps:

Update your secondary unit and wait until it is online again

On your primary unit go to Firewall ‣ Virtual IPs ‣ Status and click Enter Persistent CARP Maintenance Mode

You secondary unit is now MASTER, check if all services like DHCP, VPN, NAT are working correctly

If you ensured the update was fine, update your primary unit and hit Leave Persistent CARP Maintenance Mode

With these steps you will not lose too many packets and your existing connection will be transferred as well. Also note that entering persistent mode survives a reboot.

fabiodanzetta · April 22, 2021, 04:04:50 PM

Hi kristerrenaud ,

thank you very much for the directions.

Jeromeb · April 22, 2021, 04:31:47 PM

Thank's Kristerrenaud. I will try this in the next few days.

Better and safer procedure for updating firewalls

fabiodanzetta

April 19, 2021, 11:43:06 AM

kristerrenaud

April 21, 2021, 10:18:03 PM #1

fabiodanzetta

April 22, 2021, 04:04:50 PM #2

Jeromeb

April 22, 2021, 04:31:47 PM #3