OPNsense Forum » English Forums » High availability
Topic: Problem with pfSync
danbet (Newbie, Posts: 45, Karma: 1)
Problem with pfSync « on: December 02, 2023, 05:08:41 pm »
I went through the following document: https://docs.opnsense.org/manual/how-tos/carp.html
Unfortunately pfSync doesn't work:
carp: demoted by -240 to 0 (pfsync bulk fail)
I may have missed something, but I can't find anything. I left out DHCP.
However, I don't have a direct connection between the two devices master and backup because they are virtual machines. I still created my own interfaces that are on the same network as the LAN.
Would it be better if I selected the LAN interface directly for synchronization?
Monviech (Hero Member, Posts: 890, Karma: 93)
Re: Problem with pfSync « Reply #1 on: December 02, 2023, 06:12:21 pm »
pfsync only works if the interface names (LAN, WAN, OPT1 etc.) on both VMs have the exact same (physical or virtual) interface associations on both sides. Have you made sure of that?
Depending on the size of the state table that's expected, it might be best to isolate the pfsync traffic into a separate VLAN with its own vNICs because it is very multicast heavy.
Also make sure that the chosen interfaces that communicate over pfsync have a firewall rule that allows the "Protocol PFSYNC", direction in, from any source to any destination.
Also as an addendum:
- CARP
- xmlrpc sync
- pfsync
are totally independent from each other. If you don't need firewall state synchronisation, you can safely leave pfsync off. If there is a failover, sessions will be newly initiated. Just using CARP is enough if there's just a failover requirement without the need for sessions being carried over seamlessly.
Reverse Proxy with automatic HTTPS and Dynamic Dns: os-caddy, Tutorial, Docs. Hardware: DEC740
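The kernel line quoted in the first post ("carp: demoted by -240 to 0 (pfsync bulk fail)") is the one signal a backup node gives that it will take over without any synced states. As an added example that is not from the thread or from OPNsense, the following Python parses that message family from syslog text and flags the failure case; the hostname and timestamps in the sample lines are constructed, and the "bulk start" / "bulk done" reasons are assumed from the FreeBSD pfsync(4) implementation.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (hostname and timestamps invented). The
# "pfsync bulk fail" message is the one quoted in the thread; "bulk start" and
# "bulk done" are assumed from the FreeBSD pfsync(4) implementation.
SAMPLE_LOG = """\
Dec  2 17:05:01 fw-backup kernel: carp: demoted by 240 to 240 (pfsync bulk start)
Dec  2 17:05:31 fw-backup kernel: carp: demoted by -240 to 0 (pfsync bulk fail)
Dec  2 17:20:12 fw-backup kernel: carp: demoted by 240 to 240 (pfsync bulk start)
Dec  2 17:20:14 fw-backup kernel: carp: demoted by -240 to 0 (pfsync bulk done)
"""

# Kernel message format: "carp: demoted by <delta> to <new level> (<reason>)"
DEMOTE_RE = re.compile(r"carp: demoted by (-?\d+) to (\d+) \(([^)]+)\)")


@dataclass
class DemoteEvent:
    delta: int   # change applied to the CARP demotion counter
    level: int   # counter value after the change (0 = eligible to become MASTER)
    reason: str  # text inside the parentheses


def parse_demotions(log_text):
    """Extract every CARP demotion event from raw syslog text."""
    events = []
    for line in log_text.splitlines():
        m = DEMOTE_RE.search(line)
        if m:
            events.append(DemoteEvent(int(m.group(1)), int(m.group(2)), m.group(3)))
    return events


def classify(event):
    """Map one event to (severity, explanation).

    "bulk start" raises the demotion so the node stays BACKUP until it holds the
    peer's state table; "bulk done" lifts it once the table arrived. "bulk fail"
    lifts it too, but with an EMPTY table: the node may now become MASTER and
    every existing session will have to be re-established on failover.
    """
    if event.reason == "pfsync bulk fail":
        return ("ALERT", "state sync failed: check the PFSYNC rule and VLAN on the sync interface")
    if event.reason == "pfsync bulk done":
        return ("OK", "state table received from peer")
    if event.reason == "pfsync bulk start":
        return ("INFO", f"held as BACKUP (demotion {event.level}) until bulk update completes")
    return ("INFO", event.reason)
```

Feed it the output of the kernel/system log on the backup node; an ALERT means the peer never delivered its state table, which is exactly the condition behind the -240 line above.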
danbet (Newbie, Posts: 45, Karma: 1)
Re: Problem with pfSync « Reply #2 on: December 04, 2023, 11:20:56 am »
The interfaces were correct, the problem was the rule of the pfSync interface. I had to allow any protocol on this, otherwise it won't work. I now only allow the pfSync network as a source. Is that right?
With VMware ESXi you can create port groups and assign them a VLAN ID. Is that enough, or does this VLAN ID also have to be specified on the switch?
The point about complete independence is very valuable to me. I actually don't need status synchronization. But isn't the configuration also transferred via pfSync?
danbet (Newbie, Posts: 45, Karma: 1)
Re: Problem with pfSync « Reply #3 on: December 04, 2023, 02:52:24 pm »
Can I use hybrid creation of outbound NAT rules (automatically generated rules are applied after the manual rules) instead of manual outbound NAT rules?
Monviech (Hero Member, Posts: 890, Karma: 93)
Re: Problem with pfSync « Reply #4 on: December 05, 2023, 01:50:46 pm »
No, the configuration is transferred via xmlrpc sync. It's a different mechanism that uses the REST API to transfer the configuration. PFSYNC is its own protocol, used by the pf packet filter to synchronize states.
https://man.freebsd.org/cgi/man.cgi?pfsync%284%29
And yes, you can use hybrid creation of outbound NAT.
- The automatic rules will all still exist
- You can create your own rules too.
danbet (Newbie, Posts: 45, Karma: 1)
Re: Problem with pfSync « Reply #5 on: December 06, 2023, 04:08:33 pm »
Does that mean, if I just want to synchronize the configuration, that I only fill out the lower part of the HA Settings page and leave the upper part empty?
Monviech (Hero Member, Posts: 890, Karma: 93)
Re: Problem with pfSync « Reply #6 on: December 06, 2023, 04:14:08 pm »
Yes, that is correct. The configuration sync is done with the checkboxes below. State synchronization doesn't synchronize the configuration.
The configuration sync is done manually. You can create a cronjob though if you want.
danbet (Newbie, Posts: 45, Karma: 1)
Re: Problem with pfSync « Reply #7 on: December 06, 2023, 04:34:02 pm »
OK, and for this I don't use a separate pfSync connection. Good.