Todo #12854

closed

Issue with virtual ips and Sync

Added by Gerald Jimenez about 3 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Virtual IP Addresses
Target version:
-
Start date:
02/22/2022
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

I have configured 2 pfsense instances with configuration sync between them. In the primary pfsense instance I added an additional ip on the wan interface in AWS, then configured that ip as a virtual ip in pfsense, then used that virtual ip in a NAT rule. I did the same in the secondary pfsense instance, but with the respective ip address of that instance in the virtual ip and the NAT rule.
The problem is, when the primary pfsense syncs with the secondary, the NAT rule in the secondary gets overwritten with the virtual ip of the primary.
To avoid this problem, virtual ips should have the option to be treated as a unique, instance-specific interface ip address. For this to work, virtual ips should work as aliases; that way you can configure the NAT rule with the alias in the primary pfsense and the rule will sync to the secondary pfsense with the alias, but the virtual ip itself should not be synced, just as it works with interface ip addresses.
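To make the overwrite described in this report concrete, here is an added example (not code from pfSense or from the reporter) that models the sync replacing the secondary's NAT section with the primary's copy and flags port forwards whose external address the secondary node does not own. The XML fragments and element names are constructed assumptions modelled on config.xml's layout, not taken from the page.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample fragments modelled on pfSense's config.xml layout
# (<virtualip>/<vip>, <nat>/<rule>); element names are assumed, not project code.
PRIMARY_XML = """<pfsense>
  <virtualip><vip><mode>ipalias</mode><interface>wan</interface>
    <subnet>198.51.100.10</subnet></vip></virtualip>
  <nat><rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><address>198.51.100.10</address><port>443</port></destination>
    <target>10.0.0.5</target><local-port>443</local-port></rule></nat>
</pfsense>"""

SECONDARY_XML = """<pfsense>
  <virtualip><vip><mode>ipalias</mode><interface>wan</interface>
    <subnet>198.51.100.20</subnet></vip></virtualip>
  <nat><rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><address>198.51.100.20</address><port>443</port></destination>
    <target>10.0.0.5</target><local-port>443</local-port></rule></nat>
</pfsense>"""

def owned_addresses(root):
    """IP-alias VIPs configured on this node; the sync leaves these alone."""
    return {v.findtext("subnet") for v in root.iter("vip")
            if v.findtext("mode") == "ipalias"}

def simulate_nat_sync(primary, secondary):
    """Model the sync: the secondary's <nat> section is replaced wholesale by
    the primary's copy, while the secondary's <virtualip> section stays local."""
    synced = copy.deepcopy(secondary)
    synced.remove(synced.find("nat"))
    synced.append(copy.deepcopy(primary.find("nat")))
    return synced

def dangling_nat_rules(root):
    """Port forwards whose external address this node does not own, i.e. rules
    that will never match traffic arriving at this node after a sync."""
    owned = owned_addresses(root)
    return [r.findtext("destination/address") for r in root.iter("rule")
            if r.findtext("destination/address") not in owned]

def audit(primary_xml, secondary_xml):
    """Return (dangling rules before sync, dangling rules after sync) for the secondary."""
    primary = ET.fromstring(primary_xml)
    secondary = ET.fromstring(secondary_xml)
    before = dangling_nat_rules(secondary)
    after = dangling_nat_rules(simulate_nat_sync(primary, secondary))
    return before, after
```

Running `audit(PRIMARY_XML, SECONDARY_XML)` returns `([], ['198.51.100.10'])`: the secondary's rule is valid until the sync, after which it points at an address only the primary holds.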

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Rejected
  • Priority changed from High to Normal
  • Target version deleted (22.01)
  • Plus Target Version deleted (22.01)

That is not a valid or supported use case of XMLRPC sync. XMLRPC config sync is intended for HA, and that isn't valid in HA. In a proper HA setup it would be using a shared CARP VIP, not separate IP aliases.

You could disable the synchronization of NAT rules and handle them manually.

Actions #2

Updated by Gerald Jimenez about 3 years ago

Jim Pingle wrote in #note-1:

That is not a valid or supported use case of XMLRPC sync. XMLRPC config sync is intended for HA, and that isn't valid in HA. In a proper HA setup it would be using a shared CARP VIP, not separate IP aliases.

You could disable the synchronization of NAT rules and handle them manually.

We are not using the virtual ips for HA. For HA we use an external solution to redirect traffic to the primary pfsense wan ip address, and if it goes offline it redirects the traffic to the secondary pfsense.
We use virtual ips to add a secondary wan ip address.

Actions #3

Updated by Jim Pingle about 3 years ago

Gerald Jimenez wrote in #note-2:

We are not using the virtual ips for HA. For HA we use an external solution to redirect traffic to the primary pfsense wan ip address, and if it goes offline it redirects the traffic to the secondary pfsense.
We use virtual ips to add a secondary wan ip address.

XMLRPC sync is only intended for CARP-based HA. Some other use cases may happen to function by accident, but they are not supported.

Actions #4

Updated by Gerald Jimenez about 3 years ago

The reason we are not using the default pfsense HA design is because you cannot use CARP virtual ip on AWS: https://forum.netgate.com/topic/122320/carp-on-aws
