Regression #14189

open

pfBlocker-NG: HA-Sync is not working

Added by name name over 1 year ago. Updated about 2 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 23.01
Affected Architecture:

Description

I'm not the only one with this problem.

See https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working .

This is causing serious issues, as I made changes to the pfBlockerNG configuration after upgrading to pfSense+ 23.01 and now the firewall rules are synchronized, but not the tables generated by pfBlockerNG, leading to firewall errors on the backup pfSense installation.

Please create a System -> Patches patch to fix this as soon as possible.


Files

clipboard-202405311108-n6kth.png (138 KB) Danilo Zrenjanin, 05/31/2024 09:08 AM

Related issues

Related to Bug #12916: pfBlockerNG-devel cron job does not trigger xmlrpc sync (New, Viktor Gurov)
Related to Feature #12918: pfBlockerNG-devel changes from xmlrpc sync do not take effect immediately (New)
Has duplicate Bug #14220: pfBlockerNG does not sync to HA secondary (Duplicate)

Actions #1

Updated by Jim Pingle over 1 year ago

  • Project changed from pfSense Plus to pfSense Packages
  • Category changed from XMLRPC to pfBlockerNG
  • Priority changed from Urgent to Normal
  • Release Notes deleted (Default)

Packages get updated directly, they don't get patches.

Also there is almost no detail here or on the linked forum post about what is happening. "It doesn't work" isn't helpful.

Actions #2

Updated by name name over 1 year ago

I understand, but I don't know what is "not" happening.

There are two choices when configuring Sync for pfBlockerNG:

  • Sync to configured system backup server
  • Sync to host(s) defined below

For the second option I have the same credentials as I used for the main HA Sync of pfSense, which is working.

Enabled: yes
Protocol: https
Target: 10.0.97.2
Username: admin
Password: ...

Both options, even though they get accepted by the UI when pressing "Save ...", lead to the same problem:

No replication of pfBlockerNG settings takes place, which is why both the one in the forum post and I said "It's not working", like at all. I don't get error messages, nothing in the logs that I can see. Either the sync function is not even called or something isn't working right.

You change anything on the master pfSense and nothing changes on the backup pfSense.

I tried all available update options:

  • Update
  • Cron
  • Reload -> All

Nothing works.

So I can't really tell you why the xmlsync part of pfBlockerNG isn't working.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Has duplicate Bug #14220: pfBlockerNG does not sync to HA secondary added
Actions #4

Updated by Marcos M over 1 year ago

  • Status changed from New to Duplicate

This issue has existed for some time unfortunately. It's covered by the following reports:
https://redmine.pfsense.org/issues/12916
https://redmine.pfsense.org/issues/12918

Edit: re-opened as it seems to be a related but separate issue.

Actions #5

Updated by Marcos M over 1 year ago

  • Is duplicate of Bug #12916: pfBlockerNG-devel cron job does not trigger xmlrpc sync added
Actions #6

Updated by Marcos M over 1 year ago

  • Is duplicate of Feature #12918: pfBlockerNG-devel changes from xmlrpc sync do not take effect immediately added
Actions #7

Updated by Marcos M over 1 year ago

  • Is duplicate of deleted (Bug #12916: pfBlockerNG-devel cron job does not trigger xmlrpc sync)
Actions #8

Updated by Marcos M over 1 year ago

  • Related to Bug #12916: pfBlockerNG-devel cron job does not trigger xmlrpc sync added
Actions #9

Updated by Marcos M over 1 year ago

  • Status changed from Duplicate to New
Actions #10

Updated by Marcos M over 1 year ago

  • Is duplicate of deleted (Feature #12918: pfBlockerNG-devel changes from xmlrpc sync do not take effect immediately)
Actions #11

Updated by Marcos M over 1 year ago

  • Related to Feature #12918: pfBlockerNG-devel changes from xmlrpc sync do not take effect immediately added
Actions #12

Updated by Steve Y over 1 year ago

Patch to fix the typo was posted at https://forum.netgate.com/post/1108304

Actions #13

Updated by dylan mendez over 1 year ago

Related: the "Sync to configured backup server" option does not allow saving without an IP address in the target below.

The IP address does not need to be valid; the error shows up only when the space is blank.

Actions #14

Updated by Georgiy Tyutyunnik over 1 year ago

The typo fix patch from the forum thread does fix the Sync functionality for pfBlockerNG.
Tested on:
Version 23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT
pfBlockerNG version 3.2.0_5

Actions #16

Updated by Steve Y 8 months ago

Linking in https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/54 which says in part:

"All you need to do is to add the following at line 544 (which should be blank) to the pfblockerng.php file under /usr/local/www/pfblockerng/ :

pfblockerng_sync_on_changes(); // Sync config to HA slave @cron time to ensure config alignment
"

Actions #17

Updated by Danilo Zrenjanin 6 months ago

I defined a GeoIP IPv4 entry for France on the Primary.

I can confirm that the configuration doesn't get replicated from the primary to the secondary node, even after manually forcing updates on both primary and secondary.

Tested both options, "Sync to configured system backup server" and "Sync to host(s) defined below".

pfBlockerNG-devel    net    3.2.0_10
24.03-RELEASE (amd64)
built on Wed Apr 24 19:38:00 CEST 2024
FreeBSD 15.0-CURRENT
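
One way to confirm the symptom reported in this thread is to compare the pfBlockerNG sections of config.xml exports taken from the primary and the secondary. This is an added example, not code from pfSense or pfBlockerNG. The `pfblockerng` tag prefix, the ignored `pfblockerngsync` section and the sample XML are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

PREFIX = "pfblockerng"        # assumption: the package's sections share this tag prefix
IGNORE = {"pfblockerngsync"}  # assumption: per-node sync settings, expected to differ

# Constructed sample exports; element names inside the sections are illustrative.
PRIMARY = """<pfsense><installedpackages>
  <pfblockerng><config><enabled>on</enabled></config></pfblockerng>
  <pfblockerngsample><config><countries>FR</countries></config></pfblockerngsample>
  <pfblockerngsync><config><target>10.0.97.2</target></config></pfblockerngsync>
</installedpackages></pfsense>"""
SECONDARY = """<pfsense><installedpackages>
  <pfblockerng><config><enabled> on </enabled></config></pfblockerng>
  <pfblockerngsync><config></config></pfblockerngsync>
</installedpackages></pfsense>"""

def _leaves(el, path):
    """Yield (path, text) for every leaf element, in document order."""
    if len(el) == 0:
        yield path, (el.text or "").strip()
    for sub in el:
        yield from _leaves(sub, f"{path}/{sub.tag}")

def section_digests(config_xml, prefix=PREFIX, ignore=IGNORE):
    """Digest each matching child of <installedpackages>, ignoring whitespace."""
    pkgs = ET.fromstring(config_xml).find("installedpackages")
    digests = {}
    for child in (pkgs if pkgs is not None else []):
        if child.tag.startswith(prefix) and child.tag not in ignore:
            flat = repr(list(_leaves(child, child.tag))).encode()
            digests[child.tag] = hashlib.sha256(flat).hexdigest()
    return digests

def drift(primary_xml, secondary_xml):
    """Map each section that is out of sync to the kind of mismatch."""
    p, s = section_digests(primary_xml), section_digests(secondary_xml)
    report = {}
    for tag in sorted(p.keys() | s.keys()):
        if tag not in s:
            report[tag] = "missing on secondary"
        elif tag not in p:
            report[tag] = "missing on primary"
        elif p[tag] != s[tag]:
            report[tag] = "differs"
    return report

if __name__ == "__main__":
    print(drift(PRIMARY, SECONDARY))
```

An empty result means the compared sections match; any entry names a section the secondary never received or holds in a different state.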
Actions #18

Updated by Danilo Zrenjanin 6 months ago

  • Status changed from New to Confirmed
Actions #19

Updated by Danilo Zrenjanin 6 months ago

Actions #20

Updated by Danilo Zrenjanin 6 months ago

  • File deleted (clipboard-202405311108-kqkmu.png)