Core: Changes to aliases not transferred to backup node

Created on 16 Nov 2018 · 11 comments · Source: opnsense/core

When I add a new port to an alias the rules are reloaded on the MASTER but not transferred to the BACKUP node.
My workaround is to create an empty firewall rule, delete it and click on the "The firewall rule configuration has been changed... Apply changes" button.

# opnsense-version 
OPNsense 18.7.7 (amd64/OpenSSL)
support

All 11 comments

There's a patch hitting 18.7.8 (already on -devel) via https://github.com/opnsense/core/issues/2796 that helps deal with this and explains difficulties with syncing in general.

Sorry but I can't see the difficulties here or I didn't understand the problem.

The patch is only half the solution. It only synchronizes the config.
Explicitly or not is open to dispute.
But I'm missing the reload of the rules on backup site too.

I have no intention of having a say in HA functionality, completely up to @AdSchellevis

Reloading the firewall on the status page should do the trick:

[screenshot of the status page firewall reload button]

We've chosen to not custom hook synchronisations in lots of spots of our codebase for multiple reasons.

The reload via status page works. :smiley:
Is it planned to automate this again?

Sorry, it's not planned and we're probably not going to. In the early days configurations synced on config writes, leading to massive slow-downs at some point. A kind of subscription model on specific events might work, but it's not very high on my list of things to do and in practice the config will likely still lag behind in some cases.

Ideally the xml-rpc sync should also be replaced by something else at some point in time to be more consistent with the new api structure.

Sorry, it's not planned and we're probably not going to.

But that would mean that you drop HA support.
CARP without automatic rule replication is useless.
People will forget to do the extra step.

Removing the xml-rpc sync is what I'd have suggested too.
Subscription sounds good. I'd pull the config transaction-based via API synchronous or asynchronous.
A locking mechanism is probably already there. See Monit :sunglasses:
And on top a centralized management system for all of our clusters would be the icing on the cake :smirk:

Since that's very important for us I'd like to help.

People will forget to do the extra step.

To be honest, it never was flawless.

Maybe next year we could think a bit about the future of replication, our schedule is already quite full at the moment and I really want to think this through before changing anything.

Then we should change the help text of syncing Aliases (reference: https://forum.opnsense.org/index.php?topic=10698.msg48805#msg48805 )

@mimugmail I agree, we should change the description and point users to the sync option.

In fact, the same counts for all descriptions...
