
Topic: Only master gets software updates


Offline jobe

Only master gets software updates
« on: January 22, 2018, 06:46:54 am »
Hi everybody,
I have the following master/slave configuration:

Master IP: 192.168.1.51
Slave IP: 192.168.1.52
Virtual IP: 192.168.1.88

On the master node, if I check for updates, I receive a correct answer in a few seconds. On the slave, I receive a timeout. Only if I perform a CARP failover (so the slave becomes master) can the slave search for updates.
By performing a tcpdump on the internet gateway I noticed that both nodes use the shared IP 192.168.1.88 to connect to the internet; I do not see any connections coming from their private IPs .51 and .52. I suppose this is the cause of the issue: only the node that has the .88 IP can correctly connect to the internet and receive updates. Is this normal? Or do I have some wrong configuration?

Offline jimp

Re: Only master gets software updates
« Reply #1 on: January 22, 2018, 07:45:51 am »
Your outbound NAT rules must be incorrect. You likely have a source of "any" for the outbound NAT rules which map to your CARP VIP. This also causes traffic from the firewalls themselves to have NAT applied, which is not what you want.

Change the outbound NAT rules so they have a specific source of your local network(s). Using an alias helps keep those rules simple, even if it's a catch-all RFC1918 alias (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8)

Offline jobe

Re: Only master gets software updates
« Reply #2 on: January 23, 2018, 03:54:09 am »
Here is the current Outbound NAT configuration, that is set to 'Manual':

https://imgur.com/a/OxQfV

LAN is the 192.168.1.0/24 network, and WAN_ is the interface with the 193.x.x.x IP address. With this configuration, I have the problem reported in the first post. Do I need to add an additional rule?

Online viragomann

Re: Only master gets software updates
« Reply #3 on: January 23, 2018, 05:12:57 am »
You need an additional rule for pfSense itself like this:
interface: WAN
source: 127.0.0.0/8
dest: any
translation address: WAN address

Set this rule on the master, so it will be synced to slave.
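To make the two replies above concrete, here is a small added model of how pf evaluates a pfSense outbound NAT rule set on a CARP pair. It is example code written for this thread, not pfSense's own code or rule syntax: the node addresses .51/.52 and the VIP .88 come from the first post, while the LAN network 10.10.0.0/24, the nodes' LAN addresses, the `Node`/`NatRule` helpers and the assumption that the update check leaves sourced from the node's own WAN address are my own. It shows why a catch-all source rule breaks the slave (its NATed reply lands on whichever node holds the VIP), why a specific LAN source fixes it, and why jimp's RFC1918 catch-all alias needs viragomann's "This firewall -> WAN address" rule ordered in front of it when the WAN-side addresses are themselves RFC1918.

```python
"""Model of first-match outbound NAT evaluation on a pfSense CARP pair.

Constructed example for this thread, not pfSense code. Node addresses
(.51/.52) and the CARP VIP (.88) follow the first post; the LAN network
10.10.0.0/24, the nodes' LAN addresses and the modelling of the update
check as a connection sourced from the node's WAN address are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace

ip = ipaddress.ip_address
VIP = ip("192.168.1.88")


@dataclass(frozen=True)
class Node:
    name: str
    wan_ip: ipaddress.IPv4Address
    lan_ip: ipaddress.IPv4Address
    holds_vip: bool  # True on the node that is currently CARP MASTER

    def self_addresses(self):
        # Roughly what pfSense's "This firewall" alias (pf's (self)) expands to:
        # every address configured on the box, loopback included.
        return {self.wan_ip, self.lan_ip, ip("127.0.0.1")}


@dataclass(frozen=True)
class NatRule:
    source: str  # "any", "self", or comma-separated CIDRs (an alias)
    target: str  # "vip" (translate to the CARP VIP) or "wan-address"


def matches(rule, node, src):
    if rule.source == "any":
        return True
    if rule.source == "self":
        return src in node.self_addresses()
    return any(src in ipaddress.ip_network(c) for c in rule.source.split(","))


def translate(rules, node, src):
    """First matching rule wins, as pf does for NAT; no match means no translation."""
    for rule in rules:
        if matches(rule, node, src):
            return VIP if rule.target == "vip" else node.wan_ip
    return src


def reply_receiver(nodes, dst):
    """Where the upstream gateway's reply lands: a real WAN address reaches that
    node; the VIP reaches whichever node currently holds it."""
    for node in nodes:
        if dst == node.wan_ip or (dst == VIP and node.holds_vip):
            return node
    return None


def update_check_works(rules, nodes, node):
    """The update check succeeds only if the reply comes back to the node that sent it."""
    return reply_receiver(nodes, translate(rules, node, node.wan_ip)) is node


def lan_host_works(rules, nodes, host):
    """LAN traffic is forwarded by the MASTER and must leave as the VIP so that
    replies keep following the VIP across a failover."""
    master = next(n for n in nodes if n.holds_vip)
    return translate(rules, master, host) == VIP


def failover(nodes):
    """Swap CARP roles, as the first post did to make the slave update."""
    return tuple(replace(n, holds_vip=not n.holds_vip) for n in nodes)


def evaluate(rules, nodes):
    result = {n.name: update_check_works(rules, nodes, n) for n in nodes}
    result["lan_host"] = lan_host_works(rules, nodes, LAN_HOST)
    return result


NODES = (
    Node("master", ip("192.168.1.51"), ip("10.10.0.2"), holds_vip=True),
    Node("slave", ip("192.168.1.52"), ip("10.10.0.3"), holds_vip=False),
)
LAN_HOST = ip("10.10.0.50")  # constructed LAN client

# The symptom in the first post: a catch-all source mapped to the VIP.
CATCH_ALL = [NatRule("any", "vip")]
# jimp's fix: only the local network maps to the VIP.
LAN_ONLY = [NatRule("10.10.0.0/24", "vip")]
# The RFC1918 catch-all alias from the same reply. On this topology it also
# covers the nodes' own 192.168.1.x WAN addresses, so the slave breaks again...
RFC1918 = [NatRule("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "vip")]
# ...unless viragomann's "This firewall -> WAN address" rule is ordered before it.
RFC1918_WITH_SELF = [NatRule("self", "wan-address")] + RFC1918

if __name__ == "__main__":
    for label, rules in [("any->VIP", CATCH_ALL), ("LAN->VIP", LAN_ONLY),
                         ("RFC1918->VIP", RFC1918),
                         ("self->WAN, RFC1918->VIP", RFC1918_WITH_SELF)]:
        print(f"{label:26} {evaluate(rules, NODES)}")
    print("after failover, any->VIP  ", evaluate(CATCH_ALL, failover(NODES)))
```

Run it as a script to see each rule set evaluated; the catch-all set reproduces the first post exactly (master fine, slave fails, roles swap after failover), and only the sets that keep the firewall's own traffic off the VIP let both nodes fetch updates while LAN clients still leave as the VIP.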

Offline jobe

Re: Only master gets software updates
« Reply #4 on: February 05, 2018, 08:04:26 am »
Thank you for your answers. Everything worked using viragomann's rule; as the source I used "This firewall" instead of 127.0.0.0/8 and it worked anyway.