Best practice for keeping a backup pfSense box in sync

I have two identical boxes with pfSense CE running on them. One is always left off until it's time to update the main one, at which point the goal was always to update the cold standby box, then switch the wires over and update the new cold standby box. I have unused ports on both, and I feel like there's a logical way to be able to keep both on when needed and update the config of the cold standby from my management side. I just can't wrap my head around how best to do this.

Again, the boxes are identical, so the interfaces have the same names, and I believe that a straight config copy from one to the other would work. Do I just set up another private LAN and put a wire between them? In my mind the fact that the WAN ports and LAN side of each would have the same information would make getting from the "active" side to the "backup" problematic if I'm coming from a LAN that both think they control. If I had a third box I could test this, but since one is my main border that can't really be done without planned downtime.

Any help/pointers appreciated.

pfSense has a sync feature to keep several online pfSense instances in sync for failover. I suppose that would satisfy your needs if you are OK with all instances being alive simultaneously.

Or, if you own a /29, you could simply put your setup in HA and have true failover.

I have had a similar setup in place; while my two boxes are very similar, they are not identical. I've found that certificates don't play nice, especially with FreeRADIUS, and I suspect OpenVPN too.

In your position I would keep my main box as is, then do a clean install of pfSense and import the config onto the backup. Doing this routine every time you do an update would be a good check to make sure your backup is working too.

I'm pretty sure having two identical boxes on the same network with the same config is a bad idea. You could of course just change the WAN IP on the backup to a local IP, and change that every time you copy over the config XML.

Well, I understand the various options that are available in that sense. In our situation we do want the standby box to be a cold standby. We have people who know what to do as far as powering on and swapping specific cable ports if something requires it.

I'm trying to figure out the best practice (or maybe the easiest way) to be able to have both on and connected at the same time to copy configs. The boxes don't have a serial console, so I was hoping utilizing one of the free gig ports would somehow work. Shouldn't I be able to connect them and then allow access to each other's admin via that network, and at that point restore a config from my current "working" box after updates? If this will cause problems with OpenVPN then I will have to deal with that, but everything else is fairly vanilla.

How many times do you change the firewall settings?

Have a procedure that if you change anything on firewall A, you create a backup and restore this to firewall B.
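The two suggestions above (change the standby's WAN IP to a local address each time the config XML is copied over, and make "back up A, restore to B" a fixed procedure) can be combined into one script that takes the active box's backup and writes the standby's copy. The following is an added example, not code from this thread or from the pfSense project. It assumes the standby's WAN port is cabled to a private link between the two boxes (the spare gig ports mentioned in the thread), so the WAN gets a static RFC 1918 address and its gateway selection is dropped; the sample config.xml is constructed and trimmed to the sections the script touches, and the hostname parameter is an optional extra not discussed in the thread.

```python
"""Produce a cold-standby pfSense config from the active box's config.xml.

Added example, not code from the thread or from the pfSense project.
Assumption: the standby's WAN port is cabled to a private link between
the two boxes, so its WAN is given a static RFC 1918 address and the WAN
gateway reference is dropped; every other setting is copied unchanged.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the sections this script reads or rewrites.
# A real config.xml (Diagnostics > Backup & Restore on the active box) has
# many more sections; they pass through untouched.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>22.9</version>
  <system>
    <hostname>fw-border</hostname>
    <domain>example.internal</domain>
  </system>
  <interfaces>
    <wan>
      <enable></enable>
      <if>igb0</if>
      <descr><![CDATA[WAN]]></descr>
      <ipaddr>203.0.113.10</ipaddr>
      <subnet>29</subnet>
      <gateway>WANGW</gateway>
    </wan>
    <lan>
      <enable></enable>
      <if>igb1</if>
      <descr><![CDATA[LAN]]></descr>
      <ipaddr>10.0.0.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
  <gateways>
    <gateway_item>
      <interface>wan</interface>
      <gateway>203.0.113.9</gateway>
      <name>WANGW</name>
      <ipprotocol>inet</ipprotocol>
    </gateway_item>
  </gateways>
</pfsense>
"""


def _text(root, path):
    node = root.find(path)
    return None if node is None else (node.text or "")


def _set(parent, tag, text):
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    node.text = text


def config_version(config_xml):
    """The <version> of the config schema; both boxes should report the same."""
    return _text(ET.fromstring(config_xml), "version")


def interface_settings(config_xml, name):
    """ipaddr/subnet/gateway of <interfaces><name>, None for a missing field."""
    iface = ET.fromstring(config_xml).find("interfaces/" + name)
    if iface is None:
        raise ValueError("config has no <interfaces><%s> section" % name)
    return {k: _text(iface, k) for k in ("ipaddr", "subnet", "gateway")}


def make_standby_config(config_xml, wan_ipaddr, wan_subnet, hostname=None):
    """Return config_xml with the WAN moved to a static private address."""
    root = ET.fromstring(config_xml)
    if root.tag != "pfsense":
        raise ValueError("not a pfSense config.xml (root is <%s>)" % root.tag)
    wan = root.find("interfaces/wan")
    if wan is None:
        raise ValueError("config has no <interfaces><wan> section")
    _set(wan, "ipaddr", wan_ipaddr)
    _set(wan, "subnet", str(wan_subnet))
    # Assumption: the standby must not install a default route toward an ISP
    # router it cannot reach over the private link, so the interface's gateway
    # selection is removed. The <gateways> section itself is left alone
    # because firewall rules may reference its names.
    gw = wan.find("gateway")
    if gw is not None:
        wan.remove(gw)
    if hostname is not None:
        system = root.find("system")
        if system is None:
            system = ET.SubElement(root, "system")
        _set(system, "hostname", hostname)
    # ElementTree re-escapes CDATA bodies as ordinary text; pfSense reads both
    # forms the same way, but a textual diff against the original will show
    # those lines as changed.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # usage: python make_standby.py active.xml 192.168.250.2 30 [hostname] > standby.xml
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.250.2"
    prefix = sys.argv[3] if len(sys.argv) > 3 else "30"
    name = sys.argv[4] if len(sys.argv) > 4 else None
    sys.stdout.write(make_standby_config(src, ip, prefix, name))
```

Run it against a backup downloaded from the active box, then upload the result on the standby through Diagnostics > Backup & Restore over the private link (pfSense reboots after a restore). Before the first run, compare `config_version()` of a fresh backup from each box: a mismatch means the two boxes are not on the same release, which undercuts the "identical boxes" assumption the thread relies on. The backup file carries the admin password hash, VPN pre-shared keys and certificate private keys, so move it only over that private link or SSH, use the encrypted-backup option if the file will sit anywhere else, and delete the working copies afterwards.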

This sounds great. But again, the question is about whether there's an easy way to make that happen where I can access each from my management LAN to do this, when each will have pretty much the same config but one will have down interfaces other than a private net for the two.

Now I'm starting to think it will be easier if I throw another NIC in my management machine and simply swap that NIC's connection from one box to the other to update the cold/standby box.