The firewalls are several versions behind:
Description
Status | Assigned | Task
---|---|---
Migrated | gitlab-migration | T3194 Upgrade opnsense firewalls from 20.7.4 to 21.1.4
Migrated | gitlab-migration | T3203 docs: Document the firewall installation and procedures
Event Timeline
Before starting the upgrade, we discovered 2 problems we had to fix:
- The backup had no access to the internet, which blocked the upgrade
- The master/backup switch was not working for 4 of the 8 VIPs
#1 was due to a configuration change on the master that was not replicated on the backup: in Firewall / Settings / Advanced, the option Disable reply-to must be checked on both firewalls.
For #2, the skew value in several VIP settings was too high, so they were never elected as master. Resetting all the values to 100 on the backup resolved the problem. For example (Interfaces / Virtual IPs / Settings / 128.93.166.40):
After solving the problems, the upgrade was pretty smooth. The firewall performs the following steps:
- upgrade to the last current minor version of the current major branch
- upgrade to the first minor version of the next major branch
- upgrade to the last minor version of the current major branch
The upgrade can be done without service disruption with this procedure:
- Upgrade the backup
- Switch the VIPs to the backup (Interfaces / Virtual IPs / Enter Persistent CARP Maintenance Mode)
- Check everything is still working
- Upgrade the former master / new backup
- Reactivate CARP (Interfaces / Virtual IPs / Leave Persistent CARP Maintenance Mode)
The firewalls are now in the same state (Master/Backup) as before the upgrade.
This is the status after the upgrade we performed:
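
Added example, not part of the original comment or of the project's tooling: a pre-upgrade check for the two problems described above, run against config.xml exports from both firewalls. The element names (`system/disablereplyto`, `virtualip/vip` with `mode`, `interface`, `vhid`, `advskew`, `subnet`) are assumed from the OPNsense legacy config layout, and the sample exports are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports, not real data. Element names are an assumption.
VIP = ("<vip><mode>carp</mode><interface>{0}</interface><vhid>{1}</vhid>"
       "<advskew>{2}</advskew><subnet>{3}</subnet></vip>")
MASTER_XML = ("<opnsense><system><disablereplyto>yes</disablereplyto></system>"
              "<virtualip>" + VIP.format("wan", 1, 0, "192.0.2.10")
              + VIP.format("lan", 2, 0, "198.51.100.1") + "</virtualip></opnsense>")
BACKUP_XML = ("<opnsense><system/>"
              "<virtualip>" + VIP.format("wan", 1, 100, "192.0.2.10")
              + VIP.format("lan", 2, 240, "198.51.100.1") + "</virtualip></opnsense>")


def carp_vips(root):
    """Map (interface, vhid) -> (address, advskew) for every CARP VIP."""
    vips = {}
    for vip in root.iter("vip"):
        if vip.findtext("mode") == "carp":
            key = (vip.findtext("interface", ""), vip.findtext("vhid", ""))
            vips[key] = (vip.findtext("subnet"), int(vip.findtext("advskew") or 0))
    return vips


def preflight(master_xml, backup_xml, backup_skew=100):
    """Return findings that should be cleared before upgrading the pair."""
    master, backup = ET.fromstring(master_xml), ET.fromstring(backup_xml)
    findings = []
    # Problem #1: "Disable reply-to" must be set identically on both nodes.
    m_rt = master.find("system/disablereplyto") is not None
    b_rt = backup.find("system/disablereplyto") is not None
    if m_rt != b_rt:
        findings.append(f"disablereplyto differs: master={m_rt} backup={b_rt}")
    # Problem #2: every CARP VIP must exist on both nodes, and the backup
    # must carry the agreed skew (100 on this page).
    m_vips, b_vips = carp_vips(master), carp_vips(backup)
    for key in sorted(set(m_vips) | set(b_vips)):
        if key not in m_vips or key not in b_vips:
            findings.append(f"VIP {key} is defined on only one node")
            continue
        addr, skew = b_vips[key]
        if skew != backup_skew:
            findings.append(f"VIP {addr} {key}: backup advskew {skew}, expected {backup_skew}")
    return findings


if __name__ == "__main__":
    for line in preflight(MASTER_XML, BACKUP_XML):
        print(line)
```
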