Upgrading High Availability Clusters

This page provides guidance on upgrading redundant firewalls (CARP, pfsync, XMLRPC config sync) across major versions of pfSense® software. Upgrading from one version to another generally follows the this procedure, exceptions are noted later in the page.

  • Review changelog/blog/upgrade guide

  • Take a backup from both nodes. Do not skip this step!

  • Upgrade secondary as described in the Upgrade Guide

  • Test secondary to be sure it is operating OK – expected packages present, services running, no obvious errors in logs, etc

  • Switch CARP to maintenance mode on primary from Status > CARP

  • Ensure traffic is still flowing properly and that the network is functional. If it is not, then exit maintenance mode on the primary, fix the secondary then try again.

  • Upgrade primary as described in the Upgrade Guide

  • Check primary to ensure it upgraded OK – expected packages present, services running, no obvious errors in logs, etc

  • Exit maintenance mode on primary

  • Test again

XMLRPC Config Sync Considerations

Upgrade either the primary or the secondary first, leaving the other on the older version until testing is complete.

Supported versions of pfSense software from the last several years properly check for and prevent unintentionally synchronizing data between incompatible versions.

pfsync considerations

The underlying pfsync protocol often changes between FreeBSD versions. Versions of pfSense software with a different base OS version of FreeBSD cannot sync their states between each other. Failover will still function, but not stateful failover so all existing connections will be dropped.

pfsync and Interface-bound States

States contain information about the interface to which they are bound. If the interfaces do not line up on both nodes then the states will not properly sync, for example if WAN is ix0 on one node and igb0 on the other.

Adding interfaces to LAGGs can work around this, since then the states would be bound to the lagg on each node rather than the underlying interface. For example, lagg0 on primary contains ix0, lagg0 on secondary contains igb0, but the states are on lagg0 for both so sync will function.

CARP considerations

CARP is generally the same between versions and will fail over and back as expected.