hi,
I have a strange problem with mDNS.
We have configured an OPNsense cluster with multiple CARP IPs.
On 5 interfaces, we need mDNS.
Now I see a client asking for mDNS records.
After that, there is so much mDNS traffic, like flooding/looping.
I think node1 gets the traffic and routes it to the configured networks. Now node2 also gets this traffic and does the same.
So what I see is this in tcpdump:
10:41:56.065513 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065526 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065588 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065647 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065721 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065777 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065880 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065888 IP 10.40.0.3.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066001 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066010 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066093 IP 10.40.0.3.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066185 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10.40.0.2/3 and 192.168.40.102/3 are the two firewall nodes in separate networks.
If I stop mDNS on node 2, the loop traffic stops and everything works fine.
So I think mDNS should run as a cluster service, only active on the master node.
Am I wrong? I did not find anything in the forum.
Can somebody help me please?
Thanks and kind regards,
ronny
Nobody has any idea?
Is it possible to start a service via CARP HA, so that this service only runs on the master node?
Kind regards,
ronny
There is a syshook for CARP events.
https://wiki.opnsense.org/development/backend/autorun.html
Just create a script that starts the mDNS proxy only on the master and stops it on the backup.
@hbc: thank you ... will have a look.
Now I'm interested whether I misunderstood something about mDNS on a cluster, or whether this setup has a problem.
Well, it's multicast/broadcast. That means every node receives the packets, not only the one holding the active CARP address. So every cluster node forwards the traffic to the other segment.
I've started messing with this issue on my HA config.
Experimenting with firewall rules to block the traffic from non-CARP firewall interfaces, but haven't quite gotten there yet.
Either way, thank you for this information!
This is the WIP script for stopping the mdns-repeater on CARP members, for anyone else who comes across this thread. I'll update it as I have time to test and fix.
#!/bin/sh
# WIP: stop mdns-repeater on CARP members that are not the primary node.
# Written for OPNsense (FreeBSD), so /bin/sh is used; bash is not installed by default.
set -eu

# net.inet.carp.allow is 1 when CARP is enabled on this host.
if [ "$(sysctl -n net.inet.carp.allow)" -ne 1 ]; then
    echo "CARP is not enabled"
    exit 0
fi

if [ ! -f /conf/config.xml ]; then
    echo "Unable to find OPNsense config"
    exit 1
fi

# net.inet.carp.demotion is the demotion counter added to the advskew;
# a value above 0 means this node has demoted itself (e.g. pfsync not yet
# synced or an interface down) and should not act as primary.
DEMOTE=$(sysctl -n net.inet.carp.demotion)
# net.inet.carp.preempt is the node-wide preemption setting.
PREEMPT=$(sysctl -n net.inet.carp.preempt)

if [ "${DEMOTE}" -gt 0 ]; then
    echo "Stopping MDNS Repeater on demoted CARP member"
    service mdns-repeater stop
elif [ "${PREEMPT}" -eq 0 ]; then
    # With preemption disabled this node is treated as non-primary.
    echo "Stopping MDNS Repeater on non-primary CARP member"
    service mdns-repeater stop
fi
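As an added example (editor's code, not from the thread or from the OPNsense project), here is a CARP syshook that applies hbc's suggestion directly: it reacts to the MASTER/BACKUP event the hook is handed instead of reading the demotion and preempt sysctls the way the WIP script above does. It assumes OPNsense runs executables in /usr/local/etc/rc.syshook.d/carp/ with $1 = "<vhid>@<interface>" and $2 = MASTER, BACKUP or INIT (the convention of OPNsense's devd CARP hook; check it against your release), and that the repeater's rc service is called mdns-repeater as in the thread. The file name, the logger tag and the sample ifconfig snippets are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# Install as /usr/local/etc/rc.syshook.d/carp/10-mdns-repeater (mode 0755).
# Assumed calling convention: $1 = "<vhid>@<interface>", $2 = MASTER|BACKUP|INIT.
set -eu

# Constructed ifconfig excerpts (FreeBSD format) used to exercise the decision
# logic offline; a real run passes the output of ifconfig instead.
SAMPLE_IFCONFIG_MASTER='vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.40.0.2 netmask 0xffffff00 broadcast 10.40.0.255
    inet 10.40.0.1 netmask 0xffffff00 broadcast 10.40.0.255 vhid 40
    carp: MASTER vhid 40 advbase 1 advskew 0'
SAMPLE_IFCONFIG_BACKUP='vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.40.0.3 netmask 0xffffff00 broadcast 10.40.0.255
    inet 10.40.0.1 netmask 0xffffff00 broadcast 10.40.0.255 vhid 40
    carp: BACKUP vhid 40 advbase 1 advskew 100'

# Decide what mdns-repeater should do for a CARP event.
#   $1 = event type from the hook (MASTER, BACKUP, INIT)
#   $2 = current ifconfig output
# Prints one of: start, stop, keep, ignore. No side effects, so it is testable.
mdns_decision() {
    case "$1" in
        MASTER)
            echo start ;;
        BACKUP|INIT)
            # The hook fires once per VHID. With several CARP IPs, one of them can
            # drop to BACKUP while others are still MASTER on this node (no
            # preemption, or a single link failure), so only stop the repeater
            # when no VHID on this box is MASTER any more.
            if printf '%s\n' "$2" | grep -q 'carp: MASTER'; then
                echo keep
            else
                echo stop
            fi ;;
        *)
            echo ignore ;;
    esac
}

# Carry out a decision; this is the only part that touches the system.
apply_decision() {
    case "$1" in
        start) service mdns-repeater status >/dev/null 2>&1 || service mdns-repeater start ;;
        stop)  service mdns-repeater stop ;;
        keep)  logger -t mdns-carp "other VHIDs still MASTER, keeping mdns-repeater" ;;
        *)     : ;;
    esac
}

# Only act when invoked by the hook with both arguments; running the file
# without arguments just defines the functions above.
if [ -n "${2:-}" ]; then
    logger -t mdns-carp "CARP event $1 $2"
    apply_decision "$(mdns_decision "$2" "$(ifconfig)")"
fi
```

The hook only runs on state changes, so after installing it, run it once by hand on each node (`sh 10-mdns-repeater 40@vtnet1 MASTER` on the master, `... BACKUP` on the backup) to bring the service into the right state, and confirm with `service mdns-repeater status` on both boxes before trusting a failover test.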