OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Andreas_ on October 25, 2017, 10:07:25 am

Title: outgoing CARP blocked
Post by: Andreas_ on October 25, 2017, 10:07:25 am
I have a pair of opnsense routers with CARP which haven't been updated for quite some time. They were running 17.1.2 fine with 16 VIFs defined on the WAN interface (since it's still impossible to define IP aliases on a VIF), and some more on the LAN and DMZ sides.

After upgrading both machines to 17.7.6 the backup machine doesn't receive CARP announcements any more on the WAN interface (other interfaces are ok), so it will switch to master (on WAN only), messing up traffic badly.

Checking on the master, I still see CARP announcements generated on the WAN if, but apparently they are not passed out. As soon as I pfctl -d the firewall, I can see CARP arriving at the secondary as well; pfctl -e and announcements are lost again.

I added explicit rules on the WAN interface, allowing CARP from the firewall, and even any traffic from the firewall, no result.

Any hint on how to get CARP working again? I'm non-redundant now, giving me a bad feeling after I had a kernel crash on the master lately.

Regards
Andreas
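An added shell check (not from the thread or from OPNsense) that reads pf rules in the form `pfctl -sr` prints them and lists the pass rules that would let CARP (IP protocol 112) through on a given interface and direction, floating rules without an "on" clause included. The rule text and the interface names em0/em1 are constructed here; in real use pipe `pfctl -sr` into carp_pass_rules instead.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output (not a real ruleset):
#  - a block rule for CARP inbound on em0
#  - a pass rule for CARP inbound on em1 only
#  - a pass rule for TCP outbound on em0 (wrong protocol)
#  - a floating pass rule for CARP with no interface (applies everywhere)
SAMPLE_RULES='block drop in log quick on em0 inet proto carp from any to any
pass in quick on em1 inet proto carp from any to any keep state
pass out quick on em0 inet proto tcp from any to any flags S/SA keep state
pass quick inet proto carp from any to any keep state'

# carp_pass_rules IFACE DIR  (rules on stdin)
# Prints every "pass" rule that matches proto carp (or 112) and either
# names IFACE in its "on" clause or has no "on" clause at all (floating).
# A rule with no explicit in/out applies to both directions.
carp_pass_rules() {
    awk -v iface="$1" -v dir="$2" '
        $1 != "pass" { next }
        ($2 == "in" || $2 == "out") && $2 != dir { next }
        {
            proto = ""; on = ""
            for (i = 1; i < NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "on")    on    = $(i + 1)
            }
            if (proto != "carp" && proto != "112") next
            if (on != "" && on != iface) next
            print
        }'
}

# count_carp_pass IFACE DIR -> number of matching pass rules in SAMPLE_RULES
count_carp_pass() {
    printf '%s\n' "$SAMPLE_RULES" | carp_pass_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: show which direction/interface pairs are covered.
for pair in "em0 out" "em0 in" "em1 in" "em1 out"; do
    set -- $pair
    echo "$1 $2: $(count_carp_pass "$1" "$2") CARP pass rule(s)"
done
```

If a pass rule is listed but announcements still stop as soon as pf is enabled, capturing on the pflog interface (`tcpdump -nei pflog0 'ip proto 112'`) shows which rule actually drops them.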
Title: Re: outgoing CARP blocked
Post by: mimugmail on October 25, 2017, 12:58:21 pm
I have a pair of opnsense routers with CARP which haven't been updated for quite a time. They were running 17.1.2 fine with 16 VIFs defined on the WAN interface (since it's still impossible to define IP aliases on a VIF), and some more on the LAN and DMZ sides.


This is btw possible since 17.7.4 or .5 I think.

Do you see blocked packets in filter.log?
Title: Re: outgoing CARP blocked
Post by: Andreas_ on October 25, 2017, 05:23:57 pm
<deviating>
Just tried: defining an IP Alias on a CARP interface isn't possible since the interface dropdown lists only physical interfaces.
If there's another way to reduce VIFs, didn't try to re-use a VIF (which according to man carp should happen behind the scenes), I'd love to know.
</deviating>

I didn't see blocked packets when filtering protocol=112 or protocol=carp, or blocked packets originating from the WAN interface. Still, they're dropped...
Title: Re: outgoing CARP blocked
Post by: mimugmail on November 09, 2017, 06:32:53 am
Please try this:

https://github.com/opnsense/plugins/issues/346#issuecomment-342887908
Title: Re: outgoing CARP blocked
Post by: Andreas_ on February 11, 2018, 03:40:25 pm
That patch, apparently included in 18.1, doesn't fix my issue.
Despite pass rules on any carp traffic on the interface and as a floating rule, the backup won't receive carp packets until I disable the fw on the master.