OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of panachoi »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - panachoi

Pages: [1]
1
High availability / Strange behavior, unable to get CARP to work properly
« on: June 13, 2024, 03:56:50 pm »
I've read through the forums, and although I've seen similar issues, none quite matches what I'm experiencing. I'm really at a loss to explain this behavior.

I've got a cluster that has 2  10G Intel (ix) interfaces, with various vlans on them. I'm actually only seeing issues on ONE of the vlans on ONE of the interfaces, all of the other vlans on both interfaces work as expected. Needless to say this  is causing issues with CARP.

Brief description:

On the ix0_vlanX interface, the firewalls cannot seem to ping each other. On the other (ix0_vlanY), ping works fine, each firewall can ping the other, and their shared CARP address.  I say seem because on the "broken" vlan interface I can see the request and reply packets, with tcpdump, but for some reason ping reports 100% packet loss.  From a different device on the same vlan(s), I can ping both firewalls and their shared CARP address.

igmp snooping is off on the switchports
only tagged vlans are on the switch ports (the ix0 interface has no address)

I'd be happy for any input as to what might be amiss, because I'm out of ideas at this point.

2
20.1 Legacy Series / HA Setup -- no name resolution on backup with private physical addresses
« on: September 04, 2020, 10:15:55 am »
I've got my OPNSense HA cluster working 95% failover works, except that after failing over to the backup, name resolution doesn't work at all. I notice that name resolution doesn't work on the backup even when the master is running. I'm starting to suspect that the reason for this is that I'm using RFC1918 private addresses for the physical interfaces themselves (would explain why name resolution doesn't work on the backup while the master is running), but I dont know why it still doesn't work when the failover happens and the backup becomes primary. Note that everything else works in this case, I can still originate connections from the inside by using the IP address explicitly.

I would think this would be a common configuration, as many people dont have enough Public IP space to use as physical addresses on their internet interface.

Have I missed something obvious ?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2