Messages

1

High availability / Re: CARP - UNICAST - HA SYNC ISSUE - yes or not?

« on: November 18, 2024, 12:26:04 am »

Issue on my interface after modifying the vhid group / it kepts two groups and got to reboot.

executing /usr/local/etc/rc.filter_synchronize pre_check_master
pre_check_master: backup mode, exit

helped me to understand.

regards,
BN

2

High availability / CARP - UNICAST - HA SYNC ISSUE - yes or not?

« on: November 14, 2024, 05:23:28 pm »

hi all,

this is a question to those who use the CAP in UNICAST since the 24_10 version:

the HA SYNC configuration tru cron isnt working anymore. Not even a error message.
I got this first when all CARP interface were not configured or active.

Has anyone this kind of issue?

thanks for help
Regards,

3

High availability / CARP UNICAST - ISSUE MAC AGEOUT

« on: November 14, 2024, 05:20:22 pm »

Hi all,

Regarding the usage of CARP (VRRP2) UNICAST, it appears that the Interface mac of the slave, when this last isnt soliciting by any other service, protocole or monitoring is aged out on the network.

Meaning that, any unicast CARP packets send from the master are flooding onto the network.

My immediate solution is to declare in static the mac of the slave for those interface.
I hesitated to use monit to ping the slave or something like this.

My asking would be to got a specific menu to send gratuitous arp from the interface GUI.


What do you think about it?

regards,

4

High availability / Re: opnsenseBE (OPNsense 24.10_7) still sending Multicast while all VIPs are Unicast

« on: November 14, 2024, 03:31:13 pm »

Hi,

From me, it means that your carp hasnt syncrhonized in unicast.
did you add the ACL to permit the trafic?

i dit sthg like this /maybe there is sthg easier:

create alias with all IP from master / create alias with all IP from SLAVE
floating ACL
any interface concerned
acl from master alias to slave alias
acl from slave alias to master alias

5

High availability / Re: CARP DHCP Cluster - Failover Split Ignored

« on: November 14, 2024, 03:06:47 pm »

Hie all,

Have you any idea regarding the split failover in ISC DHCP - while the param is synchronised and might should not be?
Could it be possible to exclude it from sync?

Regards,
James.

Could it be possible and not overrided by any code if modifying

like: if (isset($dhcpifconf['failover_peerip']) && $dhcpifconf['failover_peerip'] != '') {
if (isset($dhcpifconf['failover_split']) && $dhcpifconf['failover_split'] != '') {

> dont know the exact variable / just an exemple / but it would probably be overrided.

/usr/local/etc/rc.filter_synchronize

 // dhcpd, unchanged from legacy code (may need some inspection later)
    if (is_array($transport_data['dhcpd'])) {
        foreach($transport_data['dhcpd'] as $dhcpif => $dhcpifconf) {
            if (isset($dhcpifconf['failover_peerip']) && $dhcpifconf['failover_peerip'] != '') {
                $int = guess_interface_from_ip($dhcpifconf['failover_peerip']);
                $transport_data['dhcpd'][$dhcpif]['failover_peerip'] = get_interface_ip($int);

6

Virtual private networks / IPSEC CLIENT FAILOVER if no trafic source

« on: October 07, 2024, 11:51:04 pm »

GESTION DU FAILOVER IPSEC CLIENT


This script has been built from differents intel sources and added some adjustement.
It isnt perfect and might be unfinished for any use cases.

Context:
- IPSEC in client mode
- working uppon a carp IF, isnt capable to switch over when firewall are in master/backup mode
- if no trafic is coming from it.
- When the MASTER fails, the tunnel on the BACKUP stands down while it has previously give up after satying without any response.
This configuration components can make it.
- if you have no trafic source from the client
- if you dont want to create special rules coming from the client
If you want to improve it, welcome.
If i mistake, welcome for sharing.
I've been testing it tonight and it works in the usual case for the specified WAN interface and its VHID status.


I'm now looking for the way to send parameters from the cron job to the action module and then pass it to the script (wich is not describe here)
variables are:
CONN="con#" > connexion ID
VHID="vhid ###" > vhid ID


Ø IPSEC TUNNEL MODE CLIENT + IF CARP VIP

Ø SCRIPT+ACTION + CRON


SCRIPT

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat /home/admin/script-monit/script-monit-carp-wan-ipsec.sh
#!/bin/sh
# TEST un CARP VHID ET AGIT SUR IPSEC SELON ETAT

CONN="con#"
VHID="vhid ###"

ifconfig -a | grep 'carp:' | grep -e "$VHID" > /dev/null
if [ $? = 0 ]; then carp_state="DISABLED" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep BACKUP > /dev/null
if [ $? = 0 ]; then carp_state="BACKUP" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep MASTER > /dev/null
if [ $? = 0 ]; then carp_state="MASTER" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep INIT > /dev/null
if [ $? = 0 ]; then carp_state="INIT" ; fi

echo $carp_state

#exit

IPV4_REGEX="(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])"



if [ $carp_state == "BACKUP" ]; then ipsec down $CONN ; fi
if [ $carp_state == "INIT" ]; then ipsec down $CONN ; fi

if [ $carp_state == "MASTER" ]; then
        #check if tunel exists
        ipsec statusall 2>&1 | grep -e "$CONN" > /dev/null 2>&1
        #Save the retuned status code
        tmp=$?
        #If tunnel exists
        if [ $tmp -eq 0 ]; then
                ipsec statusall | grep -e "$CONN" | grep -i "rekeying" > /dev/null 2>&1
                if [ $? -eq 0 ]; then
                        ipsec statusall | grep -e "$CONN" | grep -v "rekeying" | grep -E "$IPV4_REGEX" > /dev/null 2>&1

                        #If tunnel is up and match IP REGEX
                        if [ $? -eq 0 ]; then
                                echo "Tunnel $CONN look ok"
                                tunnel=0
                        fi
                else
                        echo "Tunnel $CONN not ESTABLISHED"
                        tunnel=1
                        ipsec down con1
                        wait 5
                        ipsec up con1
                fi
        else
                echo "Tunnel $CONN does not EXISTS"
                tunnel=2
                /usr/local/sbin/configctl ipsec start

        fi
echo $tunnel

fi



ACTION

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat actions_ipsecfailover.conf

[check]
command:/home/admin/script-monit/script-monit-carp-wan-ipsec.sh
parameters:
type:script_output
message:Ipsec check and reload status and CARP
description: mon_failover_ipsec_carp


service configd restart
configctl ipsecfailover check


CRON

just select the action.
i made it working */5 minutes.
It does the trick during failover.


Looking now for something similar for the openvpn client tunnel wich could fail for some reason after few tries. The the process is stopped and the machine is lost.

Regards all,

James.