Messages - Continuity

#1
Yes, now it works without problem.

Thank you.

@xmillies, for me you can set this thread as resolved.
#2
More or less the same problem:

A couple of DEC675 just arrived, we put in the business key, and when we update we receive the error:

An API exception occurred

/usr/local/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php:135: Unsupported operand types: int + string

Where can I find the fix, just to see if it applies to my case?

Here some more info:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.10 at Mon Apr 15 13:09:55 UTC 2024
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: . done
Processing entries: .......... done
OPNsense repository update completed. 873 packages processed.
All repositories are up to date.
Updating database digests format: .......... done
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
pkg: 1.19.2 -> 1.19.2_1

Number of packages to be upgraded: 1

4 MiB to be downloaded.
[1/1] Fetching pkg-1.19.2_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading pkg from 1.19.2 to 1.19.2_1...
[1/1] Extracting pkg-1.19.2_1: .......... done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (145 candidates): .......... done
Processing candidates (145 candidates): ....... done
The following 95 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
libpfctl: 0.8
openssl111: 1.1.1w
py39-pyasn1: 0.5.0
py39-pyasn1-modules: 0.3.0
py39-service-identity: 23.1.0
py39-typing-extensions: 4.9.0
squid-langpack: 7.0.0.20230225

Installed packages to be UPGRADED:
beep: 1.0_1 -> 1.0_2
choparp: 20150613 -> 20150613_1
curl: 8.3.0 -> 8.6.0
cyrus-sasl: 2.1.28 -> 2.1.28_1
easy-rsa: 3.1.6 -> 3.1.7
gettext-runtime: 0.22_1 -> 0.22.3
glib: 2.78.0,2 -> 2.78.3,2
ivykis: 0.42.4 -> 0.42.4_1
libfido2: 1.13.0 -> 1.14.0
libnet: 1.2,1 -> 1.3,1
libnghttp2: 1.56.0 -> 1.58.0
libpsl: 0.21.2_3 -> 0.21.2_4
libxml2: 2.10.4_1 -> 2.10.4_2
lighttpd: 1.4.71 -> 1.4.73
mpd5: 5.9_16 -> 5.9_17
nss: 3.93 -> 3.95
oniguruma: 6.9.8_1 -> 6.9.9
openssh-portable: 9.3.p2_1,1 -> 9.6.p1_1,1
openvpn: 2.6.6 -> 2.6.8_1
opnsense-business: 23.10 -> 23.10.3
opnsense-installer: 23.1 -> 24.1
opnsense-lang: 23.7.4 -> 23.7.11
opnsense-update: 23.7.4 -> 23.7.10_1
os-OPNBEcore: 1.2 -> 1.3
perl5: 5.34.1_3 -> 5.36.3_1
pftop: 0.8_4 -> 0.10
php82: 8.2.11 -> 8.2.14
php82-ctype: 8.2.11 -> 8.2.14
php82-curl: 8.2.11 -> 8.2.14
php82-dom: 8.2.11 -> 8.2.14
php82-filter: 8.2.11 -> 8.2.14
php82-gettext: 8.2.11 -> 8.2.14
php82-ldap: 8.2.11 -> 8.2.14
php82-mbstring: 8.2.11 -> 8.2.14
php82-pcntl: 8.2.11 -> 8.2.14
php82-pdo: 8.2.11 -> 8.2.14
php82-phpseclib: 3.0.23 -> 3.0.34
php82-session: 8.2.11 -> 8.2.14
php82-simplexml: 8.2.11 -> 8.2.14
php82-sockets: 8.2.11 -> 8.2.14
php82-sqlite3: 8.2.11 -> 8.2.14
php82-xml: 8.2.11 -> 8.2.14
php82-zlib: 8.2.11 -> 8.2.14
pkcs11-helper: 1.29.0 -> 1.29.0_1
py39-Babel: 2.13.0 -> 2.14.0
py39-aioquic: 0.9.21 -> 0.9.24
py39-anyio: 4.0.0 -> 4.2.0
py39-certifi: 2023.7.22 -> 2023.11.17
py39-charset-normalizer: 3.3.0 -> 3.3.2
py39-cryptography: 41.0.4,1 -> 41.0.7_2,1
py39-cython: 0.29.36 -> 0.29.37
py39-exceptiongroup: 1.1.3 -> 1.2.0
py39-h2: 4.0.0 -> 4.1.0
py39-httpcore: 0.18.0 -> 1.0.2
py39-httpx: 0.25.0 -> 0.26.0
py39-idna: 3.4_1 -> 3.6
py39-netaddr: 0.9.0 -> 0.10.1
py39-numexpr: 2.8.7 -> 2.8.8
py39-numpy: 1.25.0,1 -> 1.25.0_4,1
py39-outcome: 1.2.0 -> 1.3.0_1
py39-pylsqpack: 0.3.17 -> 0.3.18
py39-trio: 0.22.2 -> 0.24.0
py39-tzdata: 2023.3_1 -> 2023.4
py39-ujson: 5.8.0 -> 5.9.0
py39-urllib3: 1.26.17,1 -> 1.26.18,1
py39-yaml: 6.0 -> 6.0.1
readline: 8.2.1 -> 8.2.7
rrdtool: 1.8.0_2 -> 1.8.0_3
sqlite3: 3.43.1,1 -> 3.44.0_1,1
squid: 5.9 -> 6.6
strongswan: 5.9.11_2 -> 5.9.13
sudo: 1.9.14p3 -> 1.9.15p5
suricata: 6.0.14 -> 6.0.17
unbound: 1.18.0 -> 1.19.3
wpa_supplicant: 2.10_9 -> 2.10_10

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl111)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl111)
gmp-6.3.0 (option added: INFO)
hostapd-2.10_8 (direct dependency changed: openssl111)
isc-dhcp44-server-4.4.3P1 (direct dependency changed: openssl111)
krb5-1.21.2 (direct dependency changed: openssl111)
ldns-1.8.3 (direct dependency changed: openssl111)
libevent-2.1.12 (direct dependency changed: openssl111)
monit-5.33.0 (direct dependency changed: openssl111)
ntp-4.2.8p17_1 (direct dependency changed: openssl111)
openldap26-client-2.6.6 (direct dependency changed: openssl111)
python39-3.9.18 (direct dependency changed: openssl111)
syslog-ng-4.4.0 (direct dependency changed: openssl111)

Number of packages to be installed: 7
Number of packages to be upgraded: 75
Number of packages to be reinstalled: 13

The process will require 19 MiB more space.
93 MiB to be downloaded.
***DONE***


Type    opnsense-business
Version    23.10    
Architecture    amd64    
Commit    763f01ff8    
Mirror    https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:13:amd64/23.10    
Repositories    OPNsense    
Updated on    Wed Oct 25 15:11:46 UTC 2023    
Checked on    N/A


Edit, just to know

I did a pkg update and pkg upgrade from the CLI; now the GUI says the software is up to date, and the problem persists.
#3
Hi all
Finally we found the mistake.

We set the carp address as a /32. You can see the netmask as 0xffffffff.
We do it because there is no meaning in putting the carp address as a /24.
The interface addresses already have the netmask, and that is sufficient to create the routing entry for "ethernet reachable" addresses.

But in the code there is this control:
if (ip_in_subnet($dhcpifconf['failover_peerip'], "{$carp_nw}/{$vipent['subnet_bits']}")) {

This verifies that the failover IP is in the carp network, but if the carp network is /32, it is false and both dhcp servers go to "slave mode".


So for now, use the same netmask on the carp and on the interface addresses. Imho this control doesn't make much sense,
because imho there is no need for the carp address to be in the same network as the failover IP. Maybe it is better to check the failover with the interface addresses... But this is another story.

Could you share your opinion about this?

Best Regards
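
The check described in this post, reproduced as an added example (not code from the post or from OPNsense) with the vlan03 addresses from the ifconfig output further down the page. `ipv4_network()` and `ipv4_in_subnet()` are simplified IPv4-only stand-ins for `gen_subnet()` and `ip_in_subnet()`, and the interface key `opt4` is an assumption taken from the `dhcp_opt4` peer name.

```php
<?php
// Added example, not OPNsense code. ipv4_network() and ipv4_in_subnet() are
// simplified IPv4-only stand-ins for gen_subnet() and ip_in_subnet().
// Assumes 64-bit PHP.

function ipv4_network(string $ip, int $bits): string
{
    // Build the netmask for the prefix length and apply it to the address.
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return long2ip(ip2long($ip) & $mask);
}

function ipv4_in_subnet(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    return ipv4_network($ip, (int)$bits) === ipv4_network($net, (int)$bits);
}

// Same decision as the dhcpd.inc excerpt on this page, without the local
// override: primary only if the peer IP falls inside the CARP VIP's subnet
// and the VIP's advskew is below 20.
function failover_role(string $dhcpif, string $peerip, array $vips): string
{
    $primary = false;
    foreach ($vips as $vipent) {
        if ($vipent['interface'] !== $dhcpif) {
            continue;
        }
        $carp_nw = ipv4_network($vipent['subnet'], (int)$vipent['subnet_bits']);
        if (ipv4_in_subnet($peerip, "{$carp_nw}/{$vipent['subnet_bits']}")) {
            if (is_numeric($vipent['advskew']) && intval($vipent['advskew']) < 20) {
                $primary = true;
            }
            break;
        }
    }
    return $primary ? 'primary' : 'secondary';
}

// Sample input constructed from the page's ifconfig output (vlan03, vhid 1).
// Each node's failover peer IP is the other node's interface address.
$nodes = [
    'fw-master' => ['peerip' => '10.203.1.252', 'advskew' => '0'],
    'fw-slave'  => ['peerip' => '10.203.1.253', 'advskew' => '100'],
];
$ports = ['primary' => 519, 'secondary' => 520];

foreach ([32, 24] as $bits) {
    $roles = [];
    foreach ($nodes as $name => $n) {
        $vips = [[
            'interface'   => 'opt4',          // assumed interface key
            'subnet'      => '10.203.1.254',  // CARP VIP
            'subnet_bits' => (string)$bits,
            'advskew'     => $n['advskew'],
        ]];
        $roles[$name] = failover_role('opt4', $n['peerip'], $vips);
    }
    // A working failover pair needs exactly one primary.
    $ok = count(array_keys($roles, 'primary')) === 1;
    printf("CARP VIP /%d:\n", $bits);
    foreach ($roles as $name => $role) {
        printf("  %-9s %-9s listens on %d\n", $name, $role, $ports[$role]);
    }
    printf("  => %s\n", $ok ? 'one primary, one secondary' : 'BROKEN: no primary in the pair');
}
```

With the /32 VIP the peer address never matches the one-address CARP "network", so neither node is selected as primary; with /24 the advskew comparison decides the role.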


#4
Hi all

I think this is a bug/issue, but maybe you can see a misconfiguration.

2 firewalls in cluster, each with 6 interfaces:
- igb0 between the firewalls, for pfsync;
- igb1 used as emergency, I can connect a pc here and manage the firewall in worst case scenario.
- igb2->5 aggregated as lagg0 to the switch

On lagg0 there are all the vlans we need.

At the end the ifconfig output.

The dhcp server is on 2 vlan, vlan1 and vlan3.

The clients don't take the IP from dhcp, literally they don't receive any response from the dhcp servers (wireshark).

The log file was full of
2022-08-19T17:17:27 Error dhcpd DHCPDISCOVER from 0a:c4:ad:4b:47:fd via vlan03: peer holds all free leases
2022-08-19T17:17:26 Error dhcpd DHCPDISCOVER from 68:f7:28:fc:c9:f3 via vlan01: peer holds all free leases
2022-08-19T17:17:16 Error dhcpd DHCPDISCOVER from 68:f7:28:fc:c9:f3 via vlan01: peer holds all free leases


Looking around (can't really remember how) I found that the dhcp servers could not communicate with each other.
The auto-generated firewall rule is in place, and there is also another manual rule which permits the traffic between the firewalls on port 520 and 519 TCP.

But looking at the listening ports there is the mistake: both dhcp daemons were listening on port 520.

root@fw-slave:~ # netstat -na
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)   
[...]
tcp4       0      0 10.203.1.252.520       *.*                    LISTEN     
tcp4       0      0 10.203.5.252.520       *.*                    LISTEN     
[...]


A packet capture let me see that the secondary was trying to open a tcp connection on port 519 of the primary, but primary was listening on port 520.

Looking at the file /var/dhcpd/etc/dhcpd.conf, both configs were to listen on 520. At the end is the file of the slave for reference.

So as a workaround I modified the /usr/local/etc/inc/plugins.inc.d/dhcpd.inc on master to let it know it is master:

root@fw-master:~ # grep -B3 -A35 ZETSU /usr/local/etc/inc/plugins.inc.d/dhcpd.inc

        if (!empty($dhcpifconf['failover_peerip'])) {
            $intip = get_interface_ip($dhcpif, $ifconfig_details);
            /* ZETSU $failover_primary = false; */
            $failover_primary = true;
            if (!empty($config['virtualip']['vip'])) {
                foreach ($config['virtualip']['vip'] as $vipent) {
                    if ($vipent['interface'] == $dhcpif) {
                        $carp_nw = gen_subnet($vipent['subnet'], $vipent['subnet_bits']);
                        if (ip_in_subnet($dhcpifconf['failover_peerip'], "{$carp_nw}/{$vipent['subnet_bits']}")) {
                            /* this is the interface! */
                            if (is_numeric($vipent['advskew']) && (intval($vipent['advskew']) < 20)) {
                                $failover_primary = true;
                            }
                            break;
                        }
                    }
                }
            } else {
                log_error('Warning! DHCP Failover setup and no CARP virtual IPs defined!');
            }
            $dhcpdconf_pri = "";
            if ($failover_primary) {
                $my_port = "519";
                $peer_port = "520";
                $type = "primary";
                $dhcpdconf_pri  = "split 128;\n";
                if (isset($dhcpifconf['failover_split'])) {
                    $dhcpdconf_pri  = "split {$dhcpifconf['failover_split']};\n";
                }
                $dhcpdconf_pri .= "  mclt 600;\n";
            } else {
                $type = "secondary";
                $my_port = "520";
                $peer_port = "519";
            }


I have not taken the time to read and understand the if statement.
So the question is:
Why does it decide the master is not master?


ifconfig on primary
root@fw-master:~ # ifconfig
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Cluster
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:28
        inet 10.203.0.1 netmask 0xfffffff8 broadcast 10.203.0.7
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Emergency
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:29
        inet 192.168.23.253 netmask 0xffffff00 broadcast 192.168.23.255
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb2: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:2a
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb3: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:2a
        hwaddr 00:30:18:01:6c:2b
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb4: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:2a
        hwaddr 00:30:18:01:6c:2c
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb5: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:2a
        hwaddr 00:30:18:01:6c:2d
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: igb0 syncpeer: 10.203.0.2 maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:6c:2a
        laggproto lacp lagghash l2,l3,l4
        laggport: igb2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb4 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb5 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan01: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Management
        options=4000000<NOMAP>
        ether 00:30:18:01:6c:2a
        inet 10.203.5.253 netmask 0xffffff00 broadcast 10.203.5.255
        inet 10.203.5.254 netmask 0xffffffff broadcast 10.203.5.254 vhid 3
        groups: vlan
        carp: MASTER vhid 3 advbase 1 advskew 0
        vlan: 5 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan02: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4000000<NOMAP>
        ether 00:30:18:01:6c:2a
        inet 192.168.0.213 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.254 netmask 0xffffffff broadcast 192.168.0.254 vhid 4
        groups: vlan
        carp: MASTER vhid 4 advbase 1 advskew 0
        vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan03: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Ospiti
        options=4000000<NOMAP>
        ether 00:30:18:01:6c:2a
        inet 10.203.1.253 netmask 0xffffff00 broadcast 10.203.1.255
        inet 10.203.1.254 netmask 0xffffffff broadcast 10.203.1.254 vhid 1
        groups: vlan
        carp: MASTER vhid 1 advbase 1 advskew 0
        vlan: 4 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan04: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=4000000<NOMAP>
        ether 00:30:18:01:6c:2a
        inet [snip...] netmask 0xfffffff8 broadcast 185.100.109.151
        inet [snip...] netmask 0xfffffffc broadcast 185.100.109.151 vhid 2
        groups: vlan
        carp: MASTER vhid 2 advbase 1 advskew 0
        vlan: 99 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.203.1 --> 192.168.203.2 netmask 0xfffffff8
        groups: tun openvpn
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 54350
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.203.33 --> 192.168.203.34 netmask 0xffffffe0
        groups: tun openvpn
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 93215
root@fw-master:~ #


ifconfig on secondary
root@fw-slave:~ # ifconfig
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Cluster
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b2
        inet 10.203.0.2 netmask 0xfffffff8 broadcast 10.203.0.7
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Emergency
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b3
        inet 192.168.23.252 netmask 0xffffff00 broadcast 192.168.23.255
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb2: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b4
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb3: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b4
        hwaddr 00:30:18:01:66:b5
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb4: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b4
        hwaddr 00:30:18:01:66:b6
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb5: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b4
        hwaddr 00:30:18:01:66:b7
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160
        groups: pflog
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:30:18:01:66:b4
        laggproto lacp lagghash l2,l3,l4
        laggport: igb2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb4 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb5 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan01: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Management
        options=4000000<NOMAP>
        ether 00:30:18:01:66:b4
        inet 10.203.5.252 netmask 0xffffff00 broadcast 10.203.5.255
        inet 10.203.5.254 netmask 0xffffffff broadcast 10.203.5.254 vhid 3
        groups: vlan
        carp: BACKUP vhid 3 advbase 1 advskew 100
        vlan: 5 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan02: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4000000<NOMAP>
        ether 00:30:18:01:66:b4
        inet 192.168.0.212 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.254 netmask 0xffffffff broadcast 192.168.0.254 vhid 4
        groups: vlan
        carp: BACKUP vhid 4 advbase 1 advskew 100
        vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan03: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Ospiti
        options=4000000<NOMAP>
        ether 00:30:18:01:66:b4
        inet 10.203.1.252 netmask 0xffffff00 broadcast 10.203.1.255
        inet 10.203.1.254 netmask 0xffffffff broadcast 10.203.1.254 vhid 1
        groups: vlan
        carp: BACKUP vhid 1 advbase 1 advskew 100
        vlan: 4 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan04: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=4000000<NOMAP>
        ether 00:30:18:01:66:b4
        inet [snip...] netmask 0xfffffff8 broadcast 185.100.109.151
        inet [snip...] netmask 0xfffffffc broadcast 185.100.109.151 vhid 2
        groups: vlan
        carp: BACKUP vhid 2 advbase 1 advskew 100
        vlan: 99 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.203.1 --> 192.168.203.2 netmask 0xfffffff8
        groups: tun openvpn
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 30516
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.203.33 --> 192.168.203.34 netmask 0xffffffe0
        groups: tun openvpn
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 30997


DHCP config file of secondary.
root@fw-slave:~ # cat /var/dhcpd/etc/dhcpd.conf
option domain-name "dave.lan";
option ldap-server code 95 = text;
option arch code 93 = unsigned integer 16; # RFC4578
option pac-webui code 252 = text;

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
failover peer "dhcp_opt4" {
  secondary;
  address 10.203.1.252;
  port 520;
  peer address 10.203.1.253;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
 
  load balance max seconds 3;
}

failover peer "dhcp_opt2" {
  secondary;
  address 10.203.5.252;
  port 520;
  peer address 10.203.5.253;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
 
  load balance max seconds 3;
}


subnet 10.203.1.0 netmask 255.255.255.0 {
  pool {
    option domain-name-servers 10.203.1.254;
    deny dynamic bootp clients;
    failover peer "dhcp_opt4";
    range 10.203.1.100 10.203.1.199;
  }

  option routers 10.203.1.254;
  option domain-name-servers 10.203.1.254;

}

subnet 10.203.5.0 netmask 255.255.255.0 {
  pool {
    option domain-name-servers 10.203.5.254;
    deny dynamic bootp clients;
    ignore-client-uids true;
    failover peer "dhcp_opt2";
    range 10.203.5.100 10.203.5.109;
  }

  option routers 10.203.5.254;
  option domain-name-servers 10.203.5.254;

}