Messages - romain

#46
15.7 Legacy Series / [SOLVED] OpenVPN timeout
October 25, 2015, 08:35:55 AM
Hello there,

I have a strange behaviour with OpenVPN (connection from the Windows OpenVPN GUI).

When I use it, after some time I get plenty of timeouts. If I wait a few seconds it comes back for a few minutes.

I tested from different locations and my internet connection is working even during the timeout.

I can't see anything on the firewall side or in the log. I sometimes restart the openvpn process and it works again for a few minutes (sometimes 5, sometimes 30).

Do you have any idea what's going on?

I'm on OPNsense 15.7.16.

Thank you.
#47
I saw that there are 4 modes of load balancing in the CARP protocol.

Is there any way I can manage which mode is activated? It seems to be set to arp by default, but for some environments ip or ip-stealth can be better.

Thank you
#48
Do my switches need to be VRRP aware, or can I use a basic switch?
#49
This is exactly the situation I tested.

[vm, client]   -->  [master, vip] --> outside world
                           [slave, vip]   --> outside world

I didn't test the ping, but the rest works (browsing the internet, DNS resolution...).

Nope, only the firewalls are using CARP. There is no VRRP configured anywhere in my architecture.

The thing is the ARP resolution does not seem to be working. The MAC address associated with the VIP address stays 00-00-5e-00-01-01 on the VM, as it does not receive any answer to its first ARP request.

If I manually add the MAC address of the CARP master's network card, everything works.

I know that my setup is complicated but I can't undo everything and test it. I can't start from the beginning as I have some services in production. Sorry :-(
#50
I did more tests today and I would like to have your opinion on my results. I think I found the trouble.

I created a complete lab as I understood it from your previous post. So I added a Windows VM behind my two firewalls, and here are the results:

If I add the IP of the network card of my firewalls as the gateway, the VM can browse the internet without any trouble.
If I add the VIP of the CARP protocol as the gateway, nothing works anymore.

If I look deeper, I can see that the ARP resolution is not working. The MAC associated with the VIP in my ARP table on the VM is 00-00-5e-00-01-01.

If I do a tcpdump on the firewall side, I can see a request for the MAC of my VIP's IP, but the firewall does not answer (it's the master).

If I manually add the real MAC address of the network card of my master firewall to the ARP table, everything works.

If I switch off the master interface, the CARP master role goes to the secondary correctly, but I need to add the new MAC address manually. Once done, everything works perfectly.

So the whole issue seems to be related to the first resolution of the MAC address. The strange thing is that if I use an IP Alias I don't have this issue, and the ifconfig output seems to be okay.

lagg0_vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:d8
        inet6 fe80::290:faff:fe9d:29d8%lagg0_vlan1001 prefixlen 64 scopeid 0x15
        inet 192.168.111.2 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255 vhid 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        vlan: 1001 parent interface: lagg0
        carp: MASTER vhid 1 advbase 1 advskew 100


Any idea for me?

Thank you!
#51
Thank you for your clarifications.

I will do a complete test and not only test with ping.
#52
15.7 Legacy Series / Re: Can't add VIP Alias
October 11, 2015, 05:45:31 PM
You're welcome. Please let me know when you fix it (or maybe it will be added to the changelog).

Have a nice day
#53
15.7 Legacy Series / [SOLVED] Can't add VIP Alias
October 07, 2015, 09:42:30 AM
Hello,

I'm on OPNsense 15.7.15-amd64. I have an issue with the IP alias.

I created a VIP IP Alias:

On the FreeBSD side, there is no VIP:

cns : flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:d8
        inet6 fe80::290:faff:fe9d:29d8%lagg0_vlan2010 prefixlen 64 scopeid 0x13
        inet 10.20.201.14 netmask 0xfffffff0 broadcast 10.20.201.15
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        vlan: 2010 parent interface: lagg0


If I need it, I must add it through the command line:

ifconfig cns 10.20.201.10 255.255.255.240 alias

I also noticed that I can no longer choose the mask size for the IP when I create the IP Alias through the interface.

Is it normal?

Thank you.
Romain
#54
Thank you for your time and for helping me on this matter.

I don't understand what you mean by "the machine must use its real IP address when talking to the outside".
Can you be more detailed?

Thank you again
#55
Thank you for your assistance!!!
#56
Do I need to reboot afterwards, as everything is in prod?
#57
Hello,

I'm a little bit worried. I was creating a new alias and a new NAT and everything was fine.

Now if I go to the Alias section, everything is empty.

I didn't apply my last NAT and all my services are still up and running.

What's going on? :-\ :'(

Thank you for your help
#58
15.7 Legacy Series / Re: LAGG - VLAN - CARP not working
September 12, 2015, 08:18:21 AM
Thank you. I can have a look with Emulex too.

Do you have any clue what's going on (if I can be more precise)?

Have a nice day and thank you again
#59
15.7 Legacy Series / Re: LAGG - VLAN - CARP not working
September 11, 2015, 11:19:28 AM
It's just to test the setup, because if I add a machine I can't reach the gateway correctly. So I tried with a ping and saw that the VLAN ID is not tagged.
#60
15.7 Legacy Series / Re: LAGG - VLAN - CARP not working
September 11, 2015, 09:54:52 AM
Here we go:


root@FW1:~ # ifconfig
oce0: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=502bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO6,VLAN_HWFILTER,VLAN_HWTSO>
        ether 00:90:fa:9d:29:00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
oce1: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=502bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO6,VLAN_HWFILTER,VLAN_HWTSO>
        ether 00:90:fa:9d:29:00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:c4:7a:32:5b:c8
        inet 1.1.1.213 netmask 0xfffffff0 broadcast 1.1.1.223
        inet6 fe80::ec4:7aff:fe32:5bc8%igb0 prefixlen 64 scopeid 0x3
        inet 1.1.1.212 netmask 0xfffffff0 broadcast 1.1.1.223
        inet 1.1.1.215 netmask 0xfffffff0 broadcast 1.1.1.223
        inet 1.1.1.216 netmask 0xfffffff0 broadcast 1.1.1.223
        inet 1.1.1.217 netmask 0xfffffff0 broadcast 1.1.1.223
        inet 1.1.1.218 netmask 0xfffffff0 broadcast 1.1.1.223
        inet 1.1.1.219 netmask 0xffffffff broadcast 1.1.1.219
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:c4:7a:32:5b:c9
        inet 192.168.12.1 netmask 0xfffffff8 broadcast 192.168.12.7
        inet6 fe80::ec4:7aff:fe32:5bc9%igb1 prefixlen 64 scopeid 0x4
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=503bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWFILTER,VLAN_HWTSO>
        ether 0c:c4:7a:32:5b:ca
        inet6 fe80::ec4:7aff:fe32:5bca%igb2 prefixlen 64 scopeid 0x5
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
        ether 0c:c4:7a:32:5b:cb
        inet6 fe80::ec4:7aff:fe32:5bcb%igb3 prefixlen 64 scopeid 0x6
        inet 192.168.13.101 netmask 0xffffff80 broadcast 192.168.13.127
        inet 192.168.13.100 netmask 0xffffff80 broadcast 192.168.13.127
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33160
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: igb1 syncpeer: 192.168.12.2 maxupd: 128 defer: off
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=502bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO6,VLAN_HWFILTER,VLAN_HWTSO>
        ether 00:90:fa:9d:29:00
        inet6 fe80::290:faff:fe9d:2900%lagg0 prefixlen 64 scopeid 0xb
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        laggproto failover lagghash l2,l3,l4
        laggport: oce1 flags=0<>
        laggport: oce0 flags=5<MASTER,ACTIVE>
lagg0_vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=203<RXCSUM,TXCSUM,TSO6>
        ether 00:90:fa:9d:29:00
        inet6 fe80::290:faff:fe9d:2900%lagg0_vlan1001 prefixlen 64 scopeid 0x16
        inet 192.168.111.1 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255 vhid 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        vlan: 1001 parent interface: lagg0
        carp: MASTER vhid 1 advbase 1 advskew 0
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::ec4:7aff:fe32:5bc8%ovpns1 prefixlen 64 scopeid 0x17
        inet 2.2.2.1 --> 2.2.2.2 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 26324
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::ec4:7aff:fe32:5bc8%ovpns2 prefixlen 64 scopeid 0x18
        inet 2.2.2.1 --> 2.2.2.2 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 30019



root@FW2:~ # ifconfig
oce0: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=400a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:90:fa:9d:29:d8
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
oce1: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=400a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:90:fa:9d:29:d8
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (10Gbase-SR <full-duplex>)
        status: active
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:c4:7a:32:63:f4
        inet 1.1.1.214 netmask 0xfffffff0 broadcast 1.1.1.223
        inet6 fe80::ec4:7aff:fe32:63f4%igb0 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 0c:c4:7a:32:63:f5
        inet 192.168.12.2 netmask 0xfffffff8 broadcast 192.168.12.7
        inet6 fe80::ec4:7aff:fe32:63f5%igb1 prefixlen 64 scopeid 0x4
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        ether 0c:c4:7a:32:63:f6
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM>
        ether 0c:c4:7a:32:63:f7
        inet6 fe80::ec4:7aff:fe32:63f7%igb3 prefixlen 64 scopeid 0x6
        inet 192.168.13.102 netmask 0xffffff80 broadcast 192.168.248.127
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33160
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1500
        pfsync: syncdev: igb1 syncpeer: 192.168.12.1 maxupd: 128 defer: off
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:90:fa:9d:29:d8
        inet6 fe80::290:faff:fe9d:29d8%lagg0 prefixlen 64 scopeid 0xb
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        laggproto failover lagghash l2,l3,l4
        laggport: oce1 flags=0<>
        laggport: oce0 flags=5<MASTER,ACTIVE>
lagg0_vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:d8
        inet6 fe80::290:faff:fe9d:29d8%lagg0_vlan1001 prefixlen 64 scopeid 0x15
        inet 192.168.111.2 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255 vhid 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        vlan: 1001 parent interface: lagg0
        carp: BACKUP vhid 1 advbase 1 advskew 100
ovpns1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ovpns2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


The strange thing is that I have VIPs on other lagg interfaces and they work well.
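Posts #50 and #60 above both hinge on reading CARP state out of ifconfig and on what MAC a client should see for the VIP. The script below is an added example written for this page, not code from the thread or from OPNsense: it parses FreeBSD ifconfig output in the format shown above, derives the virtual MAC CARP answers ARP with for a given vhid (00:00:5e:00:01:<vhid>, so 00:00:5e:00:01:01 for vhid 1), normalises the Windows `00-00-5e-00-01-01` spelling so an `arp -a` entry can be compared against it, and sanity-checks a two-node pair (same VIP on both nodes, exactly one MASTER, the MASTER holding the lower advskew). The sample input is a trimmed copy of the two lagg0_vlan1001 blocks posted above; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the lagg0_vlan1001 blocks from the two ifconfig dumps in the thread,
# trimmed to the lines this script reads (FW1 = master, FW2 = backup).
FW1_IFCONFIG = """\
lagg0_vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:00
        inet6 fe80::290:faff:fe9d:2900%lagg0_vlan1001 prefixlen 64 scopeid 0x16
        inet 192.168.111.1 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255 vhid 1
        vlan: 1001 parent interface: lagg0
        carp: MASTER vhid 1 advbase 1 advskew 0
"""
FW2_IFCONFIG = """\
lagg0_vlan1001: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:90:fa:9d:29:d8
        inet 192.168.111.2 netmask 0xffffff00 broadcast 192.168.111.255
        inet 192.168.111.3 netmask 0xffffff00 broadcast 192.168.111.255 vhid 1
        vlan: 1001 parent interface: lagg0
        carp: BACKUP vhid 1 advbase 1 advskew 100
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
ETHER_RE = re.compile(r"^\s+ether ([0-9a-f:]{17})")
# 'inet A.B.C.D netmask 0x... [broadcast X] [vhid N]'; only the vhid lines are VIPs
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (\S+)(?: broadcast \S+)?(?: vhid (\d+))?")
CARP_RE = re.compile(r"^\s+carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Map interface name -> {ether, vips: {vhid: ip}, carp: {vhid: {state, advbase, advskew}}}."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"ether": None, "vips": {}, "carp": {}}
            continue
        if current is None:
            continue
        m = ETHER_RE.match(line)
        if m:
            ifaces[current]["ether"] = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and m.group(3) is not None:
            ifaces[current]["vips"][int(m.group(3))] = m.group(1)
            continue
        m = CARP_RE.match(line)
        if m:
            ifaces[current]["carp"][int(m.group(2))] = {
                "state": m.group(1), "advbase": int(m.group(3)), "advskew": int(m.group(4))}
    return ifaces


def carp_virtual_mac(vhid: int) -> str:
    """CARP (like VRRP) answers ARP for its VIPs with the virtual MAC 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def normalize_mac(mac: str) -> str:
    """Accept the Windows spelling (00-00-5e-00-01-01) as well as the Unix one (00:00:5e:00:01:01)."""
    return mac.strip().lower().replace("-", ":")


def is_carp_virtual_mac(mac: str, vhid: int) -> bool:
    """True when an ARP-table entry holds the virtual MAC CARP uses for this vhid."""
    return normalize_mac(mac) == carp_virtual_mac(vhid)


def check_pair(fw_a: Dict[str, dict], fw_b: Dict[str, dict], iface: str, vhid: int) -> List[str]:
    """Consistency findings for one vhid on one interface across two nodes; empty list = consistent."""
    a, b = fw_a.get(iface), fw_b.get(iface)
    if a is None or b is None:
        return [f"{iface}: missing on one node"]
    ca, cb = a["carp"].get(vhid), b["carp"].get(vhid)
    if ca is None or cb is None:
        return [f"{iface}: vhid {vhid} not configured on both nodes"]
    findings = []
    if a["vips"].get(vhid) != b["vips"].get(vhid):
        findings.append(f"{iface}: vhid {vhid} VIP differs ({a['vips'].get(vhid)} vs {b['vips'].get(vhid)})")
    if sorted([ca["state"], cb["state"]]) != ["BACKUP", "MASTER"]:
        findings.append(f"{iface}: vhid {vhid} states are {ca['state']}/{cb['state']}, expected one MASTER and one BACKUP")
    else:
        master, backup = (ca, cb) if ca["state"] == "MASTER" else (cb, ca)
        if master["advskew"] > backup["advskew"]:
            findings.append(f"{iface}: vhid {vhid} MASTER has the higher advskew; the lower-advskew node is the intended master")
    if ca["advbase"] != cb["advbase"]:
        findings.append(f"{iface}: vhid {vhid} advbase differs ({ca['advbase']} vs {cb['advbase']})")
    return findings


if __name__ == "__main__":
    fw1, fw2 = parse_ifconfig(FW1_IFCONFIG), parse_ifconfig(FW2_IFCONFIG)
    print("ARP entry clients should hold for the VIP:", carp_virtual_mac(1))
    for line in check_pair(fw1, fw2, "lagg0_vlan1001", 1) or ["pair consistent"]:
        print(line)
```

For the dumps posted in #60 the pair check comes back clean (same VIP 192.168.111.3, FW1 MASTER with advskew 0, FW2 BACKUP with advskew 100), which is useful to know before digging elsewhere: when a client holds 00:00:5e:00:01:01 for a vhid-1 VIP, that is the CARP virtual MAC rather than the master's physical `ether` address, so the next thing to confirm on the master is that frames addressed to that virtual MAC are actually accepted on the lagg/VLAN interface.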