mdns repeater in cluster ha setup

Started by spark5, April 29, 2020, 10:52:37 AM

Hi,
I have a strange problem with mDNS.
We have configured an OPNsense cluster with multiple CARP IPs.
On 5 interfaces we need mDNS.

Now I see a client asking for mDNS records.
After that there is so much mDNS traffic, like flooding/looping.

I think node1 gets the traffic and routes it to the configured networks. Now node2 also gets this traffic and does the same.
So what I see in tcpdump is this:

10:41:56.065513 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065526 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065588 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065647 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065721 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065777 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065880 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.065888 IP 10.40.0.3.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066001 IP 192.168.40.102.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066010 IP 192.168.40.103.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066093 IP 10.40.0.3.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)
10:41:56.066185 IP 10.40.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (46)

10.40.0.2, 10.40.0.3 and 192.168.40.102, 192.168.40.103 are the two firewall nodes in separate networks.

If I stop mDNS on node 2, the loop traffic stops and everything works fine.

So I think mDNS should run as a cluster service, only active on the master node.

Am I wrong? I did not find anything in the forum.
Can somebody help me please?

Thanks and kind regards,
ronny

Nobody has any idea?

Is it possible to start a service via CARP HA, so that this service is only running on the master node?

Kind regards,
ronny

There exists a syshook for CARP events.

https://wiki.opnsense.org/development/backend/autorun.html

Just create a script that only starts the mdns proxy on master and stops it on backup.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
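A complete CARP hook along the lines hbc suggests, added here as an example (not code from this thread or from OPNsense). It assumes OPNsense invokes the hook with the subsystem and the event type (MASTER, BACKUP or INIT) as its two arguments, that the repeater's rc.d service is named mdns-repeater, and an install path under rc.syshook.d/carp, which are all assumptions of this example:

```sh
#!/bin/sh
# Added example, not code from this thread or from OPNsense: a CARP syshook
# that keeps mdns-repeater running only on the node that is CARP MASTER.
# Assumed install path: /usr/local/etc/rc.syshook.d/carp/50-mdns-repeater
# Assumed arguments: $1 = subsystem (e.g. "1@igb0"), $2 = event type
# (MASTER, BACKUP or INIT), as the OPNsense CARP syshook passes them.
set -eu

SERVICE="mdns-repeater"

# Map a CARP event type to an action on the repeater. Anything other than
# MASTER means this node must not repeat, so INIT is treated like BACKUP;
# unknown strings are ignored rather than acted on.
carp_action() {
    case "$1" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo ignore ;;
    esac
}

# Apply the action idempotently: rc.d "start"/"stop" return non-zero when
# the service is already in that state, which would abort the hook under
# "set -e", so the current state is checked first.
apply_action() {
    case "$1" in
        start) service "$SERVICE" onestatus >/dev/null 2>&1 || service "$SERVICE" onestart ;;
        stop)  service "$SERVICE" onestatus >/dev/null 2>&1 && service "$SERVICE" onestop ;;
    esac
    return 0
}

subsystem="${1:-}"
event="${2:-}"
if [ -n "$event" ]; then
    action=$(carp_action "$event")
    logger -t mdns-repeater-hook "CARP $event on $subsystem: $action $SERVICE"
    apply_action "$action"
fi
```

The hook fires once per VHID event, so on a node with several CARP VIPs the last event decides; that is fine as long as all VIPs on a node share the same state, which is the expected case in a two-node cluster.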

@hbc: thank you ... will have a look

Now I'm interested whether I understood something wrong about mDNS on a cluster, or whether this setup has a problem.

Well, it's multicast/broadcast. That means every node receives the packets, not only the cluster on the active CARP address. So every cluster node forwards the traffic to the other segment.

May 24, 2021, 01:30:54 PM #5 Last Edit: May 25, 2021, 04:23:18 PM by leprasmurf
I've started messing with this issue on my HA config.

Experimenting with firewall rules to block the traffic from non-carp firewall interfaces, but haven't quite gotten there yet.

Either way, thank you for this information!

This is the WIP script for stopping the mdns-repeater on CARP members, for anyone else who comes across this thread. I'm updating it as I have time to test and fix.


#!/usr/bin/env bash

set -euo pipefail

# Read the sysctls directly; piping "sysctl -a" through awk matches any key
# containing the pattern and yields an empty string (a test/"set -u" error)
# when the key is missing.
if [ "$(sysctl -n net.inet.carp.allow)" -ne 1 ]; then
    echo "Carp is not enabled"
    exit 0
fi

if [ ! -f /conf/config.xml ]; then
    echo "Unable to find Opnsense config"
    exit 1
fi

DEMOTE=$(sysctl -n net.inet.carp.demotion)
PREEMPT=$(sysctl -n net.inet.carp.preempt)

# "service ... stop" returns non-zero when the repeater is already stopped,
# which would abort the script under "set -e"; only stop it when it is running.
stop_repeater() {
    if service mdns-repeater onestatus >/dev/null 2>&1; then
        service mdns-repeater stop
    fi
}

if [ "${DEMOTE}" -gt 0 ]; then
    echo "Stopping MDNS Repeater on demoted CARP member"
    stop_repeater
elif [ "${PREEMPT}" -eq 0 ]; then
    echo "Stopping MDNS Repeater on non-primary CARP member"
    stop_repeater
fi