DHCP Failover is stuck in funky states for some Interfaces/VLANs

pyrodex:
I've configured HA failover following https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration as a guide.

I've got four internal interfaces:

* LAN - 192.168.14.0/23
* IoT - 192.168.24.0/23
* DMZ - 192.168.220.0/24
* GUEST - 192.168.215.0/24

The firewalls are configured as so:

* Firewall A - ALL VLANS configured as .2
* Firewall B - ALL VLANS configured as .3

The .1 for each of those VLANs mentioned above is configured as a CARP and that is working fine.

On the DHCP side I have the .3 configured as the failover peer IP for Firewall A and for Firewall B the .2 failover peer IP is configured. All of them have 255 as the failover split right now.

When this is all set up and the sync is done, I noticed some of the DHCP sync peers don't fully work. When I check sockstat for DHCP ports listening/established, it seems 2 of the 4 are in a SYN_SENT state and the other 2 are established and working.

It seems the DMZ and LAN subnets are the ones in the SYN_SENT state and not working as seen here:


--- Code: ---root@firewall:~ # sockstat -ss | grep dhcp
dhcpd    dhcpd      63054 4  dgram  -> /var/dhcpd/var/run/log
dhcpd    dhcpd      63054 5  stream /tmp/php-fastcgi.socket-1
dhcpd    dhcpd      63054 7  tcp4   192.168.215.2:519     192.168.215.3:8510                 ESTABLISHED
dhcpd    dhcpd      63054 14 udp4   *:67                  *:*
dhcpd    dhcpd      63054 15 tcp4   192.168.24.2:519      192.168.24.3:8511                  ESTABLISHED
dhcpd    dhcpd      63054 16 tcp4   192.168.215.2:519     *:*                                LISTEN
dhcpd    dhcpd      63054 18 tcp4   192.168.24.2:519      *:*                                LISTEN
dhcpd    dhcpd      63054 19 tcp4   192.168.220.2:52769   192.168.220.3:519                  SYN_SENT
dhcpd    dhcpd      63054 20 tcp4   192.168.220.2:520     *:*                                LISTEN
dhcpd    dhcpd      63054 21 tcp4   192.168.14.2:52770    192.168.14.3:519                   SYN_SENT
dhcpd    dhcpd      63054 22 tcp4   192.168.14.2:520      *:*                                LISTEN
root     syslog-ng  10178 20 dgram  /var/dhcpd/var/run/log
_dhcp    dhclient   65442 5  stream -> ??
_dhcp    dhclient   29199 5  stream -> ??
root@firewall:~ #

--- End code ---

I do know on the LAN and DMZ subnets I have "Deny unknown clients" enabled, but I'm not sure if that is causing any issues. It is a weird situation and I welcome any guidance and/or help.
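A small health check for the situation in the post, added here as an example (it is not from the post, from the linked wiki, or from OPNsense itself): it parses `sockstat -ss` output, maps each dhcpd failover socket to one of the four subnets listed above, and reports which subnets have a peer link that is not ESTABLISHED. It assumes the failover ports are 519 and 520 as seen in the posted output, and the sample text embedded in it is constructed to mirror that output rather than captured from a live box.

```python
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Optional

# Subnets from the post; this node's own address on each of them identifies the link.
SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.14.0/23"),
    "IoT": ipaddress.ip_network("192.168.24.0/23"),
    "DMZ": ipaddress.ip_network("192.168.220.0/24"),
    "GUEST": ipaddress.ip_network("192.168.215.0/24"),
}

# ISC dhcpd failover uses a local "port" and a remote "peer port" per peer
# definition; 519 and 520 are the values visible in the posted sockstat output.
FAILOVER_PORTS = {519, 520}

# Constructed sample modelled on the sockstat output in the post (not a live capture).
SAMPLE = """\
dhcpd    dhcpd      63054 4  dgram  -> /var/dhcpd/var/run/log
dhcpd    dhcpd      63054 7  tcp4   192.168.215.2:519     192.168.215.3:8510                 ESTABLISHED
dhcpd    dhcpd      63054 14 udp4   *:67                  *:*
dhcpd    dhcpd      63054 15 tcp4   192.168.24.2:519      192.168.24.3:8511                  ESTABLISHED
dhcpd    dhcpd      63054 16 tcp4   192.168.215.2:519     *:*                                LISTEN
dhcpd    dhcpd      63054 18 tcp4   192.168.24.2:519      *:*                                LISTEN
dhcpd    dhcpd      63054 19 tcp4   192.168.220.2:52769   192.168.220.3:519                  SYN_SENT
dhcpd    dhcpd      63054 20 tcp4   192.168.220.2:520     *:*                                LISTEN
dhcpd    dhcpd      63054 21 tcp4   192.168.14.2:52770    192.168.14.3:519                   SYN_SENT
dhcpd    dhcpd      63054 22 tcp4   192.168.14.2:520      *:*                                LISTEN
"""


@dataclass
class Socket:
    local_host: str
    local_port: int
    peer_host: Optional[str]   # None for a LISTEN socket
    peer_port: Optional[int]
    state: str


def parse_sockstat(text):
    """Return the dhcpd TCP sockets found in `sockstat -ss` output."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        # dhcpd TCP rows have 8 columns: USER COMMAND PID FD PROTO LOCAL FOREIGN STATE
        if len(f) != 8 or f[0] != "dhcpd" or not f[4].startswith("tcp"):
            continue
        lhost, lport = f[5].rsplit(":", 1)
        if f[6] == "*:*":
            peer_host, peer_port = None, None
        else:
            rhost, rport = f[6].rsplit(":", 1)
            peer_host, peer_port = rhost, int(rport)
        sockets.append(Socket(lhost, int(lport), peer_host, peer_port, f[7]))
    return sockets


def subnet_of(addr, subnets=SUBNETS):
    """Name of the configured subnet containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in subnets.items():
        if ip in net:
            return name
    return None


def failover_report(text, subnets=SUBNETS):
    """Per subnet: TCP state of the failover peer link, or 'MISSING' if no peer socket exists."""
    report = {name: "MISSING" for name in subnets}
    for s in parse_sockstat(text):
        if s.peer_host is None:
            continue  # listening socket, no peer attached
        if s.local_port not in FAILOVER_PORTS and s.peer_port not in FAILOVER_PORTS:
            continue  # some other dhcpd TCP socket, not a failover link
        name = subnet_of(s.local_host, subnets)
        if name is not None:
            report[name] = s.state
    return report


def listen_ports(text, subnets=SUBNETS):
    """Per subnet: the failover port dhcpd listens on here (the peer must use it as its 'peer port')."""
    ports = {}
    for s in parse_sockstat(text):
        if s.state == "LISTEN" and s.local_port in FAILOVER_PORTS:
            name = subnet_of(s.local_host, subnets)
            if name is not None:
                ports[name] = s.local_port
    return ports


def broken_links(report):
    """Subnet names whose peer link is not ESTABLISHED, sorted for stable output."""
    return sorted(n for n, st in report.items() if st != "ESTABLISHED")


if __name__ == "__main__":
    # On the firewall itself read live output; anywhere else fall back to the constructed sample.
    try:
        text = subprocess.run(["sockstat", "-ss"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    rep, ports = failover_report(text), listen_ports(text)
    for name in SUBNETS:
        print(f"{name:6} listen={ports.get(name, '-'):<4} peer link={rep[name]}")
    bad = broken_links(rep)
    print("OK" if not bad else "failover link not established on: " + ", ".join(bad))
```

Run it on both nodes and compare the two `listen=` columns: each subnet's listening port on one node has to match what the other node has configured as the peer port for that subnet, and a link that stays in SYN_SENT means the connect attempt is never answered on the far side, so the listening port and the firewall rules between the two CARP members on that VLAN are the first things to line up.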
