ping: sendto: Invalid argument on CARP BACKUP

Started by ajr, May 09, 2026, 07:37:28 PM

This is version 26.1.5
On BACKUP box, all outgoing traffic is blocked.
tcpdump -n -e -ttt -i pflog0 does not show any related violations.
192.168.178.1 is DSL Router.

Seems to be a new problem with 26.x.
Any help appreciated.

ajr

root@opn2:~/admin # ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1): 56 data bytes
ping: sendto: Invalid argument
ping: sendto: Invalid argument
root@opn2:~ # ifconfig igb1
igb1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,HWSTATS,MEXTPG>
ether 00:0d:b9:4f:fd:a1
inet 192.168.178.12 netmask 0xffffffff broadcast 192.168.178.12
inet 192.168.178.2 netmask 0xffffff00 broadcast 192.168.178.255 vhid 1
inet6 fe80::20d:b9ff:fe4f:fda1%igb1 prefixlen 64 scopeid 0x2
inet6 some_DTAG_IP6 prefixlen 64 autoconf pltime 1280 vltime 7200
inet6 fd77:8819:994b:0:20d:b9ff:fe4f:fda1 prefixlen 64 autoconf pltime 3600 vltime 7200
carp: BACKUP vhid 1 advbase 1 advskew 100
      peer 224.0.0.18 peer6 ff02::12
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@opn2:~ # pfctl -s nat
no nat proto carp all
nat on igb1 inet from ! <opn2_igb1_address> to any -> 192.168.178.2 port 1024:65535
nat on igb1 inet from <opn2_igb1_address> to any -> <opn2_igb1_address> port 1024:65535 round-robin
no rdr proto carp all
no rdr on igb0 proto tcp from any to (igb0) port = http
no rdr on igb0 proto tcp from any to (igb0) port = 44221
no rdr on igb0 proto tcp from any to (igb0) port = 44441
root@opn2:~ # tcpdump -nvs 300 -i igb1 not vrrp
tcpdump: listening on igb1, link-type EN10MB (Ethernet), snapshot length 300 bytes
16:20:29.133096 5c:6a:80:f5:84:a0 > ff:ff:ff:ff:ff:ff, Realtek unknown type 0x25
root@opn2:~ # route get 193.99.144.80
   route to: redirector.heise.de
destination: default
       mask: default
    gateway: 192.168.178.1
        fib: 0
  interface: igb1
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0



You nat any traffic on WAN to the CARP VIP apart from the interface address. But the CARP VIP is naturally occupied by the master node, and the backup cannot use it.

Traffic from OPNsense itself might rather come from 127.0.0.0/8, however. So you have to nat this subnet to the WAN interface address.

Quote from: viragomann
You nat any traffic on WAN to the CARP VIP apart from the interface address. But the CARP VIP is naturally occupied by the master node, and the backup cannot use it.
Exactly that is addressed by the 2 NAT rules.

Quote
Traffic from OPNsense itself might rather come from 127.0.0.0/8, however. So you have to nat this subnet to the WAN interface address.
tcpdump does not show any packets on the WAN interface so I do not know the sender address.

Quote from: ajr on Today at 09:41:54 AM
tcpdump does not show any packets on the WAN interface so I do not know the sender address.
Any source address in packets stemming from 127.0.0.0/8 is translated to the CARP VIP on the WAN due to your rule. So it's obvious that you cannot see any IP of this subnet.^^
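
The condition viragomann describes can be checked mechanically. The following is an added example, not part of any post in this thread: it parses `ifconfig` and `pfctl -s nat` output and reports outbound NAT rules whose translation address is a CARP VIP that this node does not currently hold as MASTER. The sample text is constructed from the output in the first post, and the function names are hypothetical.

```python
import re

# Constructed sample input, trimmed from the ifconfig and pfctl output in the first post.
IFCONFIG = """\
igb1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    inet 192.168.178.12 netmask 0xffffffff broadcast 192.168.178.12
    inet 192.168.178.2 netmask 0xffffff00 broadcast 192.168.178.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100
"""
PF_NAT = """\
no nat proto carp all
nat on igb1 inet from ! <opn2_igb1_address> to any -> 192.168.178.2 port 1024:65535
nat on igb1 inet from <opn2_igb1_address> to any -> <opn2_igb1_address> port 1024:65535 round-robin
"""


def carp_vips(ifconfig_text):
    """Return {vip: (interface, carp_state)} for every inet address that carries a vhid."""
    iface, vhid_of, state_of = None, {}, {}
    for line in ifconfig_text.splitlines():
        if m := re.match(r"(\S+): flags=", line):
            iface = m.group(1)
        elif m := re.match(r"\s*inet (\S+) .*\bvhid (\d+)", line):
            vhid_of[m.group(1)] = (iface, m.group(2))
        elif m := re.match(r"\s*carp: (\w+) vhid (\d+)", line):
            state_of[(iface, m.group(2))] = m.group(1)  # state line follows the inet lines
    return {ip: (ifc, state_of.get((ifc, vhid), "UNKNOWN"))
            for ip, (ifc, vhid) in vhid_of.items()}


def nat_to_unheld_vip(nat_text, vips):
    """Return (rule, vip, state) for nat rules translating to a VIP this node is not MASTER for."""
    findings = []
    for rule in nat_text.splitlines():
        m = re.match(r"nat on (\S+) .* -> (\S+)", rule)  # skips "no nat" and rdr lines
        if not m:
            continue
        ifc, target = m.groups()
        vip_ifc, state = vips.get(target, (None, None))
        if vip_ifc == ifc and state != "MASTER":
            findings.append((rule, target, state))
    return findings


if __name__ == "__main__":
    for rule, vip, state in nat_to_unheld_vip(PF_NAT, carp_vips(IFCONFIG)):
        print(f"{vip} is {state} on this node, but this rule translates to it:\n  {rule}")
```

On the sample it flags only the first `nat on igb1` rule; the rule that translates to the `<opn2_igb1_address>` table is left alone because a table name is not a VIP.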