I have two firewalls running OBSD 5.4 x64 that are both live and working fine, except that they are unable to ping each other's IP address or the gateway address while PF is enabled. If I quickly disable PF on FW-D (the backup) then I am able to ping everything from that machine. I've gone over everything I can think of but haven't been able to figure this out, so I thought I'd ask here.

FW-C = 192.168.xx.67 255.255.252.0 = Carp Master
FW-D = 192.168.xx.65 255.255.252.0 = Carp Backup

carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:03
description: Carp 1 - Outside Iface
priority: 0
carp: BACKUP carpdev vlanxx vhid 3 advbase 1 advskew 10
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:103%carp1 prefixlen 64 scopeid 0xa
inet 192.168.xx.62 netmask 0xfffffc00 broadcast 192.168.23.255
inet 192.168.xx.63 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.64 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.66 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.70 netmask 0xfffffc00 broadcast 192.168.23.255 = alias
inet 192.168.xx.52 netmask 0xfffffc00 broadcast 192.168.23.255 = alias

Gateway = 192.168.xx.1

FW-C is active, so I can't disable PF on this server.

Neither FW-C nor FW-D can ping the gateway when PF is enabled. If I disable PF on FW-D then I can ping the gateway from FW-D.

Neither FW-C nor FW-D can ping the other's main IP (.67 or .65). If I disable PF on FW-D then I can ping .65 and .67 from FW-D!

Neither firewall can ping the main CARP IP (.62), but they can ping all the aliases; with PF disabled, .62 is pingable too.

There are other machines on the 192.168.xx.x network and they can ping all the IPs that FW-C and FW-D have, all the time.

Both firewalls have three NICs: one is dedicated to pfsync, the other two are trunked, and there are two VLANs on top of the trunk.

I stripped the pf.conf file down to as little as possible on the backup firewall this afternoon, figuring that the PF configuration must be what was wrong, but I couldn't get ping to reply. I've run tcpdump on all the interfaces and have checked pflog0 for blocked packets, to no avail :>(

If I am on FW-C and run ping 192.168.xx.65, then all I see on FW-D is the echo request over and over again:

tcpdump -n -e -ttt -i vlan40
Jan 22 00:31:49.334032 00:0a:f7:3a:44:c4 00:0a:f7:3a:45:0c 0800 98: 192.168.xx.67 > 192.168.xx.65: icmp: echo request


If anyone can help then it would really be appreciated.

Thanks
Keith.
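For comparison with a stripped-down ruleset, here is a minimal pf.conf for a CARP/pfsync pair that explicitly passes CARP advertisements on the carpdev, pfsync on the dedicated link, and ICMP echo in both directions, and logs every drop so pflog0 shows it. This is an added example, not the poster's configuration; the interface names vlan40 (the carpdev seen in the tcpdump) and em2 (the pfsync link) are assumptions.

```pf
# Added example, not the poster's pf.conf. Interface names are assumed:
# vlan40 = outside VLAN carrying CARP vhid 3 (carpdev), em2 = dedicated pfsync link.
ext_if  = "vlan40"
sync_if = "em2"
carp_if = "carp1"

set skip on lo0

# Log every drop so that pflog0 shows anything blocking the pair or the gateway.
block log all

# CARP advertisements travel on the parent interface (carpdev), not on carpN,
# and are multicast to 224.0.0.18; without this both hosts drift to MASTER.
pass quick on $ext_if proto carp

# pfsync state updates between the two firewalls on the dedicated link.
pass quick on $sync_if proto pfsync

# ICMP echo request/reply on the outside VLAN and on the CARP interface,
# so pings to the physical (.65/.67) and CARP (.62) addresses are answered.
pass on { $ext_if $carp_if } inet proto icmp icmp-type { echoreq, echorep } keep state

# Let the firewalls themselves originate traffic (ping to the gateway, etc.) statefully.
pass out on { $ext_if $carp_if } keep state
```

After loading it with pfctl -f, a tcpdump -n -e -i pflog0 alongside the ping shows which rule, if any, is still dropping the echo or its reply.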
