Re: [pfSense] CARP failover works but it only fails back the LAN

2015-03-24 Thread ED Fochler
Steve,
I have explicit multicast, network to network, and proto PFSYNC allow 
rules on my dedicated CARP interface, which MAY be unnecessary.  And I remember 
the skew number being very picky, working correctly only in the 0 & 100 
setting.  At some point my CARP interfaces stopped getting out of sync, so I 
stopped troubleshooting.

I do have 1 IP dedicated to each device + the CARP IP on each subnet and a 
dedicated direct cable between routers for CARP & sync traffic.  My hardware is 
real, not virtual, so I hope that isn’t what’s hurting you.  Good luck.

ED.

> On 2015, Mar 24, at 12:40 AM, Steve Yates wrote:
> 
>   I am not sure this is related but it is weird/bad...I got around to 
> setting the skew back to 0 for all CARP IPs on router1.  pfSense (2.2.1) 
> syncs the change to router2 so those skews change from 101 to 100.  However 
> afterwards router1 shows all five as Status of Master, and router2 shows all 
> five with a blank Status.  I must edit each of the five, save (without making 
> changes) and only once changes are Applied the Status shows as Backup.  That 
> sounds like a configuration sync bug?  I did see this when setting the skew 
> from 0 to 1 earlier today and passed it off as I was clicking around a lot, 
> but it seems to be repeatable.
> 
> --
> Steve
> 
> 
> Steve Yates wrote on Mon, Mar 23 2015 at 2:50 pm:
> 
>> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM
>> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host
>> for that VM, pfSense fails over the WAN interface but does not fail over the
>> LAN interface.  At that point external communication is lost because one
>> router is handling LAN and one WAN.  It does not seem to recover afterwards
>> until the host is restarted (we're also using VLANs on the host level for the
>> pfSense VM to use for its interfaces, so that may be a factor in having the
>> host restart).
>> 
>> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if
>> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.
>> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If
>> I reload the CARP status page on router2 quickly, I can see that the WAN and
>> LAN interfaces correctly fail over so router2 is Master, however it almost
>> immediately reverts so router2 is Master for WAN but router2 is Backup for
>> LAN, and router1 is Master for LAN.
>> 
>> How can I ensure they "fail back" together?
>> 
>> Note that when I simply boot the host for router1, pfSense does fail over and
>> back correctly!  So something is making it not fail back on the network 
>> restart?
>> 
>> For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an
>> IPv4 alias, and IPv6 CARP IP for LAN.
>> 
>> I found an OpenBSD (which I know is a different OS, but...) FAQ page on CARP
>> that says "By default all carp(4) interfaces are added to the carp group."
>> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and
>> em1, only lo0, enc0, and ovpns1.  I created a pfSense interface group
>> "carpgroup" for LAN and WAN, but had the same symptoms.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CARP failover works but it only fails back the LAN

2015-03-23 Thread Steve Yates
I am not sure this is related but it is weird/bad...I got around to 
setting the skew back to 0 for all CARP IPs on router1.  pfSense (2.2.1) syncs 
the change to router2 so those skews change from 101 to 100.  However 
afterwards router1 shows all five as Status of Master, and router2 shows all 
five with a blank Status.  I must edit each of the five, save (without making 
changes) and only once changes are Applied the Status shows as Backup.  That 
sounds like a configuration sync bug?  I did see this when setting the skew 
from 0 to 1 earlier today and passed it off as I was clicking around a lot, but 
it seems to be repeatable.

--
Steve


Steve Yates wrote on Mon, Mar 23 2015 at 2:50 pm:

> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host
> for that VM, pfSense fails over the WAN interface but does not fail over the
> LAN interface.  At that point external communication is lost because one
> router is handling LAN and one WAN.  It does not seem to recover afterwards
> until the host is restarted (we're also using VLANs on the host level for the
> pfSense VM to use for its interfaces, so that may be a factor in having the
> host restart).
> 
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if
> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.
> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If I
> reload the CARP status page on router2 quickly, I can see that the WAN and
> LAN interfaces correctly fail over so router2 is Master, however it almost
> immediately reverts so router2 is Master for WAN but router2 is Backup for
> LAN, and router1 is Master for LAN.
> 
> How can I ensure they "fail back" together?
> 
> Note that when I simply boot the host for router1, pfSense does fail over and
> back correctly!  So something is making it not fail back on the network 
> restart?
> 
> For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an
> IPv4 alias, and IPv6 CARP IP for LAN.
> 
> I found an OpenBSD (which I know is a different OS, but...) FAQ page on CARP
> that says "By default all carp(4) interfaces are added to the carp group."
> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and
> em1, only lo0, enc0, and ovpns1.  I created a pfSense interface group
> "carpgroup" for LAN and WAN, but had the same symptoms.


Re: [pfSense] CARP failover works but it only fails back the LAN

2015-03-23 Thread Steve Yates
ED Fochler wrote on Mon, Mar 23 2015 at 2:58 pm:

> Is your skew set to 0 on your primary router’s CARP interfaces?

I tried it set to Base=1, Skew=0 (original setup), and Base=1, Skew=1.  
Same behavior.  (the CARP setting sync actually adjusts the backup's skew from 
100 to 101).

--

Steve Yates
ITS, Inc.



Re: [pfSense] CARP failover works but it only fails back the LAN

2015-03-23 Thread ED Fochler
Is your skew set to 0 on your primary router’s CARP interfaces?

ED.

> On 2015, Mar 23, at 3:50 PM, Steve Yates wrote:
> 
> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM 
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host 
> for that VM, pfSense fails over the WAN interface but does not fail over the 
> LAN interface.  At that point external communication is lost because one 
> router is handling LAN and one WAN.  It does not seem to recover afterwards 
> until the host is restarted (we're also using VLANs on the host level for the 
> pfSense VM to use for its interfaces, so that may be a factor in having the 
> host restart).
> 
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if 
> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.  
> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If 
> I reload the CARP status page on router2 quickly, I can see that the WAN and 
> LAN interfaces correctly fail over so router2 is Master, however it almost 
> immediately reverts so router2 is Master for WAN but router2 is Backup for 
> LAN, and router1 is Master for LAN.
> 
> How can I ensure they "fail back" together?
> 
> Note that when I simply boot the host for router1, pfSense does fail over and 
> back correctly!  So something is making it not fail back on the network 
> restart?
> 
> For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an 
> IPv4 alias, and IPv6 CARP IP for LAN.
> 
> I found an OpenBSD (which I know is a different OS, but...) FAQ page on CARP 
> that says "By default all carp(4) interfaces are added to the carp group."  
> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and 
> em1, only lo0, enc0, and ovpns1.  I created a pfSense interface group 
> "carpgroup" for LAN and WAN, but had the same symptoms.
> 
> Thanks,
> --
> 
> Steve Yates
> ITS, Inc.
> 

[pfSense] CARP failover works but it only fails back the LAN

2015-03-23 Thread Steve Yates
Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM 
(Parallels Cloud/Virtuozzo), and I run "service network restart" on the host 
for that VM, pfSense fails over the WAN interface but does not fail over the 
LAN interface.  At that point external communication is lost because one router 
is handling LAN and one WAN.  It does not seem to recover afterwards until the 
host is restarted (we're also using VLANs on the host level for the pfSense VM 
to use for its interfaces, so that may be a factor in having the host restart).

Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if 
net.inet.carp.preempt=1 then the CARP interfaces should fail over together.  
Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If I 
reload the CARP status page on router2 quickly, I can see that the WAN and LAN 
interfaces correctly fail over so router2 is Master, however it almost 
immediately reverts so router2 is Master for WAN but router2 is Backup for LAN, 
and router1 is Master for LAN.

How can I ensure they "fail back" together?

Note that when I simply boot the host for router1, pfSense does fail over and 
back correctly!  So something is making it not fail back on the network restart?

For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an 
IPv4 alias, and IPv6 CARP IP for LAN.

I found an OpenBSD (which I know is a different OS, but...) FAQ page on CARP that 
says "By default all carp(4) interfaces are added to the carp group."  However 
if I run "ifconfig -v" on pfSense no groups are listed for em0 and em1, only 
lo0, enc0, and ovpns1.  I created a pfSense interface group "carpgroup" for LAN 
and WAN, but had the same symptoms.

Thanks,
--

Steve Yates
ITS, Inc.
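
The mixed state described in this thread (one node Master for some CARP VIPs and Backup for others) can be checked from the shell. This is an added example, not part of the original posts: it parses `ifconfig` output in the FreeBSD 10 `carp:` line format, and the sample output, the interface-to-VHID layout and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of ifconfig output on a node that is MASTER for the
# VHIDs on em0 but BACKUP for the VHIDs on em1 (layout is an assumption).
sample_ifconfig() {
cat <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 198.51.100.3 netmask 0xffffff00 broadcast 198.51.100.255
	carp: MASTER vhid 1 advbase 1 advskew 100
	carp: MASTER vhid 2 advbase 1 advskew 100
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
	carp: BACKUP vhid 3 advbase 1 advskew 100
	carp: BACKUP vhid 4 advbase 1 advskew 100
	carp: BACKUP vhid 5 advbase 1 advskew 100
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
EOF
}

# carp_states: read ifconfig output on stdin, print "iface vhid state advskew".
carp_states() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }   # unindented line: new interface
        $1 == "carp:" {
            vhid = skew = "?"
            for (i = 3; i < NF; i++) {
                if ($i == "vhid") vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            print iface, vhid, $2, skew
        }'
}

# carp_verdict: read carp_states output; print NONE, CONSISTENT or SPLIT.
carp_verdict() {
    awk '
        { seen[$3] = 1; n++ }
        END {
            if (n == 0) { print "NONE"; exit }
            k = 0; for (s in seen) k++                   # count distinct states
            verdict = (k > 1) ? "SPLIT" : "CONSISTENT"
            print verdict
        }'
}

# Demo on the constructed sample; on a live node: ifconfig | carp_states
sample_ifconfig | carp_states
echo "verdict: $(sample_ifconfig | carp_states | carp_verdict)"
```

Running `ifconfig | carp_states | carp_verdict` on both nodes alongside `sysctl net.inet.carp.preempt` shows whether every VHID moved together after a failover test.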
