Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-03-11 Thread Vaughn L. Reid III



On 2/10/2011 7:58 PM, Vaughn L. Reid III wrote:



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Vaughn L. Reid III

On 2/10/2011 2:43 AM, Seth Mos wrote:

On 10-2-2011 4:18, Vaughn L. Reid III wrote:






1. All the Master and backup status notifications in the web interface
on both pfSense boxes show the correct status
2. I'll do a packet capture tomorrow and see if the carp-heartbeat
shows up

I was unaware that any CARP-related traffic passed between any of the
interfaces except the one designated as the synchronization interface. I
need to double-check the multi-cast configuration on the switch tomorrow
also (I think I have multi-cast enabled on the switch, but need to
confirm that).


Yes, some switches support multicast filtering, I know from experience
with HP switches that it works with the setting on. So I know they
have it implemented correctly. This way not all switch ports get the
carp traffic unless they participate in the multicast group. This cuts
down on broadcast a lot.

I recommend the HP switches, they have never given me any grief as
long as I've worked with them. I even have a carp cluster spanning 2
buildings across the street over a fiber connection. It just works.

If you need a managed switch on a budget I can confirm that the HP
Procurve 1810-8G works well. It's web managed, supports vlans and
basic traffic counters. It is also fanless.

The smallest I have in use on a carp cluster is a Procurve 2650 in
combination with a 2900-48G. The biggest I have is a 8212zl. Do note
that the software in the 1810 differs a lot from the other managed
switches.


Regards,

Seth




I've run a packet capture and here are the results:

1.  Capture shows a bunch of VRRP announcements from the primary
firewall to destination 224.0.0.18.  The destination confirms this is a
multicast address, I believe.  According to Wikipedia, VRRP and CARP
share the same protocol number.  So, I believe that these are CARP
announcements.


2.  All the VRRP requests had a vrrp.prio value of 0 with a description 
of Priority: 0 (Current Master has stopped participating in VRRP)


3.  Over a 114 second capture, there were no VRRP announcements from the 
secondary firewall.


4.  There were lots of ARP broadcast requests from the secondary 
firewall asking for who has the IP of the default gateway.  There were 0 
ARP requests from the primary firewall during the capture period.


5.  There were lots of ICMP pings from both the primary and secondary
pfSense firewalls to the default gateway on this WAN interface.  I
assume this is from the Load Balance Fail-Over configuration I have
enabled for the cluster on this interface.


I confirmed that the Master firewall shows itself as Master for all 
interfaces.  I confirmed that the Secondary firewall shows itself as 
Backup for all interfaces.
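
Added example (not part of the original thread and not pfSense code): CARP and VRRPv2 advertisements share IP protocol 112 and the same first byte, so a dissector that assumes VRRP displays CARP's advskew byte as vrrp.prio. The parser below tells the two apart by length and the authlen byte; the header layouts are assumed from the BSD `carp_header` struct and RFC 3768, and the sample packets are constructed with zero-filled checksum, counter and HMAC.

```python
import socket
import struct

CARP_LEN = 36      # fixed length of a CARP advertisement, in bytes
CARP_AUTHLEN = 7   # counter (8 bytes) + SHA-1 HMAC (20 bytes), in 32-bit words


def virtual_mac(group_id: int) -> str:
    """MAC address shared by a VRRP/CARP group: 00:00:5e:00:01:<group id>."""
    return "00:00:5e:00:01:%02x" % group_id


def parse_proto112(payload: bytes) -> dict:
    """Decode the payload of an IP protocol 112 packet as CARP or VRRPv2."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte common header")
    vt, group, byte2, byte3, byte4, byte5, cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if (vt >> 4, vt & 0x0F) != (2, 1):
        raise ValueError("not a version 2 advertisement")

    # What a VRRP-only dissector displays, whatever the sender really was.
    vrrp_view = {"vrid": group, "priority": byte2, "count_ip": byte3}

    # A VRRPv2 advertisement is 8 + 4*count + 8 bytes long, so a 36-byte one
    # carries count 5. 36 bytes with 7 in that slot can only be CARP.
    if len(payload) == CARP_LEN and byte3 == CARP_AUTHLEN:
        return {
            "proto": "CARP",
            "vhid": group,
            "advskew": byte2,          # shown as vrrp.prio by a VRRP dissector
            "demote": byte4,           # named pad1 in older FreeBSD headers
            "advbase": byte5,
            "counter": payload[8:16].hex(),
            "hmac_sha1": payload[16:36].hex(),
            "virtual_mac": virtual_mac(group),
            "vrrp_view": vrrp_view,
        }

    need = 8 + 4 * byte3 + 8
    if len(payload) < need:
        raise ValueError("truncated VRRPv2 advertisement")
    addrs = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i])
             for i in range(byte3)]
    return {
        "proto": "VRRPv2",
        "vrid": group,
        "priority": byte2,
        "auth_type": byte4,
        "adver_int": byte5,
        "addresses": addrs,
        "virtual_mac": virtual_mac(group),
        "vrrp_view": vrrp_view,
    }


def triage(payload: bytes) -> str:
    """One-line verdict for a capture review."""
    p = parse_proto112(payload)
    if p["proto"] == "CARP":
        return ("CARP vhid %d advskew %d advbase %d from %s "
                "(a VRRP dissector shows priority %d)"
                % (p["vhid"], p["advskew"], p["advbase"],
                   p["virtual_mac"], p["vrrp_view"]["priority"]))
    if p["priority"] == 0:
        return "VRRPv2 vrid %d: priority 0, master is resigning" % p["vrid"]
    return "VRRPv2 vrid %d priority %d" % (p["vrid"], p["priority"])


def build_carp(vhid: int, advskew: int, advbase: int = 1) -> bytes:
    """Constructed sample: checksum, counter and HMAC are zero placeholders."""
    head = struct.pack("!BBBBBBH", 0x21, vhid, advskew, CARP_AUTHLEN,
                       0, advbase, 0)
    return head + bytes(28)


def build_vrrp(vrid: int, priority: int, addrs: list) -> bytes:
    """Constructed sample: checksum and authentication data are zero."""
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, 1, 0)
    body = b"".join(socket.inet_aton(a) for a in addrs)
    return head + body + bytes(8)


if __name__ == "__main__":
    samples = [
        build_carp(vhid=1, advskew=0),        # CARP master, default skew
        build_carp(vhid=1, advskew=100),      # CARP backup
        build_vrrp(5, 0, ["192.0.2.1"]),      # a real VRRP resignation
    ]
    for pkt in samples:
        print(triage(pkt))
```
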







Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Vaughn L. Reid III






I performed a second capture of 3 minutes on malfunctioning WAN and 
noted identical results for the VRRP/CARP packets.  On the second 
capture, however, I did see ARP requests from both firewalls asking for 
the MAC of the IP of the Default Gateway -- this was different from my 
item number 4 in the previous post.


I also performed a 3 minute packet capture from one of the known working 
WAN connections on the cluster.  The VRRP packets on that connection 
showed an origination address of the Real IP on primary/Master 
firewall and a multi-cast destination, just like the results from the 
problem WAN connection.  I also noted that the vrrp.prio value and 
description was the same on the working WAN as on the not-working WAN.


Both the working WAN connection packet capture and the non-Working WAN 
packet captures show IGMP packets noting the entering and leaving of 
multi-cast groups.







Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Vaughn L. Reid III






One more thing.  If I unplug the connection that leads to the ISP's
black box from the switch and leave everything else in place, pings
from the secondary/backup firewall to the CARP start working as expected.


I'm not sure I understand this behavior.  With 2 IP addresses on the 
same subnet that can communicate with each other on the same VLAN of a 
switch, it seems to me that it shouldn't matter what else I plug into 
that switch (as long as it has a different IP and as long as it is not 
doing some 

Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Evgeny Yurchenko

On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Vaughn L. Reid III



On 2/10/2011 12:57 PM, Evgeny Yurchenko wrote:


Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Moshe Katz
Is your ISP Verizon?  We have had many ARP issues with Verizon FIOS.  For
our pfSense box to get all of our IPs, we have to manually set each of the
IPs as the WAN IP (one by one), then set up the Virtual IP settings after we
do that.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Feb 10, 2011 at 7:19 PM, Vaughn L. Reid III 
vaughn_reid_...@elitemail.org wrote:




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Vaughn L. Reid III



On 2/10/2011 7:30 PM, Moshe Katz wrote:
Is your ISP Verizon?  We have had many ARP issues with Verizon FIOS. 
 For our pfSense box to get all of our IPs, we have to manually set 
each of the IPs as the WAN IP (one by one), then set up the Virtual IP 
settings after we do that.


Moshe

--
Moshe Katz
-- mo...@ymkatz.net mailto:mo...@ymkatz.net
-- +1(301)867-3732



On Thu, Feb 10, 2011 at 7:19 PM, Vaughn L. Reid III 
vaughn_reid_...@elitemail.org mailto:vaughn_reid_...@elitemail.org 
wrote:




On 2/10/2011 12:57 PM, Evgeny Yurchenko wrote:

On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:



On 2/10/2011 10:42 AM, Vaughn L. Reid III wrote:



On 2/10/2011 9:32 AM, Vaughn L. Reid III wrote:

On 2/10/2011 2:43 AM, Seth Mos wrote:

Op 10-2-2011 4:18, Vaughn L. Reid III schreef:




1. All the Master and backup status
notifications in the web interface
on both PFSense boxes show the correct status
2. I'll do a packet capture tomorrow and
see if the carp-heartbeat shows up

I was unaware that any Carp related
traffic passed between any of the
interfaces except the one designated as
the synchronization interface. I
need to double-check the multi-cast
configuration on the switch tomorrow
also ( I think I have multi-cast enabled
on the switch, but need to
confirm that).


Yes, some switches support multicast filtering,
I know from experience with HP switches that
it works with the setting on. So I know they
have it implemented correctly. This way not
all switch ports get the carp traffic unless
they participate in the multicast group. This
cuts down on broadcast a lot.

I recommend the HP switches, they have never
given me any grief as long as I've worked with
them. I even have a carp cluster spanning 2
buildings across the street over a fiber
connection. It just works.

If you need a managed switch on a budget I can
confirm that the HP Procurve 1810-8G works
well. It's web managed, supports vlans and
basic traffic counters. It is also fanless.

The smallest I have in use on a carp cluster
is a Procurve 2650 in combination with a
2900-48G. The biggest I have is a 8212zl. Do
note that the software in the 1810 differs a
lot from the other managed switches.

Regards,

Seth





I've run a packet capture and here are the results:

1.  Capture shows a bunch of VRRP announcements
from the primary firewall to destination
224.0.0.18.  The destination confirms this is a
multicast address I  believe.  According to
Wikipedia, VRRP and CARP share the same protocol
number.  So, I believe that these are CARP
announcements.

2.  All the VRRP requests had a vrrp.prio value of
0 with a description of Priority: 0 (Current
Master has stopped participating in VRRP)

3.  Over a 114 second capture, there were no VRRP
announcements from the secondary firewall.

4.  There were lots of ARP broadcast requests from
the secondary firewall asking for who has the IP
of the default gateway.  There were 0 ARP requests
from the primary firewall during the capture period.

5.  There were lots of ICMP pings from both the
   

[pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III
I've got a PfSense version 1.2.3 cluster at a Public Library customer 
connected to 6 WAN links.


The first 5 are connected as VLANS through a TP-Link SL3428 switch then 
to an ISP provided Router (4 ATT ADSL links each with a Netopia ADSL 
router and a Fiber Link with a Cisco 2800 series router).   These 5 WAN 
links are all configured identically (except for IP, etc.) and have 
worked beautifully for 2 or 3 years.  The first 5 WANs all go out the 
same Intel server interface.  The 6th connection goes out a second Intel 
server interface (There are 6 physical Intel server gigabit interfaces 
on the machines all together -- 4 onboard plus 1 dual port PCI-X card).


Illustration:

WAN Connections 1 through 5
Pfsense Cluster --- VLAN Trunk --- TP-Link Managed Switch --- Switch 
Ports out to each Provider on a different VLAN (port to provider in 
access mode not tagged) --- Provider's Router -- Internet  
Everything Works!!!


WAN Connection 6
Pfsense cluster -- VLAN Trunk -- D-Link Managed Switch -- Switch Port 
out to the Provider (port to provider in access mode not tagged)   
Provider's On-Site Black Box/Fiber Converter (can't get any details 
about what's in it) -- Nothing!!!


The Library has recently decided to replace the ADSL links with a 
fiber-to-your door Internet connection.  For redundancy, I've set this 
up to run through a D-Link DGS 3200-10 managed switch.  I have this 
connection configured identically to the other 5 working connections 
except ISP specific things like netmask and IP address.  I cannot, for 
the life of me, get this 6th connection to work correctly.


I've been doing some troubleshooting for a bit now and have noticed some 
items that might be helpful on this 6th WAN connection.


Address Learning enabled on the Switch (default setting):
1.  If I leave MAC address learning on on the D-Link switch, the Carp 
Master can ping its real IP address, can ping its CARP IP address, and 
can ping the fail-over PfSense
2.  The fail-over Pfsense server can ping its own real IP, can ping the 
Carp Master's real IP, but cannot ping the CARP IP.
3.  When I first boot the switch, I can usually ping the CARP IP from 
the fail-over box 1 time before pings start timing out.
4.  From a remote location, I am able to ping the real IP of both boxes, 
but I cannot ping the CARP IP.

5.  Both boxes can ping the ISP's default gateway.

Address Learning disabled on the Switch:
1.  Both PFSense boxes can ping each other, and both can ping the CARP IP.
2.  Neither can ping the ISP's IP address.
3.  From a remote location, I am unable to ping any of the boxes on the 
6th ISP interface.


I've tried this connection through the same switch without VLAN's 
enabled for this connection and still have no connectivity through this 
provider.  If I plug in a laptop directly to the switch and use any of 
the 3 IP's in question, I have a good Internet connection.


On the D-Link Switch, Spanning Tree is disabled.  The ports containing 
the PFSense box links are tagged VLAN trunks with no untagged ports 
allowed.  The port leading to the ISP is an untagged VLAN that is only a 
member of 1 VLAN.  I know I could set this up without fussing with the 
VLANS, but I wanted to be consistent between the 2 switches.


I believe this is a switch related issue and not a PFSense related issue 
directly.  I am hesitant to run this connection through the other 
managed switch because I'm looking for redundancy.  If anyone has any 
suggestions about where my problem may be, I'd really appreciate the help.


Thanks!




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread ey
[snip]
 Address Learning enabled on the Switch (default setting):
[snip]
Can you briefly explain what 'address learning' is according to D-Link?





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled,
destination and source MAC addresses are automatically listed in the
forwarding table. When address learning is Disabled, MAC addresses must be
manually entered into the forwarding table. This is sometimes done for
reasons of security or efficiency. See the section on Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The
default setting is Enabled.



One other thing.  I need to note that I have dedicated a CARP interface 
on each Pfsense box connected to each other via a cross-over cable.




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread David Newman
On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:
 According to page 15 of the reference manual address learning is:
 
 Enable or disable MAC address learning for the selected ports. When Enabled,
 destination and source MAC addresses are automatically listed in the
 forwarding table. When address learning is Disabled, MAC addresses must be
 manually entered into the forwarding table. This is sometimes done for
 reasons of security or efficiency. See the section on Forwarding/Filtering
 for information on entering MAC addresses into the forwarding table. The
 default setting is Enabled.
 

This just means the switch dynamically learns the source MAC of each
attached device. 99.999 percent of all switches on the market have
dynamic MAC learning enabled. This isn't the problem.


 
 
 One other thing.  I need to note that I have dedicated a CARP interface
 on each Pfsense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a
crossover cable between pairs of boxes but that's for pfsync, not CARP.
pfsync migrates table state between pf boxes; CARP is for redundant
sharing of a virtual IP address among multiple pf boxes, and would be of
little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You
might also want to verify that the switch is configured to forward
multicast.

dn






 
 
 
 On 2/9/2011 2:35 PM, e...@tm-k.com wrote:
 [snip]
 Address Learning enabled on the Switch (default setting):
 [snip]
 Can you briefly explain what 'address learning' is according to D-Link?





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III
My understanding of forwarding also was that address learning is a 
normal part of switch operation.  But, I find it odd that turning that 
off lets the fail-over box ping the CARP IP on the primary box; with 
address learning on, I am unable to do that.


A clarification about the Carp setup -- Each PfSense server has a 
dedicated interface connected to each other via a crossover cable.  This 
is the interface that is configured to send and receive pfsync and its 
related traffic in the carp setup page.  The firewall rules for this 
dedicated interface on each server are to allow all traffic on the 
interface.


With a dedicated interface for the Carp related stuff to use, do the 
other interfaces still send and receive multi-cast pfsync traffic?




On 2/9/2011 5:10 PM, David Newman wrote:

On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled,
destination and source MAC addresses are automatically listed in the
forwarding table. When address learning is Disabled, MAC addresses must be
manually entered into the forwarding table. This is sometimes done for
reasons of security or efficiency. See the section on Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The
default setting is Enabled.


This just means the switch dynamically learns the source MAC of each
attached device. 99.999 percent of all switches on the market have
dynamic MAC learning enabled. This isn't the problem.




One other thing.  I need to note that I have dedicated a CARP interface
on each Pfsense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a
crossover cable between pairs of boxes but that's for pfsync, not CARP.
pfsync migrates table state between pf boxes; CARP is for redundant
sharing of a virtual IP address among multiple pf boxes, and would be of
little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You
might also want to verify that the switch is configured to forward
multicast.

dn









On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Evgeny Yurchenko




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?






On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled,
destination and source MAC addresses are automatically listed in the
forwarding table. When address learning is Disabled, MAC addresses must be
manually entered into the forwarding table. This is sometimes done for
reasons of security or efficiency. See the section on Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The
default setting is Enabled.



One other thing.  I need to note that I have dedicated a CARP interface
on each Pfsense box connected to each other via a cross-over cable.



Please do not top-post.
So Address Learning should be enabled.
1) do you see one box as stand-by, another one as active in web-interface?
2) connect laptop instead of ISP's cable and run packet capture you should be able to see once a second carp-heartbeat 
(multicast mac + carp IP in destination field).


If one pfSense shows Active, another one shows Stand-by and on the laptop you see heartbeat from only one (master) 
pfSense then you did not mess up with carp configuration and vlans on the switch.


Evgeny.





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Chris Buechler
On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III
vaughn_reid_...@elitemail.org wrote:
 My understanding of forwarding also was that address learning is a normal
 part of switch operation.  But, I find it odd that turning that off lets the
 fail-over box ping the CARP IP on the primary box, with address learning on,
 I am unable to do that.

 A clarification about the Carp setup -- Each PfSense server has a dedicated
 interface connected to each other via a crossover cable.  This is the
 interface that is configured to send and receive pfsync and its related
 traffic in the carp setup page.  The firewall rules for this dedicated
 interface on each server are to allow all traffic on the interface.

 With a dedicated interface for the Carp related stuff to use, do the other
 interfaces still send and receive multi-cast pfsync traffic?


No but they send the multicast CARP traffic on all interfaces where a
CARP IP resides.




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III



On 2/9/2011 9:20 PM, Evgeny Yurchenko wrote:




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?






On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled,
destination and source MAC addresses are automatically listed in the
forwarding table. When address learning is Disabled, MAC addresses must be
manually entered into the forwarding table. This is sometimes done for
reasons of security or efficiency. See the section on Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The
default setting is Enabled.



One other thing.  I need to note that I have dedicated a CARP 
interface on each Pfsense box connected to each other via a cross-over 
cable.



Please do not top-post.
So Address Learning should be enabled.
1) do you see one box as stand-by, another one as active in 
web-interface?
2) connect laptop instead of ISP's cable and run packet capture you 
should be able to see once a second carp-heartbeat (multicast mac + 
carp IP in destination field).


If one pfSense shows Active, another one shows Stand-by and on the 
laptop you see heartbeat from only one (master) pfSense then you did 
not mess up with carp configuration and vlans on the switch.


Evgeny.



1.  All the Master and backup status notifications in the web interface 
on both PFSense boxes show the correct status

2.  I'll do a packet capture tomorrow and see if the carp-heartbeat shows up

I was unaware that any Carp related traffic passed between any of the 
interfaces except the one designated as the synchronization interface.  
I need to double-check the multi-cast configuration on the switch 
tomorrow also ( I think I have multi-cast enabled on the switch, but 
need to confirm that).





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III



On 2/9/2011 10:09 PM, Chris Buechler wrote:

On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III
vaughn_reid_...@elitemail.org  wrote:

My understanding of forwarding also was that address learning is a normal
part of switch operation.  But, I find it odd that turning that off lets the
fail-over box ping the CARP IP on the primary box, with address learning on,
I am unable to do that.

A clarification about the Carp setup -- Each PfSense server has a dedicated
interface connected to each other via a crossover cable.  This is the
interface that is configured to send and receive pfsync and its related
traffic in the carp setup page.  The firewall rules for this dedicated
interface on each server are to allow all traffic on the interface.

With a dedicated interface for the Carp related stuff to use, do the other
interfaces still send and receive multi-cast pfsync traffic?


No but they send the multicast CARP traffic on all interfaces where a
CARP IP resides.



Thanks for this clarification.




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Seth Mos

Op 10-2-2011 4:18, Vaughn L. Reid III schreef:






1. All the Master and backup status notifications in the web interface
on both PFSense boxes show the correct status
2. I'll do a packet capture tomorrow and see if the carp-heartbeat shows up

I was unaware that any Carp related traffic passed between any of the
interfaces except the one designated as the synchronization interface. I
need to double-check the multi-cast configuration on the switch tomorrow
also ( I think I have multi-cast enabled on the switch, but need to
confirm that).


Yes, some switches support multicast filtering, I know from experience 
with HP switches that it works with the setting on. So I know they have 
it implemented correctly. This way not all switch ports get the carp 
traffic unless they participate in the multicast group. This cuts down 
on broadcast a lot.


I recommend the HP switches, they have never given me any grief as long 
as I've worked with them. I even have a carp cluster spanning 2 buildings 
across the street over a fiber connection. It just works.


If you need a managed switch on a budget I can confirm that the HP 
Procurve 1810-8G works well. It's web managed, supports vlans and basic 
traffic counters. It is also fanless.


The smallest I have in use on a carp cluster is a Procurve 2650 in 
combination with a 2900-48G. The biggest I have is a 8212zl. Do note 
that the software in the 1810 differs a lot from the other managed switches.


Regards,

Seth
