Just Confirmation.
I did the work around and the LAGG setup is working as intended.

There's already a patch for this in 2.2.3.

I have had a similar issue, seemingly out of nowhere, with my master that was running 2.2 and my slave at 2.2.2 for a couple weeks (until Sunday afternoon).  Master affected with very slow performance, both throughput and it's own web interface.  I do not use any limiters, but I do use BGP.  I will also downgrade to 2.1.5.

Figured out my issue.

port security was enabled and set to restrict on the switchport that the LAN interfaces were connected to and I could see in the switch logs that it was getting tripped.

Disabled port security now all is well.

Hello,

Did you find something ?

I have a similar configuration and have same troubles. It's quite temporary on my side but sometimes the ping between two systems in two different vlans can go from 0.200ms to 5/15 ms without any reason.

Thank you

Change the port on both primary and secondary.  That setting isn't synced.

thank you jimp
I already switch to new 2.2.2 with this patch
I made a short test but when I switch back to master, bgp remains in ACTIVE for 2 sessions from a total of 4
I wil make more tests on this weekend

P.S: attached my old 2.0.2 uptime  8)


We've seen that before but not lately. What version of pfSense is on both units?
And do you have Captive Portal + voucher sync enabled on that cluster?

@jme: That is what i did too.

@Jimp: i didn't verified, i'll check this next time and give you the log related to this action

Sorry, you've hit the limit of my knowledge on this subject.  Yes, I believe that the shared WAN IP is a Virtual IP.

IP alias is fine. Some modems aren't happy with just proxy ARP, which sounds like the case for you.

Hello Dotdash,

Thanks for your reply. My diagram was not complete, I already had the VIP setup for all interfaces.

It's working since this morning. I'm not exactly sure what was wrong. I've setup the DHCP servers as I've already done a few times without success, but this time it worked. I let a few days go by before making my final attempt. I red the chapter about configuring CARP (especially the DHCP part) before proceeding. Maybe I needed the break.

Anyway, this issue is solved. Thanks !

Viragomann put me on the right track, though there was a catch.  The original problem was that I wanted to perform CARP firewall rules synchronization between a master and a backup, but the backup had an extra interface (a wireless access point) the master didn't have.  Consequently, the rules for the extra interface were been deleted whenever the rules synchronized.  Viragomann suggested creating a dummy interface on the master for a non-existent VLAN, giving it the same name as the wireless interface on the backup firewall, and putting the rules there.  The basic idea was good, but with a problem.

The problem comes in the way that the interfaces are named.  When I created the dummy VLAN on the master, pfSense named it "OPT5".  I then renamed it to "wireless" to match the interface name on the backup.  It seems that renaming OPT5 to "wireless" is a cosmetic change only.  Internally pfSense still calls it "OPT5", and all the rules are associated with "OPT5".  When CARP performs the firewall synchronization, it copied all those wireless rules to the backup firewalls "OPT5", which was some other VLAN.  On the backup, pfSense knows the wireless interface as "OPT4".  I had to delete everything on the master firewall associated with OPT4 and above, and recreate them in the right order so that their internal "OPT" names aligned with the ones on the backup firewall.  Once I did that, synchronization worked great.

Thanks, Viragomann, for putting me on the right path.

I appreciate the honesty and I totally see your point.

To switch from CARP back to a stand-alone unit you can remove the sync settings from System > High Avail Sync and from the DHCP server tabs. CARP VIPs and NAT can be left as-is.

Yes.  The description field doesn't seem to like transferring over some special characters.  It's annoying but I've been avoiding characters that appear to disappear.

Dino

Gentle bump to see if anyone knows anything about this these days…

I saw this post, which I think could be relevant:
https://forums.freebsd.org/threads/tftpd-and-interface-alias-issue.37695/

It looks like that by modifying inetd I should be able to achieve what I want, but not sure what needs changing.

Assuming they are on the same subnet, what happens when you simply setup High Availability Sync without setting up CARP?

@rcpao:

/sbin/ifconfig from the shell shows which NIC a VIP is associated along with with via the VIP's netmask, broadcast, and vhid, but not the VIP's MAC Address.

CARP MAC addresses are generated algorithmically and follow the scheme for VRRP.  See this: https://tools.ietf.org/html/rfc3768#section-7.3 for details.

Run a packet capture on the interface with the CARP IPs and watch some traffic.  You should see those MAC addresses in the frames.

Cheers
Jon

Hi,

I have been struggling with the same problem recently in a similar setup, and I also have found the mentioned MAC learning filter VIB, but I wanted to ask few questions before I go for it.

It is not clear to me, that after I install the VIB, on which vm network ports should I enable the dvfilter? I suppose those VM-ports have to be filter enabled which are connected to a port group with promiscuous mode enabled, right? Another point is, that this MAC filter never forgets. Once a MAC is stored in the MAC table, it remains there for good(!?), which a little bit worries me, since if the MAC table is full, the filter would no longer be capable to prevent the packet flood. But on the other side, I personally do not know how many MACs can be stored for a given port in the MAC table.

Do you happen to have any experience with that, or a workaround whether the MAC table can be emptied somehow manually once it gets full?

Thanks,
Leva