Enabling CARP instead of default VIP stops the pfb_dnsbl service from starting (HA setup)
-
I recently updated to pfSense 2.7.0 and it automatically updated the pfBlockerNG Devel. I am running an HA setup and so I enable CARP mode in the pfB DNSBL config, setting the listen-on interface as LAN and not localhost. This automatically creates a CARP VIP type interface but gives it a /32 address, so both CARP interfaces result active on both nodes at the same time (!). I got around this by manually setting the CARP subnet of the pfB IP to /29 on the master, and that corrects the issue: both pfb_dnsbl services start on both nodes (and the backup node CARP is correctly in backup). However, after any config update it gets set back to /32 and the service fails to start unless the above workaround is done. Has anyone else noticed this? Is this a bug, or was there some change between versions in HA/CARP mode?
-
Anyone managed to verify this behavior? Can't get the service running in CARP mode as both interfaces are /32 and both are active.
-
@Luke_71
I've an HA setup and it is working as expected.
See my DNSBL settings below.
master:
DNSBL VIP Type: CARP
VHID group: 255
Advertising Base: 1
Skew: 0
Web Server Interface: LAN
backup:
DNSBL VIP Type: CARP
VHID group: 255
Advertising Base: 1
Skew: 100
Web Server Interface: LAN
-
@juliokele strange, as I have the same exact settings (well, a different VHID) but the DNSBL service then fails to start (it has a /32 address). It works if I set it to default VIP mode. Can you verify that the service (from the services option) is really running? The DNSBL will appear green but the service is red.
-
@Luke_71
yes, the service is really running...
-
@juliokele can you confirm your CARP subnet being a /32 and the status of those pfB CARP interfaces on master and backup (and you're running 2.7.0)?
-
@Luke_71
it is /32 on both (pfB DNSBL - DO NOT EDIT)
I have pfSense 23.05.1, maybe that's why it works...
-
Is your pfBlocker XMLRPC sync working on the master?
Do you see this in the update log (redacted)?
===[ XMLRPC Sync ]=================================================== Sync with [ https://ipaddress:port ] ... done.
if not, try this:
https://forum.netgate.com/post/1108304
-
@juliokele That must be it, no reference to any XMLRPC SYNC in the log anymore - it's just gone. I will dig deeper and see if I need to apply that patch you referenced - thanks!
-
-
@juliokele I checked and my pfblocker.inc has that typo - apparently due to previous patches (I had a Redmine "0 skew" patch issued on the 2nd CARP NIC which would crash everything) it was not updated. With the typo fixed, all syncs:
===[ XMLRPC Sync ]===================================================
Sync with [ https://x.x.x.x:8443 ] ... done.
However, I still have the CARP malfunction (apparently that was a separate issue) and the service does not start on the master. Here's what my CARP iface looks like:
Master/Primary:
The primary CARP is missing the status, and I can only get it back if I just edit the settings and, without changing anything, simply press OK; then it will become MASTER as it should. However, as soon as an update is triggered (every hour) it goes blank again (or if I edit the DNSBL page and press save) and the service dies, so something must be up with the CARP configuration initiated from pfBlocker or something related, but not my CARP setup, as I stated: if I manually edit and press OK it will recover, and all my other CARP interfaces are working fine with no VHID conflicts. This just appeared after the upgrade to 2.7.0. Very puzzling.
-
@juliokele I'd also like to point out that when using a CARP config one shouldn't be using a /32 (if it's a CARP IP, it should be anything other than /32 for obvious reasons), so for correctness I believe this should be at least a /30 or something in that ballpark to fit in with the specifications. In any case this doesn't explain why on my setup my primary CARP doesn't "go live" and stays GREY, while if I enter the settings and simply press save it does, until the next update.
-
Believe it or not, I simply rebooted the first pfSense machine (the one that manifested the "not active" pfBlocker CARP VIP after every hourly or manually forced pfB update) and, lo and behold, now it actually works. The all-time classic IT Crowd quote from Gary, "Have you tried turning it off and on again?", worked once again! I am baffled.