Netgate Discussion Forum

    Enabling CARP instead of default VIP stops the pfb_dnsbl service from starting (HA setup)

Category: pfBlockerNG
13 Posts, 2 Posters, 833 Views
Luke_71 @Luke_71

Anyone managed to verify this behavior? Can't get the service running in CARP mode as both interfaces are /32 and both are active.
juliokele @Luke_71 (last edited by juliokele)

@Luke_71
I've an HA setup and it is working as expected.
See my DNSBL settings below.

master:
DNSBL VIP Type: CARP
VHID group: 255
Advertising Base: 1
Skew: 0
Web Server Interface: LAN

backup:
DNSBL VIP Type: CARP
VHID group: 255
Advertising Base: 1
Skew: 100
Web Server Interface: LAN
Luke_71 @juliokele (last edited by Luke_71)

@juliokele Strange, as I have the exact same settings (well, a different VHID), but the DNSBL service then fails to start (it has a /32 address). It works if I set it to default VIP mode. Can you verify that the service (from the Services option) is really running? The DNSBL will appear green but the service is red.
juliokele @Luke_71

@Luke_71
Yes, the service is really running...
Luke_71 @juliokele (last edited by Luke_71)

@juliokele Can you confirm your CARP subnet being a /32 and the status of those pfB CARP interfaces on master and backup (and you're running 2.7.0)?
juliokele @Luke_71

@Luke_71
It is /32 on both (pfB DNSBL - DO NOT EDIT).
I have pfSense 23.05.1, maybe that's why it works...
juliokele @juliokele (last edited by juliokele)

Is your pfBlocker XMLRPC sync working on the master?
Do you see this in the update log (redacted)?

===[  XMLRPC Sync ]===================================================

 Sync with [ https://ipaddress:port ] ... done.

If not, try this:
https://forum.netgate.com/post/1108304
Luke_71 @juliokele

@juliokele That must be it, no reference to any XMLRPC SYNC in the log anymore - it's just gone. I will dig deeper and see if I need to apply that patch you referenced - thanks!
Luke_71 @juliokele (last edited by Luke_71)

@juliokele I checked and my pfblocker.inc has that typo - apparently due to previous patches (I had a redmine "0 skew" patch issued on the 2nd CARP NIC which would crash everything) it was not updated. With the typo fixed all syncs:

===[ XMLRPC Sync ]===================================================
Sync with [ https://x.x.x.x:8443 ] ... done.

However I still have the CARP malfunction (apparently that was a separate issue) and the service does not start on the master. Here's what my CARP iface looks like:
Master/Primary:
[Image: MasterCARP.png]

[Image: BackupCARP.png]

The primary CARP is missing the status, and I can only get it back if I just edit the settings and, without changing anything, simply press OK; then it will become MASTER as it should. However, as soon as an update is triggered (every hour) it goes blank again (or if I edit the DNSBL page and press save) and the service dies, so something must be up with the CARP configuration initiated from pfBlocker or something related, but not my CARP setup, as I stated: if I manually edit and press OK it will recover, and all my other CARP interfaces are working fine with no VHID conflicts. This just appeared after the upgrade to 2.7.0. Very puzzling.
Luke_71 @juliokele

@juliokele I'd also like to point out that when using a CARP config one shouldn't be using a /32 (if it's a CARP IP, it should be anything other than /32 for obvious reasons), so for correctness I believe this should be at least a /30 or something in that ballpark to fit in with the specifications. In any case this doesn't explain why on my setup my primary CARP doesn't "go live" and stays GREY, while if I enter the settings and simply press save it does, until the next update.
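The three things the thread keeps coming back to, the CARP values from juliokele's settings post (VHID, advertising base, skew on each node), the prefix length of the VIP that Luke_71 questions, and a VIP that shows no MASTER/BACKUP status at all, can all be read from the kernel's view on each pfSense node rather than from the GUI. The script below is an added example and is not code from this thread or from pfBlockerNG: it parses FreeBSD-style `ifconfig` output for a given VHID and reports the CARP state, the advskew and the VIP's prefix length, then gives a pair-level verdict for a master/backup couple. The `ifconfig` text it runs on is constructed sample output (interface `lan`, VHID 255 and the 192.0.2.x documentation addresses are assumptions), including one sample where the VIP address is configured but no `carp:` line is present, which is the "blank" status described above.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfBlockerNG.
# Parses FreeBSD/pfSense `ifconfig` output to report CARP state for one VHID.
# All sample text below is CONSTRUCTED; interface name, addresses and VHID are
# assumptions chosen to match the settings quoted in the thread (VHID 255,
# advbase 1, skew 0 on the master and skew 100 on the backup).

SAMPLE_IFCONFIG_MASTER='lan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.10 netmask 0xffffffff broadcast 192.0.2.10 vhid 255
    carp: MASTER vhid 255 advbase 1 advskew 0'

SAMPLE_IFCONFIG_BACKUP='lan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.10 netmask 0xffffffff broadcast 192.0.2.10 vhid 255
    carp: BACKUP vhid 255 advbase 1 advskew 100'

# Constructed: the VIP address is present but the kernel reports no carp: line
# for it, which is what a VIP with no MASTER/BACKUP status in the GUI looks like.
SAMPLE_IFCONFIG_BLANK='lan: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.10 netmask 0xffffffff broadcast 192.0.2.10 vhid 255'

# carp_state VHID IFCONFIG_TEXT -> MASTER | BACKUP | INIT | NONE
# NONE means the kernel has no CARP state for that VHID at all.
carp_state() {
    state=$(printf '%s\n' "$2" | awk -v v="$1" '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2 }')
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'NONE\n'; fi
}

# carp_skew VHID IFCONFIG_TEXT -> advskew value, or empty when no carp: line exists
carp_skew() {
    printf '%s\n' "$2" | awk -v v="$1" '
        $1 == "carp:" && $3 == "vhid" && $4 == v {
            for (i = 1; i < NF; i++) if ($i == "advskew") print $(i + 1)
        }'
}

# vip_prefix VHID IFCONFIG_TEXT -> prefix length of the inet address carrying that VHID
# (the hex netmask is summed nibble by nibble; only contiguous masks are valid)
vip_prefix() {
    printf '%s\n' "$2" | awk -v v="$1" '
        $1 == "inet" && $3 == "netmask" && $(NF - 1) == "vhid" && $NF == v {
            mask = tolower(substr($4, 3)); n = 0
            for (i = 1; i <= length(mask); i++) {
                c = substr(mask, i, 1)
                n += (c == "f") ? 4 : (c == "e") ? 3 : (c == "c") ? 2 : (c == "8") ? 1 : 0
            }
            print n
        }'
}

# carp_pair_status VHID MASTER_TEXT BACKUP_TEXT -> ok | blank | split-brain | degraded
carp_pair_status() {
    a=$(carp_state "$1" "$2")
    b=$(carp_state "$1" "$3")
    case "$a/$b" in
        NONE/*|*/NONE)               echo "blank" ;;        # a node shows no CARP state
        MASTER/MASTER)               echo "split-brain" ;;  # both nodes claim the VIP
        MASTER/BACKUP|BACKUP/MASTER) echo "ok" ;;
        *)                           echo "degraded" ;;     # INIT, or both BACKUP
    esac
}

# Demonstration on the constructed samples; on a live node pass "$(ifconfig lan)".
echo "master: $(carp_state 255 "$SAMPLE_IFCONFIG_MASTER") skew=$(carp_skew 255 "$SAMPLE_IFCONFIG_MASTER") prefix=/$(vip_prefix 255 "$SAMPLE_IFCONFIG_MASTER")"
echo "backup: $(carp_state 255 "$SAMPLE_IFCONFIG_BACKUP") skew=$(carp_skew 255 "$SAMPLE_IFCONFIG_BACKUP")"
echo "pair:   $(carp_pair_status 255 "$SAMPLE_IFCONFIG_MASTER" "$SAMPLE_IFCONFIG_BACKUP")"
echo "blank:  $(carp_pair_status 255 "$SAMPLE_IFCONFIG_BLANK" "$SAMPLE_IFCONFIG_BACKUP")"
```

Running `carp_state 255 "$(ifconfig lan)"` on both nodes right after an hourly pfBlockerNG update, and again after the edit-and-save workaround, separates the two cases in the thread: a VIP that is present but reports NONE is a CARP object that was never (re)attached to the kernel, whereas BACKUP on both nodes or a skew mismatch points at the advertisement settings themselves.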
Luke_71 @Luke_71

Believe it or not, I simply rebooted the first pfSense machine (the one that manifested the "not active" pfBlocker CARP VIP after every hourly or manual forced pfB update) and lo and behold, now it actually works. The all-time classic IT Crowd quote from Gary, "Have you tried turning it off and on again", worked once again! I am baffled.
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.