Multiple VIP on multi wan troubles
-
Destroying the config sounds like a config replication loop to me. Any chance that your machine1 syncs to IP of machine2 and machine2 syncs back to machine1? You should only have machine1 syncing config to machine2. Basically at machine2 only the first 2 settings at firewall>VIP, carp settings should be configured (synchronize enabled, synchronize interface) unless there is a third machine that you want to daisy chain the configuration to (machine1->machine2->machine3…).
Please check this setting and retest. I have some locations running CARP with 4 and more public IPs without issues.
-
Upgraded to Beta 4 with cvs_sync.sh releng_1
Added VIPs as proxyarp and all seems stable and working.
Just a note that when I tried to add carp using beta 4 I get the following error:
Fatal error: Call to undefined function: return_first_three_octets() in /usr/local/www/firewall_virtual_ip_edit.php on line 117
Thanks.
-
This is now fixed, thanks.
-
Worked okay for a few hours - added another carp VIP and then the same error - auto reboot with missing xml config. For now I don't have time to work out what is wrong and will revisit pfsense with a later release. Thanks, and it's a pity as pfsense promises a lot.
-
Did you actually read my hint about a possible configsync loop? What geekgod meant in his answer above was meant concerning the error when adding a carp vip.
-
Worked okay for a few hours - added another carp VIP and then the same error - auto reboot with missing xml config. For now I don't have time to work out what is wrong and will revisit pfsense with a later release. Thanks, and it's a pity as pfsense promises a lot.
CARP sync loop. AKA user pilot error.
-
I have no doubt it is a pilot error, so I have tried to fall back to the simplest configuration.
I am now running with no carp failover and no load balancing setup, so just WAN & OPT routing to 2 different public networks and LAN. So there is just one pfsense box, internet connectivity on both WAN and OPT network is by static IP. Could it be a problem that I have an IPCOP box on the same LAN subnet (different IP of course) which routes out via the same WAN gateway? Note that there are no duplicate IPs in use on any network.
Also if I don't add any VIPs and configure load balancing - that feature works fine. If I just add NAT for the primary IPs that also works fine.
Pfsense only falls over after adding more than one VIP and it doesn't seem to matter whether it is CARP, Proxy ARP or type other. I have a /24 subnet for my WAN and a /26 for the OPT network. Could it be a problem not to have a full /24 subnet for the OPT network? Is it correct that I use the correct subnet when adding VIPs, or should I use /32 for each VIP that is added?
Again any suggestions are appreciated.
-
ProxyARP IPs should be each /32.
CARP IPs should have the subnetmask of the real IP of the interface they are on and also be in the range of the subnet (it doesn't matter if you have a /29, /26 or /24 subnet, it just has to match the real interface settings).
-
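Added example, not part of the original thread and not pfSense code: a small Python check of the two mask rules given in the reply above (ProxyARP VIPs are /32; CARP VIPs use the real interface's mask and lie inside its subnet). The function names, the `"carp"`/`"proxyarp"` type strings and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def check_vip(vip_type, vip_cidr, iface_cidr):
    """Return a list of problems for one virtual IP; an empty list means OK."""
    vip = ipaddress.ip_interface(vip_cidr)      # VIP address with its mask
    iface = ipaddress.ip_interface(iface_cidr)  # real interface address/mask
    problems = []
    if vip_type == "proxyarp":
        # Rule from the thread: each ProxyARP IP is entered as a /32.
        if vip.network.prefixlen != vip.ip.max_prefixlen:
            problems.append(f"{vip_cidr}: ProxyARP VIP should be /32")
    elif vip_type == "carp":
        # Rule from the thread: mask must match the real interface ...
        if vip.network.prefixlen != iface.network.prefixlen:
            problems.append(
                f"{vip_cidr}: CARP mask should be /{iface.network.prefixlen}")
        # ... and the address must be inside the interface's subnet.
        if vip.ip not in iface.network:
            problems.append(f"{vip_cidr}: not inside {iface.network}")
    # Other VIP types: the thread states no mask rule, so nothing is checked.
    return problems

def audit(vips, interfaces):
    """Map each (iface, type, cidr) entry that has problems to its messages."""
    report = {}
    for iface_name, vip_type, vip_cidr in vips:
        found = check_vip(vip_type, vip_cidr, interfaces[iface_name])
        if found:
            report[(iface_name, vip_type, vip_cidr)] = found
    return report

# Constructed sample: a /24 WAN and a /26 OPT, as in the question above.
INTERFACES = {"wan": "198.51.100.2/24", "opt": "203.0.113.2/26"}
VIPS = [
    ("wan", "carp", "198.51.100.10/24"),      # OK
    ("opt", "carp", "203.0.113.10/24"),       # wrong mask for a /26 interface
    ("opt", "carp", "203.0.113.100/26"),      # outside 203.0.113.0/26
    ("wan", "proxyarp", "198.51.100.20/24"),  # ProxyARP must be /32
    ("wan", "proxyarp", "198.51.100.21/32"),  # OK
]

if __name__ == "__main__":
    for entry, messages in audit(VIPS, INTERFACES).items():
        print(entry, "->", "; ".join(messages))
```
-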
I believe I found the problem - it had nothing to do with either pfsense or the config - as suggested, it seems it was a loopback issue of sorts.
I have a HP procurve switch with 2 VLANs (the WAN & OPT networks) configured. While there were no IP conflicts I think that due to the IPCOP box also being on the WAN vlan, the Procurve's ARP table was causing a broadcast storm and I assume Linux "deals" with that differently to FreeBSD as IPCOP was not affected while pfsense fell over.
Anyway since replacing the procurve with 2 simple switches everything seems to be working okay now.
Thanks for your help.
-
I still wonder what should cause the destruction of the config.xml. Keep an eye on it. There might be something else going on which is unrelated to the other error.