Carp Firewall rule clears after sync
-
Hi,
I posted this in the firewall section as well. Every time the rules sync, the allow rule set up for traffic between CARP interfaces clears and has to be set again. Is this normal behavior? Has it been seen before?
thanks
Zack
-
Ok, does anyone know how I could add a cron job to put the rule back every hour or so?
Thanks
Zack
-
I have never seen that happen, so I would tend to think you were doing something wrong.
Firewall, Virtual IPs, CARP settings: sync is checked on master, not on backup unit? You are doing edits on the master? Master is logging successful sync, etc?
-
Yep everything is set up as described..
If I could figure out a way to check and re-add the rule every hour or so, that would help a lot.
Cheers
Zack
-
Master and Backup Firewall need the same Interface order…
e.g. first tab LAN, second WAN, third CARP; both systems need the same order in the firewall tabs.
-
Yes this is correct also, all in the right order.
The rule on the backup firewall clears after a successful sync, and you have to add it back in before adding a new rule/CARP IP/IPsec setting.
Cheers
Zack
-
Are the interfaces all on the same if number? eg xl0
I have one box with 3 xl (3com) cards in it and the other has 4 xl
If you have one box with
xl0 - WAN
xl1 - LAN
xl2 - CARP_SYNC
and on the other one you have
xl0 - WAN
xl1 - LAN
xl2 - not used
xl3 - CARP_SYNC
and you assign xl2 on the master as carp sync, that rule will be copied to xl2 on the slave and not the one named CARP_SYNC.
This will also cause problems if you have a mix of NICs from different manufacturers, eg xl and fxp. pfSense used to copy on the name, but this is broken in 2.0. I haven't used 1.2… for ages so I don't know if this applies there.
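The post above describes rules landing on the wrong physical NIC when the two boxes assign their interfaces in a different order. A simple way to catch that before it bites is to compare the interface assignments of both units side by side. The script below is an added example, not code from this thread or from the pfSense project; it assumes the `config.xml` layout `<interfaces><wan><if>xl0</if></wan><lan>…</lan><opt1><if>…</if><descr>…</descr></opt1></interfaces>` and uses constructed sample configs that mirror the xl2/xl3 mismatch in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not real exported configs). Layout assumed to
# follow pfSense's config.xml: each child of <interfaces> is the friendly tag
# (wan, lan, opt1, ...), <if> is the physical NIC, <descr> the display name.
MASTER_XML = """
<pfsense>
  <interfaces>
    <wan><if>xl0</if></wan>
    <lan><if>xl1</if></lan>
    <opt1><if>xl2</if><descr>CARP_SYNC</descr></opt1>
  </interfaces>
</pfsense>
"""

# The backup box has an extra card, so CARP_SYNC sits on xl3 instead of xl2.
BACKUP_XML = """
<pfsense>
  <interfaces>
    <wan><if>xl0</if></wan>
    <lan><if>xl1</if></lan>
    <opt1><if>xl3</if><descr>CARP_SYNC</descr></opt1>
  </interfaces>
</pfsense>
"""


def interface_map(xml_text):
    """Return {friendly_tag: (physical_nic, description)} for one config."""
    root = ET.fromstring(xml_text)
    result = {}
    for iface in root.find("interfaces"):
        phys = (iface.findtext("if") or "").strip()
        # wan/lan usually carry no <descr>; fall back to the upper-cased tag.
        descr = (iface.findtext("descr") or iface.tag.upper()).strip()
        result[iface.tag] = (phys, descr)
    return result


def compare_assignments(master_xml, backup_xml):
    """List every friendly tag whose NIC or name differs between the units.

    An empty list means the two boxes assign interfaces identically, which is
    the precondition the thread says rule sync relies on.
    """
    master = interface_map(master_xml)
    backup = interface_map(backup_xml)
    problems = []
    for tag, (m_phys, m_descr) in master.items():
        if tag not in backup:
            problems.append(f"{tag} ({m_descr}): present on master, missing on backup")
            continue
        b_phys, b_descr = backup[tag]
        if m_phys != b_phys:
            problems.append(f"{tag} ({m_descr}): master uses {m_phys}, backup uses {b_phys}")
        elif m_descr != b_descr:
            problems.append(f"{tag}: named {m_descr} on master but {b_descr} on backup")
    for tag, (_, b_descr) in backup.items():
        if tag not in master:
            problems.append(f"{tag} ({b_descr}): present on backup, missing on master")
    return problems


if __name__ == "__main__":
    for line in compare_assignments(MASTER_XML, BACKUP_XML) or ["interface assignments match"]:
        print(line)
```

Run it against sanitized `config.xml` exports from both units (replace the constructed strings with the file contents); any line it prints is an interface whose rules may end up on the wrong NIC after a sync.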
-
my Interfaces are:
fw0:
LAN BGE1
WAN BGE0
Lan2 RE0
CARP RE1
fw1:
LAN BGE1
WAN BGE0
Lan2 RE0
CARP RE1
All other rules on other interfaces/VLANs sync fine..
Hoping when the new version is available it will sort it. Other than that I'll have to work out a cron job to insert the rule every hour or so..
Thanks
Zack
-
I'm still of the opinion that if this were a bug, someone else would have seen it. You could post your sanitized configs from both firewalls and someone might be willing to look them over.
-
What if you try to add some weird, distinguishable rule on the CARP interface on the master firewall (I suspect this is the interface for pfsync)? Does it appear on the slave firewall on any other interface?