Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DHCP failover & manual work around

    1.2.3-PRERELEASE-TESTING snapshots - RETIRED
    2
    2
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FisherKing
      last edited by

      I don't know if this should be posted here or under the DHCP/DNS forum, but it takes place under 1.2.3, so I'm posting here.

      using 1.2.3 2009-04-07 13:23 snapshot, I've setup two pfsense boxes with three nics each (WAN, LAN, CARP).

      I've created a shared virtual IP on the LAN and have enabled synchronization from the primary to the secondary (checked all boxes).  I have verified that synchronization is working and that the secondary takes over when the primary goes down.

      For testing purposes, I have allowed all traffic on both the LAN and CARP interfaces.  Not secure I know, but this is in a testing environment.

      I've setup DHCP on the LAN and tried a couple of different configurations to get the failover to work using just the GUI.  I've set the same IP range on both boxes, and I've configured the DNS and Gateway fields with the same IP addresses on both boxes.  I've tried assigning different blocks of IPs to each box - but from what I've read on the ISC site, this approach isn't correct.  I've tried leaving DNS and gateway settings empty.  I have entered the secondary's real LAN address in the failover peer IP box, and I've entered the secondary's CARP address in the failover peer box.

      Just for good measure I've tried entering the primary's real LAN IP into the secondary's failover peer box.

      No matter how I configure the GUI, I can't get fail over to work.  Looking at the DHCP leases page, I see "My State" = Recover and "Peer State" = unknown, and it seems that either no addresses get handed out (when both primary and secondary have failover peer boxes filled) or that only the secondary hands out addresses (only the primary's failover peer box filled).

      Looking at the /var/dhcpd/etc/dhcpd.conf files on both boxes, I have observed the following:

      1. Entering an address in the primary's failover peer box causes dhcpd.conf to be correctly written to make that box the primary DHCP server.
      2. Entering an address in the primary's failover peer box does not change dhcpd.conf on the secondary server.
      3. Entering an address in the secondary's failover peer box configures the secondary's dhcpd.conf as the primary dhcp server.

      To work around this, I fill the secondary's failover peer box with the primary's real LAN IP address, click save, and then manually edit the dhcpd.conf files as follows:

      On the secondary box -
      I change the line that reads "primary;" to "secondary;"
      I delete the line that reads "split 128;"
      I change the line that reads "port 519" to "port 520"
        (The idea is to set the port and peer port to the same value.  I choose 520)

      I use "pgrep -lf dhcpd" to get the processID and command line of the running dhcpd process, then kill and restart the dhcpd server.  There's prob a better way to do this, but I'm not completely familiar with *nix systems.

      On the primary box -
      I change "port 519" and "peer port" to be the same value I set in the secondary's dhcpd.conf

      I then restart dhcpd on the primary.  It may actually be necessary to restart dhcpd on the secondary one more time, but - the net result is that the fail over status page shows that the two servers actually see each other.

      The draw back to this is that once either the primary or secondary restarts, the settings from config.xml will over-write the dhcpd.conf file and it will have to be adjusted all over again.

      It would seem that ideally, there would be a check box on the DHCP server page to indicate if this dhcp server is the primary or failover server, and the dhcpd.conf file would be configured accordingly.

      I suppose that another work around would be to chmod the files so they are read-only.  I don't know if that becomes an issue during failover / failback or not.

      1 Reply Last reply Reply Quote 0
      • dotdashD
        dotdash
        last edited by

        @FisherKing:

        I don't know if this should be posted here or under the DHCP/DNS forum, but it takes place under 1.2.3, so I'm posting here.

        I don't think you are seeing anything specific to 1.2.3 here, so yeah it should be in DHCP/DNS. If you have a config that works in 1.2.2, but not under 1.2.3, that's another matter.
        @FisherKing:

        I've setup DHCP on the LAN and tried a couple of different configurations to get the failover to work using just the GUI.  I've set the same IP range on both boxes, and I've configured the DNS and Gateway fields with the same IP addresses on both boxes.  I've tried assigning different blocks of IPs to each box - but from what I've read on the ISC site, this approach isn't correct.  I've tried leaving DNS and gateway settings empty.  I have entered the secondary's real LAN address in the failover peer IP box, and I've entered the secondary's CARP address in the failover peer box.

        Here's an example. Assume we have two boxes fw1 and fw2. Lan addresses are 192.168.1.2 and 192.168.1.3 respectively. There is a CARP VIP 192.168.1.1
        services, dhcp, LAN fw1:
        range 192.168.1.100 192.168.1.150
        DNS servers 192.168.1.1
        Gateway 192.168.1.1
        Failover Peer 192.168.1.3

        services, dhcp, LAN fw2:
        range 192.168.1.100 192.168.1.150
        DNS servers 192.168.1.1
        Gateway 192.168.1.1
        Failover Peer 192.168.1.2

        Try stopping and starting DHCP on both boxes and see if it goes to normal on the status screen. You should be able to do this without resorting to crazy hacks.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.