Netgate Discussion Forum

    PfSense 2.0RC2: DHCP cluster recover/unknown-state

      jimp Rebel Alliance Developer Netgate

      Forgot to ask, also need to see something like the banner from the console that shows what interface names are assigned to which physical/vlan interfaces.

        hbc

        Ok, I don't understand it quite really. What information is missing?

        ifconfig -a shows interface name and corresponding IP address, vlans are prefixed with corresponding parent interface. Do you mean interface names like LAN, OPT1, WAN? I don't find them in any previously given data like dhcpd.conf. For what do you need this info?

          jimp Rebel Alliance Developer Netgate

          Because without that it's a lot of needless work trying to figure out how they match up. You should want to make it easier for people who are trying to help you, not harder. :-)

            hbc

            Ok, here you are:

            Node 1:

            
              WAN (wan)        -> em0          -> 192.168.2.21
              LAN (lan)        -> em1_vlan40   -> 192.168.0.102
              WLAN1 (opt1)     -> em1_vlan45   -> 10.5.0.3
              WLAN2 (opt2)     -> em1_vlan46   -> 192.168.6.3
              WLAN3 (opt3)     -> em1_vlan47   -> 192.168.7.3
              STW (opt4)       -> em1_vlan66   -> 192.168.66.3
              BEAMER (opt5)    -> em1_vlan50   -> 192.168.4.3
              IRMC (opt6)      -> em1_vlan60   -> 192.168.60.3
              LABOR (opt7)     -> em1_vlan1037 -> 10.10.37.3
            
            

            Node 2:

            
              WAN (wan)       -> bge0       -> 192.168.2.20
              LAN (lan)       -> em0_vlan40 -> 192.168.0.101
              WLAN1 (opt1)    -> em0_vlan45 -> 10.5.0.2
              WLAN2 (opt2)    -> em0_vlan46 -> 192.168.6.2
              WLAN3 (opt3)    -> em0_vlan47 -> 192.168.7.2
              STW (opt4)      -> bge1       -> 192.168.66.2
              BEAMER (opt5)   -> em1        -> 192.168.4.2
              IRMC (opt6)     -> em1_vlan60 -> 192.168.60.2
              LABOR (opt7)    -> em2        -> 10.10.37.2
            
            

            Node 1 has dedicated (giga) interfaces for most networks, node 2 is just a backup with two physical interfaces and many vlans on LAN side. There may exist a bottleneck in failover state, but primary node hardware can be replaced within 1 hour.

              jimp Rebel Alliance Developer Netgate

              That all looks ok.

              By chance on the failing interfaces are you running captive portal?

                hbc

                I must disappoint you, but we don't run captive portals on any interface.

                  jimp Rebel Alliance Developer Netgate

                  ok. Well try to ping both ways from the command line again and show the full error messages that you get from both directions.

                  This really has nothing to do with DHCP specifically, and if you fix the connectivity between the firewalls on those interfaces/VLANs then it will likely start to work.

                    hbc

                    Here you can see the difference. One works without problem. The other one makes problems. Is my syntax right for ping when specifying interfaces?
                    Why multicast interface?

                    [2.0-RC2][root@pfsense01.mydomain.net]/root(8): ping 192.168.66.3
                    PING 192.168.66.3 (192.168.66.3): 56 data bytes
                    64 bytes from 192.168.66.3: icmp_seq=0 ttl=64 time=0.234 ms
                    64 bytes from 192.168.66.3: icmp_seq=1 ttl=64 time=0.271 ms
                    ^C
                    --- 192.168.66.3 ping statistics ---
                    2 packets transmitted, 2 packets received, 0.0% packet loss
                    round-trip min/avg/max/stddev = 0.234/0.253/0.271/0.019 ms
                    [2.0-RC2][root@pfsense01.mydomain.net]/root(9): ping 192.168.4.3
                    PING 192.168.4.3 (192.168.4.3): 56 data bytes
                    ping: sendto: Invalid argument
                    ping: sendto: Invalid argument
                    ping: sendto: Invalid argument
                    ping: sendto: Invalid argument
                    ^C
                    --- 192.168.4.3 ping statistics ---
                    4 packets transmitted, 0 packets received, 100.0% packet loss
                    [2.0-RC2][root@pfsense01.mydomain.net]/root(10): ping -I em1 192.168.4.3
                    ping: invalid multicast interface: `em1'
                    [2.0-RC2][root@pfsense01.mydomain.net]/root(11):

                    [2.0-RC2][root@pfsense02.mydomain.net]/root(1): ping 192.168.66.2
                    PING 192.168.66.2 (192.168.66.2): 56 data bytes
                    64 bytes from 192.168.66.2: icmp_seq=0 ttl=64 time=0.356 ms
                    64 bytes from 192.168.66.2: icmp_seq=1 ttl=64 time=0.232 ms
                    ^C
                    --- 192.168.66.2 ping statistics ---
                    2 packets transmitted, 2 packets received, 0.0% packet loss
                    round-trip min/avg/max/stddev = 0.232/0.294/0.356/0.062 ms
                    [2.0-RC2][root@pfsense02.mydomain.net]/root(2): ping 192.168.4.2
                    PING 192.168.4.2 (192.168.4.2): 56 data bytes
                    ping: sendto: Invalid argument
                    ping: sendto: Invalid argument
                    ping: sendto: Invalid argument
                    ^C
                    --- 192.168.4.2 ping statistics ---
                    3 packets transmitted, 0 packets received, 100.0% packet loss
                    [2.0-RC2][root@pfsense02.mydomain.net]/root(3): ping -I em1_vlan50 192.168.4.2
                    ping: invalid multicast interface: `em1_vlan50'

                      jimp Rebel Alliance Developer Netgate

                      You should not need to use -I at all. If you ping, it should follow the routing table and go to the local interface.

                      Check netstat -rn (or Diagnostics > Routes) and see if anything there doesn't look quite right. Also make sure you don't have any overlapping subnets in things like IPsec.

                      You should be able to just ping one from the other with "ping <ip>" and if that doesn't work, there is definitely something wrong somewhere.

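An added example, not part of the original thread and not written by either poster: it parses `netstat -rn` rows in the layout used in this thread, resolves which route a plain `ping <ip>` follows by longest-prefix match, and flags connected subnets that overlap networks configured elsewhere, the two checks suggested in the post above. The sample rows and the IPsec network `192.168.0.0/16` are constructed for illustration.

```python
import ipaddress

# Constructed sample: a few rows in the `netstat -rn` layout posted in this thread.
SAMPLE = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.254      UGS         0 118708283   bge0
192.168.4.0/24     link#2             U           0  1920393    em1
192.168.4.2        link#2             UHS         0        2    lo0
192.168.66.0/24    link#6             U           0 73122252   bge1
192.168.2.0/24     link#5             U           0  9838447   bge0
"""

def parse_routes(text):
    """Return (network, gateway, flags, netif) tuples from IPv4 `netstat -rn` rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Destination":
            continue  # section titles, header row, blank lines
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # abbreviated or non-IP destinations are skipped
        routes.append((net, f[1], f[2], f[5]))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: the route a plain `ping <ip>` would follow."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def overlapping(routes, other_nets):
    """Connected subnets that overlap networks configured elsewhere (e.g. IPsec)."""
    others = [ipaddress.ip_network(n) for n in other_nets]
    return [(str(net), netif, str(o))
            for net, _, _, netif in routes if 0 < net.prefixlen < 32
            for o in others if net.overlaps(o)]

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for target in ("192.168.4.3", "192.168.4.2", "8.8.8.8"):
        net, gw, flags, netif = lookup(table, target)
        print(f"{target:<14} -> {net} via {gw} [{flags}] on {netif}")
    # Hypothetical IPsec remote network, chosen to collide with local subnets.
    for hit in overlapping(table, ["192.168.0.0/16"]):
        print("overlap:", hit)
```

A peer address that resolves to the connected `/24` on the expected interface rules out the routing table as the cause; any overlap reported against a tunnel or VPN network is worth resolving before looking further.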
                        hbc

                        Hmmm, ok. That is a good suggestion.

                        There are differences in the routing tables. On node 1 there are entries for the peers, on node 2 these peer routes are missing.
                        But that should not have any influence, since some peer IP addresses are pingable, others not - even with these different routing tables.

                        Node 1:

                        
                        Internet:
                        Destination        Gateway            Flags    Refs      Use  Netif Expire
                        default            192.168.2.254      UGS         0 118708283   bge0
                        10.5.0.0/22        link#13            U           0 69244840 em0_vl
                        10.5.0.1           link#20            UH          0     1188   vip3
                        10.5.0.2           link#13            UHS         0        6    lo0
                        10.10.37.0/24      link#3             U           0    25859    em2
                        10.10.37.1         link#26            UH          0        0   vip9
                        10.10.37.2         link#3             UHS         0        0    lo0
                        127.0.0.1          link#8             UH          0      266    lo0
                        192.168.0.0/24     link#12            U           0  3064447 em0_vl
                        192.168.0.1        link#19            UH          0        0   vip2
                        192.168.0.101      link#12            UHS         0        0    lo0
                        192.168.4.0/24     link#2             U           0  1920393    em1
                        192.168.4.1        link#24            UH          0        0   vip7
                        192.168.4.2        link#2             UHS         0        2    lo0
                        192.168.6.0/24     link#14            U           0        0 em0_vl
                        192.168.6.1        link#21            UH          0        0   vip4
                        192.168.6.2        link#14            UHS         0        0    lo0
                        192.168.7.0/24     link#15            U           0        0 em0_vl
                        192.168.7.1        link#22            UH          0        0   vip5
                        192.168.7.2        link#15            UHS         0        0    lo0
                        192.168.60.0/24    link#16            U           0 23881393 em1_vl
                        192.168.60.1       link#25            UH          0        0   vip8
                        192.168.60.2       link#16            UHS         0        0    lo0
                        192.168.66.0/24    link#6             U           0 73122252   bge1
                        192.168.66.1       link#23            UH          0        0   vip6
                        192.168.66.2       link#6             UHS         0        2    lo0
                        192.168.2.0/24     link#5             U           0  9838447   bge0
                        192.168.2.10       link#17            UH          0        0  vip10
                        192.168.2.20       link#5             UHS         0        0    lo0
                        192.168.2.22       link#18            UH          0      243   vip1
                        192.168.2.31       link#27            UH          0        0  vip11
                        
                        

                        Node 2:

                        
                        Internet:
                        Destination        Gateway            Flags    Refs      Use  Netif Expire
                        default            192.168.2.254      UGS         0   182600    em0
                        10.5.0.0/22        link#11            U           0   104151 em1_vl
                        10.5.0.3           link#11            UHS         0        0    lo0
                        10.10.37.0/24      link#17            U           0        0 em1_vl
                        10.10.37.3         link#17            UHS         0        0    lo0
                        127.0.0.1          link#6             UH          0      526    lo0
                        192.168.0.0/24     link#10            U           0     1528 em1_vl
                        192.168.0.102      link#10            UHS         0        2    lo0
                        192.168.4.0/24     link#15            U           0     1026 em1_vl
                        192.168.4.3        link#15            UHS         0        0    lo0
                        192.168.6.0/24     link#12            U           0        0 em1_vl
                        192.168.6.3        link#12            UHS         0        0    lo0
                        192.168.7.0/24     link#13            U           0        0 em1_vl
                        192.168.7.3        link#13            UHS         0        0    lo0
                        192.168.60.0/24    link#16            U           0   335071 em1_vl
                        192.168.60.3       link#16            UHS         0        0    lo0
                        192.168.66.0/24    link#14            U           0    59040 em1_vl
                        192.168.66.3       link#14            UHS         0        0    lo0
                        192.168.2.0/24     link#1             U           0   250104    em0
                        192.168.2.21       link#1             UHS         0        0    lo0
                        
                        