IPv6 CARP created on lo0
-
Maybe firewall issue?
You checked that access to that vip is permitted?
-
@ermal:
Maybe firewall issue?
You checked that access to that vip is permitted?
Firewall on the LAN side allows all traffic (IPv4 + IPv6), so that shouldn't be the problem.
And yes, before I posted that I checked all firewall rules and checked the firewall log.
-
For the third time - are you getting a NDP response on the CARP IP? What's a packet capture filtering on the CARP IP on the firewall side look like?
-
I'm sorry, but if this:
@Willy:
NDP result
2a02:xxx:101:1::3 dev eth0 lladdr d4:ae:52:c7:77:a4 router REACHABLE
2a02:xxx:101:1::2 dev eth0 lladdr d4:ae:52:c7:82:6c router REACHABLE
2a02:xxx:101:1::1 dev eth0 FAILED
is not an NDP response test, then I do not know how to test that.
There is only one rule in the firewall that matches the CARP IP (2a02:xxx:101:1::1), and that's "Allow all".
-
Oh sorry, I missed the post where you actually posted that. If you packet capture on the NIC of the firewall where that IP resides, filtering on the CARP IP, for example:
tcpdump -ni em0 host 2a02:xxx:101:1::1
Where em0 is the interface where that network resides, and try to ping the IP from somewhere on that network, what does that show?
-
Nothing is logged when pinging 2a02:xxx:101:1::1. If I ping 2a02:xxx:101:1::2 (the non-CARP IP of the master):
10:27:47.761220 IP6 2a02:xxx:101:1::20 > 2a02:xxx:101:1::2: ICMP6, echo request, seq 3, length 64
10:27:47.761238 IP6 2a02:xxx:101:1::2 > 2a02:xxx:101:1::20: ICMP6, echo reply, seq 3, length 64
If I listen for IPv6 traffic, I see for every ping attempt the following:
10:29:30.684618 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32
-
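The two checks the thread is walking through, the client's neighbour table and a capture on the firewall interface filtered on the CARP IP, as an added Python example that is not from the thread, from pfSense or from any poster: it parses the "ip -6 neighbor show" and tcpdump line formats quoted above, counts neighbour solicitations for the VIP against advertisements sent from it, and reports whether the VIP is answering NDP at all (the symptom in this thread) or answering NDP but not echo (which would point at a firewall rule instead). All sample lines are constructed, keeping the thread's 2a02:xxx: placeholder prefix; the function names are my own.

```python
"""Diagnose an unreachable IPv6 CARP VIP from neighbour-table and capture output.

Added example: parses the two output formats shown in the thread (Linux
`ip -6 neighbor show` on the client, `tcpdump -ni em0 host <vip>` on the
firewall) and says whether the VIP is defended in NDP.  Sample data below is
constructed; the 2a02:xxx: prefix is the thread's own placeholder.
"""
import re
from collections import Counter

# Constructed: the client's neighbour table, as quoted in the thread.
NEIGH_OUTPUT = """\
2a02:xxx:101:1::3 dev eth0 lladdr d4:ae:52:c7:77:a4 router REACHABLE
2a02:xxx:101:1::2 dev eth0 lladdr d4:ae:52:c7:82:6c router REACHABLE
2a02:xxx:101:1::1 dev eth0 FAILED
"""

# Constructed: capture on the firewall while the client pings the VIP.
# Only solicitations arrive; the firewall never sends an advertisement.
CAPTURE_BROKEN = """\
10:29:30.684618 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32
10:29:31.684618 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32
"""

# Constructed: what a healthy exchange for the same VIP looks like.
CAPTURE_HEALTHY = """\
10:31:00.000001 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32
10:31:00.000120 IP6 2a02:xxx:101:1::1 > 2a02:xxx:101:1::20: ICMP6, neighbor advertisement, tgt is 2a02:xxx:101:1::1, length 32
10:31:00.000300 IP6 2a02:xxx:101:1::20 > 2a02:xxx:101:1::1: ICMP6, echo request, seq 1, length 64
10:31:00.000350 IP6 2a02:xxx:101:1::1 > 2a02:xxx:101:1::20: ICMP6, echo reply, seq 1, length 64
"""

# "<addr> dev <if> [lladdr <mac>] [router] <NUD state>"
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))?.*?(?P<state>[A-Z]+)$"
)
NS_RE = re.compile(r"neighbor solicitation, who has (?P<target>\S+),")
NA_RE = re.compile(
    r"^\S+ IP6 (?P<src>\S+) > \S+: ICMP6, neighbor advertisement, tgt is (?P<target>\S+),"
)
ECHO_RE = re.compile(r"^\S+ IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, echo (?P<kind>request|reply),")


def neighbor_state(output, addr):
    """Return the NUD state (REACHABLE, STALE, FAILED, ...) for addr, or None if absent."""
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("addr") == addr:
            return m.group("state")
    return None


def ndp_summary(capture, vip):
    """Count the NDP and echo packets in a tcpdump text capture that concern vip."""
    counts = Counter()
    for line in capture.splitlines():
        m = NS_RE.search(line)
        if m and m.group("target") == vip:
            counts["solicitations_for_vip"] += 1
            continue
        m = NA_RE.match(line)
        if m and m.group("target") == vip:
            counts["advertisements_from_vip"] += 1
            continue
        m = ECHO_RE.match(line)
        if m:
            if m.group("kind") == "request" and m.group("dst") == vip:
                counts["echo_requests_to_vip"] += 1
            elif m.group("kind") == "reply" and m.group("src") == vip:
                counts["echo_replies_from_vip"] += 1
    return dict(counts)


def diagnose(neigh_output, capture, vip):
    """Combine both views into (verdict, client NUD state, packet counts)."""
    state = neighbor_state(neigh_output, vip)
    s = ndp_summary(capture, vip)
    if s.get("solicitations_for_vip", 0) and not s.get("advertisements_from_vip", 0):
        # Solicitations reach the box but nothing answers: the VIP is not
        # defended in NDP, so no firewall rule can be the cause yet.
        return ("no_neighbor_advertisement", state, s)
    if s.get("echo_requests_to_vip", 0) and not s.get("echo_replies_from_vip", 0):
        # Address resolution worked; the echo itself is dropped or unanswered.
        return ("echo_unanswered", state, s)
    if s.get("echo_replies_from_vip", 0):
        return ("reachable", state, s)
    return ("no_traffic", state, s)


if __name__ == "__main__":
    vip = "2a02:xxx:101:1::1"
    print(diagnose(NEIGH_OUTPUT, CAPTURE_BROKEN, vip))
    print(diagnose(NEIGH_OUTPUT, CAPTURE_HEALTHY, vip))
```

On the broken capture the verdict is no_neighbor_advertisement with the client's entry in FAILED, which matches the thread: the solicitation arrives at the firewall, nothing replies, and the client never gets as far as sending an echo request to the VIP.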
Today I did the same thing on another set of pfSense servers and the exact same thing is happening. CARP-IP address is unreachable. I upgraded these two servers to the latest snapshot before trying.
-
Changed the CARP to an IP Alias and the IP became reachable. Changed it back to CARP and it keeps working :o
-
Probably try after some ndp timeout?
I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!
-
Well, it stopped working by itself after some time.
@ermal:
Probably try after some ndp timeout?
No clue what you mean.
@ermal:
I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!
Do you mean what "ip -6 neighbor show" shows?