Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 CARP created on lo0

    2.1 Snapshot Feedback and Problems - RETIRED
    3
    15
    3.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      eri--
      last edited by

      Maybe firewall issue?
      You checked that access to that vip is permitted?

      1 Reply Last reply Reply Quote 0
      • W
        Willy
        last edited by

        @ermal:

        Maybe firewall issue?
        You checked that access to that vip is permitted?

        @Willy:

        Firewall on the LAN side allows all traffic (IPv4 + IPv6) so that shouldn't be the problem.

        And yes, before I posted that I checked all firewall rules and checked the firewall log.

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          For the third time - are you getting a NDP response on the CARP IP? What's a packet capture filtering on the CARP IP on the firewall side look like?

          1 Reply Last reply Reply Quote 0
          • W
            Willy
            last edited by

            I'm sorry, but if this:
            @Willy:

            NDP result
            2a02:xxx:101:1::3 dev eth0 lladdr d4:ae:52:c7:77:a4 router REACHABLE
            2a02:xxx:101:1::2 dev eth0 lladdr d4:ae:52:c7:82:6c router REACHABLE
            2a02:xxx:101:1::1 dev eth0  FAILED

            is not a NDP response test then I do not know how to test that.

            There is only one rule in the firewall that matches the CARP IP (2a02:xxx:101:1::1), and that's "Allow all".

            1 Reply Last reply Reply Quote 0
            • C
              cmb
              last edited by

              oh sorry, I missed the post where you actually posted that. If you packet capture on the NIC of the firewall where that IP resides, filtering on the CARP IP, for example:

              tcpdump -ni em0 host 2a02:xxx:101:1::1

              Where em0 is the interface where that network resides, and try to ping the IP from somewhere on that network, what does that show?

              1 Reply Last reply Reply Quote 0
              • W
                Willy
                last edited by

                Nothing is logged when pinging 2a02:xxx:101:1::1. If I ping 2a02:xxx:101:1::2 (the non-CARP IP of the master):
                10:27:47.761220 IP6 2a02:xxx:101:1::20 > 2a02:xxx:101:1::2: ICMP6, echo request, seq 3, length 64
                10:27:47.761238 IP6 2a02:xxx:101:1::2 > 2a02:xxx:101:1::20: ICMP6, echo reply, seq 3, length 64

                If I listen for IPv6 traffic, I see for every ping attempt the following:
                10:29:30.684618 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32

                1 Reply Last reply Reply Quote 0
                • W
                  Willy
                  last edited by

                  Today I did the same thing on another set of pfSense servers and the exact same thing is happening. CARP-IP address is unreachable. I upgraded these two servers to the latest snapshot before trying.

                  1 Reply Last reply Reply Quote 0
                  • W
                    Willy
                    last edited by

                    Changed the CARP to a IP-Alias and the IP became reachable. Changed it back to CARP and it keeps working  :o

                    1 Reply Last reply Reply Quote 0
                    • E
                      eri--
                      last edited by

                      Probably try after some ndp timeout?

                      I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!

                      1 Reply Last reply Reply Quote 0
                      • W
                        Willy
                        last edited by

                        Well, it stopped working by itself after some time.

                        @ermal:

                        Probably try after some ndp timeout?

                        No clue what you mean.

                        @ermal:

                        I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!

                        Do you mean what "ip -6 neighbor show" shows?

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.