Netgate Discussion Forum

    IPv6 CARP created on lo0

    2.1 Snapshot Feedback and Problems - RETIRED

      Willy

      I created two CARP IPv6, one on WAN and one on LAN. Both do not work. When checking routes it appears that the CARP is created on lo0 instead of xxx_vipx.

      See attached screenshots.
      ipv6lancarp.PNG
      ipv6lanroutes.PNG

        cmb

        That's how it should look, it's a local IP and a link route. Every locally assigned IP, CARP or otherwise, shows up as lo0 in the routing table.

        v6 on CARP definitely works in general. What doesn't work about it? Getting NDP?

          Willy

          IPv4 CARP is created on xxx_vipx, see attachment. I assumed IPv6 would do the same.

          I can't reach the IPv6 CARP addresses. I can't ping them, for example, while I can ping the normal IPv6 address of the network cards. Firewall on the LAN side allows all traffic (IPv4 + IPv6) so that shouldn't be the problem.

          ipv4lanroutes.PNG

            cmb

            Ah yeah that is inconsistent between v4 CARP and v6 CARP for some reason in FreeBSD. All IPv4 and v6 aliases are lo0, all v6 CARP are lo0. That's not the reason, all our working boxes are that way.

            Do you get a NDP response? You using v4 CARP too and it's working?

              Willy

              IPv4 CARP is working correctly.

              NDP result
              2a02:xxx:101:1::3 dev eth0 lladdr d4:ae:52:c7:77:a4 router REACHABLE
              2a02:xxx:101:1::2 dev eth0 lladdr d4:ae:52:c7:82:6c router REACHABLE
              2a02:xxx:101:1::1 dev eth0  FAILED

              1 = CARP, 2 = pfm, 3 = pfs

                eri--

                Maybe firewall issue?
                You checked that access to that vip is permitted?

                  Willy

                  @ermal:

                  Maybe firewall issue?
                  You checked that access to that vip is permitted?

                  @Willy:

                  Firewall on the LAN side allows all traffic (IPv4 + IPv6) so that shouldn't be the problem.

                  And yes, before I posted that I checked all firewall rules and checked the firewall log.

                    cmb

                    For the third time - are you getting a NDP response on the CARP IP? What's a packet capture filtering on the CARP IP on the firewall side look like?

                      Willy

                      I'm sorry, but if this:
                      @Willy:

                      NDP result
                      2a02:xxx:101:1::3 dev eth0 lladdr d4:ae:52:c7:77:a4 router REACHABLE
                      2a02:xxx:101:1::2 dev eth0 lladdr d4:ae:52:c7:82:6c router REACHABLE
                      2a02:xxx:101:1::1 dev eth0  FAILED

                      is not a NDP response test then I do not know how to test that.

                      There is only one rule in the firewall that matches the CARP IP (2a02:xxx:101:1::1), and that's "Allow all".

                        cmb

                        Oh sorry, I missed the post where you actually posted that. If you packet capture on the NIC of the firewall where that IP resides, filtering on the CARP IP, for example:

                        tcpdump -ni em0 host 2a02:xxx:101:1::1

                        Where em0 is the interface where that network resides, and try to ping the IP from somewhere on that network, what does that show?

                          Willy

                          Nothing is logged when pinging 2a02:xxx:101:1::1. If I ping 2a02:xxx:101:1::2 (the non-CARP IP of the master):
                          10:27:47.761220 IP6 2a02:xxx:101:1::20 > 2a02:xxx:101:1::2: ICMP6, echo request, seq 3, length 64
                          10:27:47.761238 IP6 2a02:xxx:101:1::2 > 2a02:xxx:101:1::20: ICMP6, echo reply, seq 3, length 64

                          If I listen for IPv6 traffic, I see for every ping attempt the following:
                          10:29:30.684618 IP6 2a02:xxx:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a02:xxx:101:1::1, length 32

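Added example, not part of any post in this thread: a Python sketch that reads tcpdump text output like the capture above and lists neighbor solicitations that never received an advertisement, the pattern the capture shows for the CARP address. The capture lines are constructed, with the 2001:db8::/32 documentation prefix standing in for the redacted one, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed capture in tcpdump's text format. 2001:db8::/32 (documentation
# prefix) stands in for the redacted prefix in the thread: ::1 plays the CARP
# VIP, ::2 the master's own address, ::20 the pinging host.
SAMPLE = """\
10:27:47.761220 IP6 2001:db8:101:1::20 > 2001:db8:101:1::2: ICMP6, echo request, seq 3, length 64
10:29:29.100000 IP6 2001:db8:101:1::20 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:101:1::2, length 32
10:29:29.100400 IP6 2001:db8:101:1::2 > 2001:db8:101:1::20: ICMP6, neighbor advertisement, tgt is 2001:db8:101:1::2, length 32
10:29:30.684618 IP6 2001:db8:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:101:1::1, length 32
10:29:31.684700 IP6 2001:db8:101:1::20 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:101:1::1, length 32
"""

NS = re.compile(r"> (\S+): ICMP6, neighbor solicitation, who has ([0-9a-fA-F:]+)")
NA = re.compile(r"ICMP6, neighbor advertisement, tgt is ([0-9a-fA-F:]+)")


def solicited_node(addr):
    """Solicited-node multicast group (RFC 4291): ff02::1:ff00:0/104 + low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def unanswered_solicitations(capture):
    """Map each solicited target that never sent an advertisement to its NS count."""
    asked, answered = {}, set()
    for line in capture.splitlines():
        ns, na = NS.search(line), NA.search(line)
        if ns:
            dst = ipaddress.IPv6Address(ns.group(1))
            target = ipaddress.IPv6Address(ns.group(2))
            # A multicast NS must go to the target's solicited-node group;
            # anything else means the capture or the sender is inconsistent.
            if dst.is_multicast and dst != solicited_node(target):
                raise ValueError(f"NS for {target} sent to unexpected group {dst}")
            asked[target] = asked.get(target, 0) + 1
        elif na:
            answered.add(ipaddress.IPv6Address(na.group(1)))
    return {t: n for t, n in asked.items() if t not in answered}


if __name__ == "__main__":
    for target, count in unanswered_solicitations(SAMPLE).items():
        print(f"{target}: {count} solicitation(s) to {solicited_node(target)}, no advertisement")
```
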
                            Willy

                            Today I did the same thing on another set of pfSense servers and the exact same thing is happening. CARP-IP address is unreachable. I upgraded these two servers to the latest snapshot before trying.

                              Willy

                              Changed the CARP to an IP-Alias and the IP became reachable. Changed it back to CARP and it keeps working :o

                                eri--

                                Probably try after some ndp timeout?

                                I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!

                                  Willy

                                  Well, it stopped working by itself after some time.

                                  @ermal:

                                  Probably try after some ndp timeout?

                                  No clue what you mean.

                                  @ermal:

                                  I would be curious to know that when you cannot ping it there is no ndp entry for the carp ip on the host from where you are trying this?!

                                  Do you mean what "ip -6 neighbor show" shows?
