Stacked IP alias on carp doesn't work

Andy_ · Jul 15, 2014, 10:12 AM

To keep carp traffic to a minimum, I used an existing carp interface as parent for an ip alias, both sharing the same subnet as suggested in https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses .
Still, the ip alias doesn't come up, only the carp ip address visible when executing ifconfig wan_vip1. No hint in the system log, just the successful xmlrpc sync. Version: 2.1.4

Any hints?

Regards
Andreas

cthomas · Jul 15, 2014, 1:31 PM

What version of pfSense?

Andy_ · Jul 16, 2014, 8:56 AM

As stated, V2.1.4

sepulworld · Aug 21, 2014, 3:30 AM

I have the same exact issue:

2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16

After upgrading to 2.1.4 from 2.1.1 (I can't remember exact previous version but it was 2.1 and above). The wan_vip1 had the IP alias addresses showing when I did an ifconfig.

After upgrade and reboot… both firewalls in active/standby pair no longer show the virtual IP alias entries in ifconfig BUT they are still being announced and work somehow. However when I go to add new Virtual IPs as IP alias (Same subnet as WAN VIP) they don't work at all. The interface and XML configuration show them though. The IP Alias will work if I assign them to the WAN instead of the floating WAN IP though. Not ideal since it won't be managed by CARP.

Where should I look to see what is going on? Any ideas?

Thanks in advance.

RobEmery · Aug 21, 2014, 2:27 PM

CARP + VIPs on 2.1.4 is a bit broken; it doesn't apply the Aliases to the interface:

@jimp:

If you use IP Alias type VIPs layered on top of CARP VIPs, use the System Patches package to apply this fix (committed this morning):

https://github.com/pfsense/pfsense/commit/2bf2a1c4c9a4ed1c378891e2b0e55edf3ed1a658

We've patched our 2.1.4's and it works again fine.

sepulworld · Aug 21, 2014, 2:57 PM

Thank you for sharing RobEmery. Will it take a while for this patch to make to a release? I am relatively new to PFsense.

RobEmery · Aug 21, 2014, 5:20 PM

@sepulworld:

Will it take a while for this patch to make to a release? I am relatively new to PFsense.

I haven't a clue, security patches seem to have been every couple of months for 2.1.x hopefully 2.1.5 is due soon

RobEmery · Aug 28, 2014, 10:32 PM

FWIW 2.1.5 is out today; and apparently has this issue fixed: https://blog.pfsense.org/?p=1401

JeGr · Sep 9, 2014, 7:20 PM

@Rob Hate to disappoint you, while the main problem is indeed fixed (no aliases were created with 2.1.4 anymore), there still is a bug with deleting said aliases. They won't get deleted on the backup node, thus bringing chaos to the CARP stack on that interface leading to a split-brain (master/master) situation on that interface (can be resolved by rebooting the standby node or manually deleting the aliases on the VIP interface in a root shell on console).

So my advice: be careful.

RobEmery · Sep 12, 2014, 7:49 AM

@JeGr:

@Rob Hate to disappoint you, while the main problem is indeed fixed (no aliases were created with 2.1.4 anymore), there still is a bug with deleting said aliases. They won't get deleted on the backup node, thus bringing chaos to the CARP stack on that interface leading to a split-brain (master/master) situation on that interface (can be resolved by rebooting the standby node or manually deleting the aliases on the VIP interface in a root shell on console).

So my advice: be careful.

Interesting! Do you know how long this bug has stood for, we've always had interesting behaviour with CARP + VIPs and failovers; we've always ended up rebooting the secondary for "random" problems like these.