Bug? Using CARP IP as WAN IP in console and fw rules
-
Bug found and pull request created:
https://github.com/pfsense/pfsense/pull/3872
-
Thanks for this, it bit us quite badly on a box we have in AWS.
The patch fixed the ip for the WAN address, we just have a last issue where openvpn servers are now binding to the wrong ip (the vip), it might possibly be related.
-
What interface did you select in the openvpn server settings? "WAN"?
-
That is correct. Using the "WAN" interface in the server settings normally gave us the interface ip instead of the virtual ip.
-
In pfSense web gui, go to Diagnostics / Command Prompt.
Under "Execute PHP Commands", run:
printf(find_interface_ip("em2"));
But change "em2" to your WAN interface.
Do you get correct WAN IP, or VIP IP?
-
It returns our virtual ip.
Our real ip is xxx.xxx.127.4, and the php command returns xxx.xxx.127.22 which is our virtual ip.
-
I think it might be cached. I do not know the reason for wrong IP being cached, but you can change the cache.
Go to Diagnostics / Edit File.
Open each of these files, and change IP to WAN IP (if needed):
/var/db/wan_cacheip
/var/db/wan_ip
/var/db/em2_ip
Once again, change last one from "em2_ip" to your wan interface.
-
Ah, that was it, our openvpn servers are back to normal. Thanks for your help.
I'll keep an eye on it when she goes for a reboot again (not anytime soon), but this thread has given me some insight.
-
Glad to hear it's working. We haven't put our 2.4.1 into production yet.
I wonder if it is a coincidence that for both you and me, it was the .22 vip that caused the problem.
-
Yeah, kinda weird.
It's the only box where we have a vip on the WAN interface, so it slipped through the cracks when we tested it on another box.
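-
Added example, not part of the thread and not pfSense project code: a shell check that compares the cached address files named above with the interface's own non-CARP IPv4 address, so a stale VIP in the cache is caught before firewall rules or OpenVPN bind to it. It assumes the VIP is a CARP address, which FreeBSD's ifconfig marks with "vhid"; the function names and the 192.0.2.x sample are constructed for illustration.

```shell
#!/bin/sh
# Print the first IPv4 address from `ifconfig <if>` output (stdin) that is
# not a CARP VIP. FreeBSD tags CARP addresses with "vhid <n>" on the inet line.
# Assumption: the VIP is CARP; a plain IP-alias VIP carries no such marker.
primary_ipv4() {
    awk '$1 == "inet" && $0 !~ / vhid / { print $2; exit }'
}

# check_cached <expected-ip> <file>...
# One status line per file; returns 1 if any file holds a different address.
check_cached() {
    expected=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "SKIP     $f (not readable)"
            continue
        fi
        cached=$(tr -d '[:space:]' < "$f")
        if [ "$cached" = "$expected" ]; then
            echo "OK       $f = $cached"
        else
            echo "MISMATCH $f = $cached (interface has $expected)"
            rc=1
        fi
    done
    return $rc
}

# Constructed ifconfig sample: the VIP (.22) is listed before the real
# address (.4), so simply taking the first inet line would be wrong.
SAMPLE_IFCONFIG='em2: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.22 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    inet 192.0.2.4 netmask 0xffffff00 broadcast 192.0.2.255
    carp: MASTER vhid 1 advbase 1 advskew 0'

# Offline demo against temporary files standing in for /var/db/*_ip.
demo() {
    d=$(mktemp -d)
    echo 192.0.2.22 > "$d/wan_ip"; echo 192.0.2.4 > "$d/em2_ip"
    check_cached "$(printf '%s\n' "$SAMPLE_IFCONFIG" | primary_ipv4)" \
        "$d/wan_ip" "$d/em2_ip"
    rm -rf "$d"
}
demo

# On the firewall itself (em2 and the paths are the ones named in the thread):
#   check_cached "$(ifconfig em2 | primary_ipv4)" \
#       /var/db/wan_cacheip /var/db/wan_ip /var/db/em2_ip
```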