    CARP issues

Category: Virtualization
23 Posts, 2 Posters, 2.9k Views
steve40 wrote:

Oh, and sorry for not specifying. The packet captures and other files are in the debug.tar file and the log is in the other file.

Thanks again.

Derelict (LAYER 8, Netgate) wrote:

Please download and post actual pcaps so wireshark can do the heavy lifting.

Thanks.

Also please describe exactly what is "working" and what isn't. Like what traffic to actually look at.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

steve40 wrote:

I'm posting a capture of the pfSense capture as it's working, meaning this is the gateway I am literally connecting to this forum through right now. I've got a continuous ping running to 8.8.8.8 as well. In about 5 minutes I'll be posting the capture taken when it stops working. 0_1532557784353_while-working.cap

steve40 wrote:

0_1532557838891_while-working.pcap

Derelict (LAYER 8, Netgate) wrote:

You might want to set the pcaps to more than 100 frames.

That showed one request and one reply and no CARP.

The best thing to have in your case is probably a transition from working to not working. 10000 frames, 100000 frames. Whatever it takes.


steve40 wrote, replying to Derelict:

0_1532558535343_when-its-broken.pcap

steve40 wrote:

0_1532558669575_whenitworks.pcap

Derelict (LAYER 8, Netgate) wrote:

Is there a package you haven't installed?

It also appears you are playing fast and loose with what is and isn't RFC1918.


Derelict (LAYER 8, Netgate) wrote:

I see nothing in those captures to indicate a problem.

"when-its-broken" When exactly WHAT is broken?


steve40 wrote:

Can no longer connect to the internet, and the continuous ping comes to an immediate halt.

Derelict (LAYER 8, Netgate) wrote:

Cannot connect to the internet from where and continuous pings to what? What does cannot connect mean? DNS resolution? HTTP? HTTPS? What? To where? From where?

Sorry, but you are going to have to be far more specific. From what you have posted it looks like there is no problem on the WAN.

I am fairly sure this is an issue in your virtual environment/switching that will not be solved by changing anything in the firewall settings.

https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html

https://www.netgate.com/docs/pfsense/highavailability/troubleshooting-high-availability-clusters.html


Derelict (LAYER 8, Netgate) wrote:

OK so it looks like there is no response to traffic when it is "broken" and the source is the CARP VIP. But the traffic is going out and there is no reply. You will need to investigate upstream and see why that is.

I don't see any ARP requests for the CARP VIP, and certainly none that are going unanswered.

So, it still points to something upstream probably in your layer 2.


steve40 wrote:

Gone through 3 switches now: 1 TP-Link and two Cisco Catalyst 2960G, both reset to factory defaults running a completely vanilla out-of-the-box config.

Derelict (LAYER 8, Netgate) wrote:

And?

Look at this file you sent: 1532558530465-when-its-broken.pcap

Set a wireshark filter for icmp

Start at frame 183 and look through frame 212.

When the traffic is sourced from .172 (the CARP VIP) there is no response but the traffic IS being sent.

When the traffic is sourced from .173 (the interface address) there is a response.

You have to figure out what is going on UPSTREAM of the firewall that causes this to be true.

I am going to move this to the Virtualization forum because that is where I'll bet your problem is. Some setting in the hypervisor. Maybe it will only allow one active MAC address on the interface at a time or something.


steve40 wrote:

OK. Thanks for the reply.

Does anyone on the virtualization side have any ideas? I've done PCI passthrough via hostdev in the libvirt XML and PCI stubs in GRUB. I'm under the impression that since the OS has no knowledge of the NIC card then neither does libvirt, since it's a user-space app. As I posted earlier, FreeBSD sees the actual Intel chipset instead of the standard e1000 emulated chip that QEMU provides to the guest. Also, the MAC addresses that pfSense sees on the NICs are those that are hardcoded on the hardware. Additionally, the XML config has no entry for these NICs and CentOS can't even bring them up via ifup as the driver has never bound itself to the card.

Maybe I'm missing something on the hypervisor side here, but I'm under the impression that the standard anti-spoofing MAC address feature shouldn't apply here since libvirt is unaware of the existence of the card. Or is it?

Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
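The check Derelict walks through by hand (filter for icmp, compare echoes sourced from the .172 VIP with those sourced from the .173 interface address) and his guess that the hypervisor may only pass one source MAC per interface, which is also what steve40's question about MAC anti-spoofing turns on, as an added Python example that is not from the thread, from pfSense or from Netgate: it parses a classic pcap with only the standard library, pairs every ICMP echo request with its reply, and reports per source IP how many requests went unanswered and whether the sending MAC is the CARP virtual MAC (00:00:5e:00:01:VHID, the address a port locked to the NIC's hardware MAC would drop). The 192.0.2.x addresses, the MACs and the embedded pcap are constructed for the example; the thread's own capture files are not reproduced.

```python
"""Added example (not from the thread or pfSense): triage a pcap the way the
thread does by hand.  Each ICMP echo request is paired with its reply, and the
report shows per source IP how many requests went unanswered and whether the
source MAC is the CARP virtual MAC (00:00:5e:00:01:<VHID>).  The addresses,
MACs and the pcap embedded below are constructed for this example."""
import socket
import struct
from collections import defaultdict

# Prefix shared by VRRP and CARP virtual MACs; the last octet is the VHID.
CARP_MAC_PREFIX = bytes.fromhex("00005e0001")


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (used by IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def echo_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq) -> bytes:
    """Build one Ethernet/IPv4/ICMP echo frame (type 8 = request, 0 = reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"carptest"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    fields = [0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + icmp


def pcap_file(frames, t0=1532558530) -> bytes:
    """Wrap raw Ethernet frames in a little-endian classic pcap (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", t0, n * 1000, len(frame), len(frame)) + frame
    return out


def icmp_echoes(data: bytes):
    """Yield one record per ICMP echo request/reply found in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off, frame_no = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 1:
            continue  # not IPv4, or not ICMP
        ihl = (pkt[14] & 0x0F) * 4
        icmp = pkt[14 + ihl:14 + ihl + 8]
        if len(icmp) < 8 or icmp[0] not in (0, 8):
            continue  # not an echo request/reply
        ident, seq = struct.unpack("!HH", icmp[4:8])
        yield {"frame": frame_no, "src_mac": pkt[6:12], "type": icmp[0],
               "src_ip": socket.inet_ntoa(pkt[26:30]),
               "dst_ip": socket.inet_ntoa(pkt[30:34]), "id": ident, "seq": seq}


def triage(data: bytes) -> dict:
    """Per source IP: requests sent, replies seen, source MAC, CARP-MAC flag."""
    requests, replies = {}, set()
    for r in icmp_echoes(data):
        if r["type"] == 8:
            requests[(r["src_ip"], r["dst_ip"], r["id"], r["seq"])] = r["src_mac"]
        else:  # a reply's src/dst are the request's dst/src
            replies.add((r["dst_ip"], r["src_ip"], r["id"], r["seq"]))
    report = defaultdict(lambda: {"mac": None, "carp_mac": False,
                                  "requests": 0, "replies": 0})
    for key, mac in requests.items():
        row = report[key[0]]
        row["mac"], row["carp_mac"] = mac_str(mac), mac.startswith(CARP_MAC_PREFIX)
        row["requests"] += 1
        row["replies"] += 1 if key in replies else 0
    return dict(report)


def unanswered_sources(report: dict) -> list:
    """Source IPs none of whose echo requests were answered."""
    return sorted(ip for ip, row in report.items()
                  if row["requests"] and row["replies"] == 0)


# Constructed topology: .172 is the CARP VIP (virtual MAC, VHID 1), .173 is the
# interface address with the NIC's own MAC; the gateway only answers .173.
VIP_IP, IF_IP, TARGET = "192.0.2.172", "192.0.2.173", "8.8.8.8"
VIP_MAC, IF_MAC, GW_MAC = "00:00:5e:00:01:01", "52:54:00:aa:bb:cc", "52:54:00:11:22:33"
_frames = []
for _seq in range(1, 4):
    _frames.append(echo_frame(VIP_MAC, GW_MAC, VIP_IP, TARGET, 8, 0x0172, _seq))
    _frames.append(echo_frame(IF_MAC, GW_MAC, IF_IP, TARGET, 8, 0x0173, _seq))
    _frames.append(echo_frame(GW_MAC, IF_MAC, TARGET, IF_IP, 0, 0x0173, _seq))
SAMPLE_PCAP = pcap_file(_frames)

if __name__ == "__main__":
    result = triage(SAMPLE_PCAP)
    for ip, row in sorted(result.items()):
        print(ip, row)
    print("unanswered sources:", unanswered_sources(result))
```

Against a real capture, call `triage(open("when-its-broken.pcap", "rb").read())` (classic pcap only; export from pcapng first if needed). If the VIP's requests leave with the 00:00:5e:00:01:xx MAC and are never answered while the interface address is, the capture has confirmed what Derelict describes, and the next thing to verify is whether the upstream port, virtual switch or physical, accepts frames from a second source MAC on that interface; nothing in the firewall rules changes that outcome.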