Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.3.2 WAN VIP blocks ping/management intermittently. Port forwards always work.

    HA/CARP/VIPs
    2
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      preid
      last edited by

      Hi guys.

      I've run into something weird. I have a 2.3.2 cluster with 4 VIPs configured (2 WANs, 2 LANs).

      I am often unable to ping or connect to the webConfigurator on the WAN VIP. The problem comes and goes. Sometimes it'll work, and sometimes it won't. I can always reach the webConfigurator and ping the VIPs on the LANs, and I can always reach the webConfigurator and ping the real WAN IPs for the nodes. It's just the VIP on the WAN that seems to be a problem.

      The interesting thing is that port forwards through the WAN VIP always work, even when they're originating from the same machine that can't ping or reach the webConfigurator on the WAN VIP.

      I do have firewall rules set for the WAN interface (and indeed, every interface) to allow ping and connectivity to the webConfigurator from my IPs (otherwise I wouldn't be able to ping or connect when using the nodes real WAN IPs) - and like I say, sometimes it works for a little bit, then stops again.

      I've failed the nodes over and back, and the problem persists even when the slave takes over.

      The problem doesn't make sense to me.

      Any ideas of where I can look, or what I can do to diagnose the issue?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Standard Network Connectivity troubleshooting to see what's really failing. What you are seeing is certainly not normal.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • P
          preid
          last edited by

          Thanks for the reply, Derelict.

          Sorry for my slow reply. I went in for surgery, and am just back on my feet again.

          It is indeed unusual. I can see the connection in the state table of the master node, with TIME_WAIT:TIME_WAIT, and 9/4 packets, but the browser tells me the connection was reset, and indeed telnet to the management port is denied as well. ARP of the pfSense VIP is correct on the pinging machine, and ARP of the pinging machine is correct on the pfSense box. It seems like pfSense is blocking the connections, even though it's been told to allow them through (my allow rule uses an alias that includes the VIP and both real IPs of the pfSense boxes). Very, very strange.

          I'll walk through the Network Connectivity process and see if it turns up anything.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.