Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP issues

    Scheduled Pinned Locked Moved
    Virtualization
    2
    23
    2.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      steve40
      last edited by

      Gone through 3 switches now. 1 TP-link and two Cisco catalyst 2960G both reset to factory defaults running a completely vanilla out of the box config.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        And?

        Look at this file you sent: 1532558530465-when-its-broken.pcap

        Set a wireshark filter for icmp

        Start at frame 183 and look through frame 212.

        When the traffic is sourced from .172 (the CARP VIP) there is no response but the traffic IS being sent.

        When the traffic is sourced from .173 (the interface address) there is a response.

        You have to figure out what is going on UPSTREAM of the firewall that causes this to be true.

        I am going to move this to the Virtualization forum because that is where I'll bet your problem is. Some setting in the hypervisor. Maybe it will only allow one active MAC address on the interface at a time or something.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • S
          steve40
          last edited by

          Ok. Thanks for the reply

          Does anyone on the virtualization side have any ideas? Ive done pci passthrough via hostdev in libvirt xml and pci stubs in grub. Im under the impression that since the OS has no knowledge of the NIC card then neithier does libvirt since its a user space app. As i posted ealier freebesd sees the actual intel chipset instead of the standard e1000 emulated chip that QEMU provides to the guest. Also the mac addresses that pfsense sees on the NICs are those that are hardcoded on the hardware Additionally, the xml config has no entry for these nics and the centos cant even bring them up via ifup as the driver has never bound itself to the card.

          Maybe im missing something on the hypervisor side here but im under the impression that atandard anti spoofing mac address feature shouldnt apply here since libvirt is unaware of the existence or the card. Or is it?

          Thsnks

          1 Reply Last reply Reply Quote 0
          • First post
            Last post