Netgate Discussion Forum
    IPv6 CARP with a /127

    HA/CARP/VIPs
    • mmattice

      I've been assigned a /127 by my ISP for our v6 routing. I've set up fake IPv6 addresses on that WAN interface and set our external address up as the CARP VIP. This seemed to work except CARP kept failing to work (double master problem due to leading zeros) and was causing issues with xmlrpc syncing the config to the HA secondary.

      I attempted to strip the leading zeros, but got a "The broadcast address cannot be used for this VIP". There are no broadcast IP addresses on a v6 network as such. A /127 is a perfectly valid network to have two hosts on.

      I've adjusted the code on the primary firewall manually in the following way which at least only makes the network/broadcast checks on v4 addresses. This is probably not the final form of this patch but I have a working system now with a proper master/backup status on my v6 interfaces. In fact, removing the v6 section in the else is probably a more proper way to fix this, but I don't know if (network|broadcast)_addr are used somewhere else.

      --- firewall_virtual_ip_edit.php.bak	2018-11-20 19:59:18.205490000 +0000
      +++ firewall_virtual_ip_edit.php	2018-11-20 19:59:48.149704000 +0000
      @@ -141,16 +141,16 @@
       		if (is_ipaddrv4($_POST['subnet']) && $_POST['subnet_bits'] != "32" && $_POST['subnet_bits'] != "31") {
       			$network_addr = gen_subnet($_POST['subnet'], $_POST['subnet_bits']);
       			$broadcast_addr = gen_subnet_max($_POST['subnet'], $_POST['subnet_bits']);
      +		        if (isset($network_addr) && $_POST['subnet'] == $network_addr) {
      +	        		$input_errors[] = gettext("The network address cannot be used for this VIP");
      +	        	} else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr) {
      +	        		$input_errors[] = gettext("The broadcast address cannot be used for this VIP");
      +	        	}
       		} else if (is_ipaddrv6($_POST['subnet']) && $_POST['subnet_bits'] != "128") {
       			$network_addr = gen_subnetv6($_POST['subnet'], $_POST['subnet_bits']);
       			$broadcast_addr = gen_subnetv6_max($_POST['subnet'], $_POST['subnet_bits']);
       		}
      
      -		if (isset($network_addr) && $_POST['subnet'] == $network_addr) {
      -			$input_errors[] = gettext("The network address cannot be used for this VIP");
      -		} else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr) {
      -			$input_errors[] = gettext("The broadcast address cannot be used for this VIP");
      -		}
       	}
      
       	/* make sure new ip is within the subnet of a valid ip
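      Review bot: the IPv6 branch at the end of the hunk still assigns $network_addr and $broadcast_addr via gen_subnetv6() and gen_subnetv6_max() even though nothing in this block reads them once the check has moved into the IPv4 branch; either drop those two assignments (as the post itself suggests) or confirm that a later part of the file consumes them, because as written they are dead stores that invite the check to be reintroduced for IPv6. Minor: the five added lines mix spaces and tabs while the surrounding code is tab-indented, which would show up as whitespace noise in any upstream submission.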
      
      • mmattice @mmattice

        This is based on a 2.4.4-RELEASE pair of instances btw.
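        As an added illustration (not code from the posts or from pfSense), the following Python mirrors the VIP validation before and after the patch in the first post using the standard ipaddress module, and shows why comparing IPv6 text containing leading zeros fails unless it is canonicalized first. The /127 and the error strings are the poster's situation; the concrete addresses are constructed from the documentation prefix.

```python
import ipaddress

NET_ERR = "The network address cannot be used for this VIP"
BCAST_ERR = "The broadcast address cannot be used for this VIP"


def canonical(addr: str) -> str:
    """RFC 5952 text form: '2001:0db8::0001' and '2001:db8::1' both map to '2001:db8::1'.
    A plain string comparison of raw input (like the PHP '==' in the patch) treats them as different."""
    return str(ipaddress.ip_address(addr))


def _net_bcast_errors(addr, bits: int) -> list:
    # Compare the address against the first and last address of its prefix.
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    if addr == net.network_address:
        return [NET_ERR]
    if addr == net.broadcast_address:
        return [BCAST_ERR]
    return []


def vip_errors_before(subnet: str, bits: int) -> list:
    """Pre-patch logic: the check runs for IPv4 (except /31, /32) and IPv6 (except /128),
    so on a /127 both usable hosts are rejected as 'network' or 'broadcast'."""
    addr = ipaddress.ip_address(subnet)
    skipped = (31, 32) if addr.version == 4 else (128,)
    return [] if bits in skipped else _net_bcast_errors(addr, bits)


def vip_errors_after(subnet: str, bits: int) -> list:
    """Patched logic: the check applies to IPv4 only; IPv6 has no broadcast address
    and all-zero fields are legal (RFC 4291), so both hosts of a /127 pass."""
    addr = ipaddress.ip_address(subnet)
    if addr.version != 4 or bits in (31, 32):
        return []
    return _net_bcast_errors(addr, bits)


if __name__ == "__main__":
    # Constructed sample: a /127 from the documentation prefix, as in the poster's situation.
    for host in ("2001:db8::", "2001:db8::1"):
        print(host, "before:", vip_errors_before(host, 127), "after:", vip_errors_after(host, 127))
    # Raw strings differ, canonical forms are equal.
    print(canonical("2001:0db8::0001") == canonical("2001:db8::1"))  # True
```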

        • Derelict (Netgate)

          You need 3 public addresses to do HA. This applies to IPv4 and IPv6.

          Tell them you're doing VRRP and you need at least a /125.

          If they are being that stingy with IPv6 addresses, well, get another ISP.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • mmattice

            From https://tools.ietf.org/html/rfc4291: In IPv6, all zeros and all ones are legal values for any field, unless specifically excluded. Specifically, prefixes may contain, or end with, zero-valued fields.

            There is no such thing as a broadcast or network address in IPv6 and thus this check is wrong regardless.

            That being said, empirical evidence disagrees with you. You just need IP addresses and a gateway set up. The only reason you "need" the other addresses is so they can monitor the gateway IP address.

            I'm also really tired of people telling me to get another ISP, as if they grow on trees. Especially ones that can actually provide native v6 addresses.

            • Derelict (Netgate)

              No, you need an address for each interface so they can make connections out when they are not CARP MASTER.


              • Derelict (Netgate)

                If you think there is a bug, the proper place to post the steps to duplicate is https://redmine.pfsense.org/


                • mmattice @Derelict

                  Luckily, I don't want the non-CARP master making v6 requests. The backup has no need to do so.

                  Also, I, properly, read the information on redmine which said to post here first.

                  • Derelict (Netgate)

                    The backup needs to make requests to do things like check for updates.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.