A couple of thoughts on the CARP VIP setting in pfBlockerNG-devel 2.2.5_19.
  • Just a couple of thoughts on using the CARP VIP setting in pfBlockerNG-devel 2.2.5_19.

    1. Setting VIP to CARP results in the same base and skew values on both the primary and secondary routers, causing uncertainty as to which interface adopts MASTER status. I assume that when the incorrect interface adopts MASTER status, this will result in timeouts when the DNSBL Webserver needs to be accessed? Also, base and skew values can sometimes be too short in some LAN scenarios.
      pfSense allows the user to manually choose base and skew when setting up CARP VIPs, as that can help with any timing issues on the LAN. It would be good to see that level of control in pfBlockerNG-devel.

    2. pfBlockerNG-devel sets a VHID of 1 to the CARP VIP on my system (YMMV). I assume that's because pfBlockerNG-devel finds the next available VHID on the interface. However, what if the user has other devices on the LAN that use the same VHID value? There is no way for pfBlockerNG-devel to know that, so I expect that the broadcast nature of CARP or VRRP would cause redundancy conflicts in such scenarios.
      pfSense allows the user to manually set VHID to avoid redundancy conflicts, and it would be great to allow the user to do the same in pfBlockerNG-devel.

    We CARP VIP users are not afraid of making manual configurations :)

    That's all I've got.
    Regards,


  • Moderator

    @silentnomad

    This will be fixed in the next devel release...



  • @bbcan177
    Thank you, sir! pfBlockerNG-devel is a great upgrade. I really like the IP and domain block feeds list :)



  • Hi @BBcan177
    sorry for bringing this topic up again, but I'm facing the exact same two issues on two pfSense 2.4.5 boxes in CARP with pfBlockerNG-devel 2.2.5_30

    Should they have been fixed already, or is the fix a bit difficult and taking some time?

    I can survive with the VHID not being customizable (1 was empty in my case, but I'd like to put something much higher to distinguish it from real interfaces), but the SKEW issue is quite annoying because I need to manually change it on the backup firewall and after some time (probably cron/reload) it reverts to the same settings as the master.

    I think the behaviour should be the same as the standard pfSense CARP XMLRPC sync, which keeps the same base and adds +100 to the skew.

    Thanks

    EDIT: Looking quickly through the code, even if I'm not a real PHP expert, I think the issue is here

    $advskew = (isset($config['virtualip_carp_maintenancemode'])) ? 'advskew 254' : 'advskew 0';


    Because it only detects when CARP is down due to maintenance mode, not the "normal" configuration where the slave node is backup because the master is alive. I don't know if pfSense has a parameter to check it, because doing it manually is quite difficult: you would have to check the interface where the pfBlocker VIP is, then check the VIPs on it and get the status of the VIP that is not the pfBlocker one (which should be a "real" VIP).

    Or maybe it could be easier, in case the VIP Address type is CARP, to ask the user to manually create the CARP Virtual IP in pfSense and then, with a picker in pfBlocker, ask them to choose that Virtual IP? If it's in "normal" mode, pfBlocker could take care of creating the Virtual IP etc., but in CARP mode, which is already an advanced function, you could leave it to pfSense and the user so it will be easier to manage/customize (VHID, Base, Skew etc.)
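The two checks discussed in this thread (is a VHID already in use on the interface, and is this node's "real" CARP VIP currently MASTER or BACKUP, so the pfBlocker VIP can get base-equal/skew+100 like the XMLRPC sync does) can be prototyped from `ifconfig` output, which is what FreeBSD reports CARP state through. The script below is an added illustration written for this thread, not code from pfBlockerNG or pfSense; it parses a constructed sample of `ifconfig em0` output (the interface name, addresses and VHIDs are made up), and the `carp:` line format it assumes is FreeBSD's `carp: STATE vhid N advbase N advskew N`.

```shell
#!/bin/sh
# Constructed sample of `ifconfig em0` output on a secondary node (not captured from a real box).
# VHID 5 is the "real" LAN CARP VIP; VHID 1 is the one pfBlockerNG-devel auto-picked.
# Deliberately shows the symptom from the thread: equal skews let the pfBlocker VIP
# end up in a different state than the real VIP on the same node.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 5
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: BACKUP vhid 5 advbase 1 advskew 100
    carp: MASTER vhid 1 advbase 1 advskew 0'

# carp_state_for_vhid OUTPUT VHID
# Print MASTER/BACKUP/INIT for the given VHID, or NONE if no carp line mentions it.
carp_state_for_vhid() {
    _state=$(printf '%s\n' "$1" | awk -v v="$2" \
        '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2 }')
    if [ -n "$_state" ]; then
        printf '%s\n' "$_state"
    else
        printf 'NONE\n'
    fi
}

# vhid_in_use OUTPUT VHID -> exit 0 if the VHID is already configured on this interface.
# Note: this only sees VHIDs on the local box; another device on the LAN using the
# same VHID (the conflict raised in the first post) cannot be detected this way.
vhid_in_use() {
    [ "$(carp_state_for_vhid "$1" "$2")" != NONE ]
}

# next_free_vhid OUTPUT -> lowest VHID (1..255) not yet used on this interface,
# which is the behaviour the first post assumes pfBlockerNG-devel uses.
next_free_vhid() {
    _v=1
    while [ "$_v" -le 255 ]; do
        if ! vhid_in_use "$1" "$_v"; then
            printf '%s\n' "$_v"
            return 0
        fi
        _v=$((_v + 1))
    done
    return 1
}

# backup_skew MASTER_SKEW -> skew for the backup node, +100 like the XMLRPC sync
# described in the thread, capped at CARP's maximum advskew of 254.
backup_skew() {
    _s=$(( $1 + 100 ))
    [ "$_s" -gt 254 ] && _s=254
    printf '%s\n' "$_s"
}

# skew_for_node OUTPUT REAL_VHID MASTER_SKEW
# Derive the pfBlocker VIP's skew from the state of the node's real CARP VIP:
# the real VIP is MASTER -> keep the master skew; anything else -> backup skew.
skew_for_node() {
    if [ "$(carp_state_for_vhid "$1" "$2")" = MASTER ]; then
        printf '%s\n' "$3"
    else
        backup_skew "$3"
    fi
}

# Stand-alone usage with the constructed sample.
echo "real VIP (vhid 5) state:     $(carp_state_for_vhid "$SAMPLE_IFCONFIG" 5)"
echo "pfBlocker VIP (vhid 1) state: $(carp_state_for_vhid "$SAMPLE_IFCONFIG" 1)"
echo "next free vhid on em0:        $(next_free_vhid "$SAMPLE_IFCONFIG")"
echo "skew this node should use:    $(skew_for_node "$SAMPLE_IFCONFIG" 5 0)"
```

On a live pfSense box the sample string would be replaced by `ifconfig <lan-if>`, and the mismatch shown above (real VIP BACKUP, pfBlocker VIP MASTER on the same node) is exactly the state equal skews can produce; deriving the skew from the real VIP's state makes both VIPs fail over together.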

