Carp Firewall rule clears after sync



  • Hi,

    I posted this in the firewall section as well. Every time the rules sync, the allow rule set up for traffic between CARP interfaces clears and has to be set again. Is this normal behavior? Has it been seen before?

    thanks

    Zack



  • OK, does anyone know how I could add a cron job to put the rule back every hour or so?

    Thanks

    Zack



  • I have never seen that happen, so I would tend to think you were doing something wrong.
    Firewall, Virtual IPs, CARP settings: sync is checked on the master, not on the backup unit? You are doing edits on the master? Master is logging successful sync, etc.?



  • Yep, everything is set up as described.

    If I could figure out a way to check and re-add the rule every hour or so, that would help a lot.

    Cheers

    Zack



  • Master and Backup Firewall need the same interface order…

    e.g. first tab LAN, second WAN, third CARP; both systems need the same order in the firewall tabs.



  • Yes this is correct also, all in the right order.

    The rule on the backup firewall clears after a successful sync, and you have to add it back in before adding a new rule/CARP IP/IPsec setting.

    Cheers

    Zack



  • Are the interfaces all on the same if number? e.g. xl0
    I have one box with 3 xl (3com) cards in it and the other has 4 xl
    If you have one box with
    xl0 - WAN
    xl1 - LAN
    xl2 - CARP_SYNC
    and on the other one you have
    xl0 - WAN
    xl1 - LAN
    xl2 - not used
    xl3 - CARP_SYNC

    and you assign xl2 on the master as CARP sync, that rule will be copied to xl2 on the slave and not to the one named CARP_SYNC.
    This will also cause problems if you have a mix of NICs from different manufacturers, e.g. xl and fxp.

    pfs used to copy on the name, but this is broken in 2.0. I haven't used 1.2… for ages, so I don't know if this applies there.
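The post above explains the failure mode as a positional mismatch: the rule follows the interface slot (opt1, xl2) rather than the friendly name (CARP_SYNC). The script below is an added example, not code from the thread or from pfSense, that makes that check concrete. It assumes the config.xml layout where `<interfaces>` holds one child per assigned interface (`wan`, `lan`, `opt1`, ...) carrying `<if>` (NIC device) and `<descr>` (friendly name), and where filter rules reference the child tag in `<interface>`. The two configs embedded in it are constructed to mirror the 3-NIC and 4-NIC boxes in the post; the assertion that sync matches by tag is the post's claim, not something the script verifies against a live firewall.

```python
"""Compare interface assignments of a master and backup config.xml.

Added example; not code from the original thread or from pfSense.
Assumed layout (an assumption, not verified here):
  <interfaces><opt1><if>xl2</if><descr>CARP_SYNC</descr></opt1>...
  <filter><rule><interface>opt1</interface>...</rule></filter>
"""
import xml.etree.ElementTree as ET

# Constructed sample: master has three xl NICs, CARP sync on xl2 (opt1).
MASTER_XML = """<pfsense>
  <interfaces>
    <wan><if>xl0</if><descr>WAN</descr></wan>
    <lan><if>xl1</if><descr>LAN</descr></lan>
    <opt1><if>xl2</if><descr>CARP_SYNC</descr></opt1>
  </interfaces>
  <filter>
    <rule><interface>opt1</interface><descr>allow pfsync</descr></rule>
  </filter>
</pfsense>"""

# Constructed sample: backup has four xl NICs, CARP sync on xl3 (opt2).
BACKUP_XML = """<pfsense>
  <interfaces>
    <wan><if>xl0</if><descr>WAN</descr></wan>
    <lan><if>xl1</if><descr>LAN</descr></lan>
    <opt1><if>xl2</if><descr>not used</descr></opt1>
    <opt2><if>xl3</if><descr>CARP_SYNC</descr></opt2>
  </interfaces>
</pfsense>"""


def interface_map(xml_text):
    """Return an ordered list of (tag, device, descr) from <interfaces>."""
    root = ET.fromstring(xml_text)
    out = []
    for child in root.find("interfaces"):
        dev = child.findtext("if", default="")
        descr = child.findtext("descr", default=child.tag)
        out.append((child.tag, dev, descr))
    return out


def compare_interfaces(master_xml, backup_xml):
    """Return a list of mismatch strings; an empty list means the layouts agree."""
    m = {tag: (dev, descr) for tag, dev, descr in interface_map(master_xml)}
    b = {tag: (dev, descr) for tag, dev, descr in interface_map(backup_xml)}
    problems = []
    for tag, (dev, descr) in m.items():
        if tag not in b:
            problems.append(f"{tag} ({descr}) assigned on master but not on backup")
            continue
        bdev, bdescr = b[tag]
        if bdev != dev:
            problems.append(f"{tag}: master uses {dev}, backup uses {bdev}")
        if bdescr != descr:
            problems.append(f"{tag}: master calls it {descr!r}, backup calls it {bdescr!r}")
    for tag, (dev, descr) in b.items():
        if tag not in m:
            problems.append(f"{tag} ({descr}) assigned on backup only")
    return problems


def rule_landing(master_xml, backup_xml):
    """Map each master rule's descr to (master interface name, backup interface name),
    assuming sync matches rules by interface tag (opt1...) rather than by descr."""
    m = {tag: (dev, descr) for tag, dev, descr in interface_map(master_xml)}
    b = {tag: (dev, descr) for tag, dev, descr in interface_map(backup_xml)}
    landing = {}
    for rule in ET.fromstring(master_xml).iter("rule"):
        tag = rule.findtext("interface")
        landing[rule.findtext("descr", default="")] = (
            m[tag][1], b.get(tag, ("", "<unassigned>"))[1])
    return landing


if __name__ == "__main__":
    for line in compare_interfaces(MASTER_XML, BACKUP_XML):
        print("MISMATCH:", line)
    for name, (src, dst) in rule_landing(MASTER_XML, BACKUP_XML).items():
        print(f"rule {name!r}: master {src} -> backup {dst}")
```

Run against the two constructed configs it reports that opt1 is CARP_SYNC on the master but "not used" on the backup, that opt2 exists only on the backup, and that the "allow pfsync" rule would land on the backup's unused interface. Against two matching configs it reports nothing.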



  • my Interfaces are:

    fw0:
    LAN BGE1
    WAN BGE0
    Lan2 RE0
    CARP RE1

    fw1:
    LAN BGE1
    WAN BGE0
    Lan2 RE0
    CARP RE1

    All other rules on other interfaces/VLANs sync fine.

    Hoping that when the new version is available it will sort it. Other than that, I'll have to work out a cron job to insert the rule every hour or so.

    Thanks

    Zack



  • I'm still of the opinion that if this were a bug, someone else would have seen it. You could post your sanitized configs from both firewalls and someone might be willing to look them over.



  • What if you try to add, on the master firewall, some weird distinguishable rule on the CARP interface (I suspect this is the interface for pfsync)? Does it appear on the slave firewall on any other interface?

