Netgate XG-7100 & Virtual IP

Official Netgate® Hardware
• PPCM

      Hi there,

We made a new install on 2 Netgate XG-7100 for HA.
Everything works fine, except one thing: the Virtual IP.

We are not able to ping the VIP.

There are some docs like:
https://docs.netgate.com/pfsense/en/latest/book/highavailability/high-availability-troubleshooting.html
and
https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html
But where is the answer?

I made a test with VirtualBox, and to make it work, the network interfaces must be in promiscuous mode. So in the test, things now work fine.
Now, I have no idea how to reproduce the same thing with the XG-7100.

      Any suggestion?
      Thanks

• Derelict (Netgate)

        You will want to post exactly what you have done. There is nothing special about the XG-7100 and CARP VIPs other than what is here:

        https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html#high-availability

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

• PPCM

          Thanks for the answer

          I made a simple test on the XG-7100

          I reset to factory settings both appliances.
          On router 1:
          LAN IP Address is set: 192.168.3.252/22

          On router 2:
          LAN IP Address is set: 192.168.3.253/22

          On both appliances, LAN is connected and webConfigurator is available. In addition, I am able to ping, from my network, 192.168.3.252 and 192.168.3.253

Now for the VIP, the following configuration is set on both routers:
          Type : CARP
          Interface : LAN
          Address(es) : 192.168.3.250 / 22
          Virtual IP Password : *******
          VHID group : 1
          Advertising frequency : 1 / 0

          On Status / CARP (failover) for router 1 : LAN@1 192.168.3.250/22 MASTER
          On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 BACKUP

          From my network, I am not able to ping 192.168.3.250
          On router 1, I am able to ping 192.168.3.250
          On router 2, I am not able to ping 192.168.3.250

When I disconnect the network cable from router 1, router 1 is no longer available (of course).
          On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 MASTER

          And from my network, I am not able to ping 192.168.3.250
          On router 2, I am able to ping 192.168.3.250

          I don't know what to do to make 192.168.3.250 reachable from my network like 192.168.3.252 and 192.168.3.253.
As I said, with the test on VirtualBox, I had to set promiscuous mode for the network interfaces...

          Thanks for your help

• PPCM (replying to PPCM)

            I notice that sometimes, when I ping 192.168.3.250, a packet can pass

• Derelict (Netgate)

              I cannot test with two XG-7100s because I only have immediate access to one.

              That said I have no problems with CARP VIPs on LAN:

[attached screenshot]

              $ ping -c3 192.168.1.1
              PING 192.168.1.1 (192.168.1.1): 56 data bytes
              64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.184 ms
              64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.289 ms
              64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.307 ms

              --- 192.168.1.1 ping statistics ---
              3 packets transmitted, 3 packets received, 0.0% packet loss
              round-trip min/avg/max/stddev = 0.184/0.260/0.307/0.054 ms
              $ ping -c3 192.168.1.2
              PING 192.168.1.2 (192.168.1.2): 56 data bytes
              64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.407 ms
              64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.269 ms
              64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.329 ms

              --- 192.168.1.2 ping statistics ---
              3 packets transmitted, 3 packets received, 0.0% packet loss
              round-trip min/avg/max/stddev = 0.269/0.335/0.407/0.056 ms
              $ ping -c3 192.168.1.3
              PING 192.168.1.3 (192.168.1.3): 56 data bytes
              64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.395 ms
              64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.359 ms
              64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.364 ms

              --- 192.168.1.3 ping statistics ---
              3 packets transmitted, 3 packets received, 0.0% packet loss
              round-trip min/avg/max/stddev = 0.359/0.373/0.395/0.016 ms
              $ ping -c3 192.168.1.254
              PING 192.168.1.254 (192.168.1.254): 56 data bytes
              64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=0.410 ms
              64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.196 ms
              64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.199 ms

              --- 192.168.1.254 ping statistics ---
              3 packets transmitted, 3 packets received, 0.0% packet loss
              round-trip min/avg/max/stddev = 0.196/0.268/0.410/0.100 ms
              $ arp -an
              ? (192.168.1.1) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
              ? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
              ? (192.168.1.3) at 0:0:5e:0:1:2 on en0 ifscope [ethernet]
              ? (192.168.1.254) at 0:0:5e:0:1:3 on en0 ifscope [ethernet]
              ? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

              CARP issues like you are describing are almost always something funky at layer 2. You probably want to describe how you have it all connected.


• Frankye

                The Interfaces -> Switches part is not synced via CARP IIRC, could it be possible you have made a configuration error on one of the two members?

• stephenw10 (Netgate Administrator)

                  Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.

                  Steve

• Derelict (Netgate), replying to stephenw10

@stephenw10 said in Netgate XG-7100 & Virtual IP:

Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.

                    Steve

                    Except:

                    PPCM a day ago

                    I notice that sometimes, when I ping 192.168.3.250, a packet can pass


• stephenw10 (Netgate Administrator)

                      Maybe an open icmp state from an outbound test when that happens?

• Derelict (Netgate)

                        Maybe - generally starting a new ping doesn't match dangling states.


• stephenw10 (Netgate Administrator)

True, it would have a different ID if pinging from pfSense.. 🤔

• PPCM

                            Thanks a lot for all your help

                            It is a fresh install, no rule is added

About the connection, both XG-7100 are connected to a freshly reset switch (DELL N1524P) on the LAN network of the routers (Eth4 on each of them).

                            Nothing special, that's why I can't understand...

• Derelict (Netgate)

                              Connect LAN-to-LAN on the 7100s (Like ETH3 - ETH3)

                              Connect a workstation to another LAN port on either of the firewalls (ETH4 to ETH8).

                              Does your problem go away?

                              If so, it's the Dell switch.


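As an added example (not code from this thread, from Netgate or from pfSense), the following Python script applies the two client-side checks Derelict's earlier post relies on, and that you would repeat before and after the direct ETH3-to-ETH3 isolation test he describes here: does the VIP answer pings, and does the client's ARP cache map the VIP to the CARP virtual MAC 00:00:5e:00:01:<VHID> (the 0:0:5e:0:1:1 style entries in his arp -an output)? A VIP that pings intermittently and has no ARP entry, or that resolves to a physical NIC's MAC instead of the CARP MAC, points at the layer 2 path (the switch) rather than at the firewalls. The "healthy" sample is Derelict's own arp/ping output from above; the "failing" sample, including its MAC addresses, is constructed to mirror PPCM's symptom on VHID 1 with VIP 192.168.3.250, and the status strings are this script's own names, not pfSense terminology.

```python
import re

# IEEE MAC prefix shared by VRRP and CARP virtual MACs; the final octet is the VHID.
CARP_MAC_PREFIX = "00:00:5e:00:01"

# One BSD/macOS "arp -an" line: "? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]"
ARP_RE = re.compile(r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))")
# Summary block printed by "ping -c N"
PING_RE = re.compile(
    r"--- (?P<ip>\d+(?:\.\d+){3}) ping statistics ---\s+"
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received"
)


def normalize_mac(mac: str) -> str:
    """BSD arp prints 0:0:5e:0:1:1 for 00:00:5e:00:01:01; zero-pad each octet."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def carp_vhid(mac: str):
    """Return the VHID encoded in a CARP/VRRP virtual MAC, or None for any other MAC."""
    mac = normalize_mac(mac)
    if mac.startswith(CARP_MAC_PREFIX + ":"):
        return int(mac.rsplit(":", 1)[1], 16)
    return None


def parse_arp(text: str) -> dict:
    """Map IP -> normalized MAC (None for an incomplete entry)."""
    table = {}
    for m in ARP_RE.finditer(text):
        mac = m.group("mac")
        table[m.group("ip")] = None if mac == "(incomplete)" else normalize_mac(mac)
    return table


def parse_ping(text: str) -> dict:
    """Map IP -> (packets sent, packets received) from ping summary blocks."""
    return {m.group("ip"): (int(m.group("sent")), int(m.group("recv")))
            for m in PING_RE.finditer(text)}


def check_vip(vip: str, expected_vhid: int, arp: dict, ping: dict) -> tuple:
    """Classify a CARP VIP as seen from a client on the same segment."""
    sent, recv = ping.get(vip, (0, 0))
    if sent == 0:
        reach = "no-data"
    elif recv == 0:
        reach = "unreachable"
    elif recv < sent:
        reach = "intermittent"        # "sometimes a packet can pass"
    else:
        reach = "reachable"

    mac = arp.get(vip)
    if mac is None:
        layer2 = "no-arp"             # nothing on this segment answered ARP for the VIP
    else:
        vhid = carp_vhid(mac)
        if vhid == expected_vhid:
            layer2 = "carp-ok"        # VIP resolves to the CARP MAC for the configured VHID
        elif vhid is not None:
            layer2 = "vhid-mismatch"  # CARP MAC, but a different VHID than configured
        else:
            layer2 = "non-carp-mac"   # a physical NIC is claiming the VIP address
    return reach, layer2


# Derelict's capture from the thread: LAN address .1, CARP VIPs .2/.3/.254 (VHIDs 1, 2, 3).
HEALTHY_ARP = """\
? (192.168.1.1) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
? (192.168.1.3) at 0:0:5e:0:1:2 on en0 ifscope [ethernet]
? (192.168.1.254) at 0:0:5e:0:1:3 on en0 ifscope [ethernet]
"""
HEALTHY_PING = """\
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
"""
# Constructed capture mirroring PPCM's symptom (VHID 1, VIP 192.168.3.250; MACs are made up).
FAILING_ARP = """\
? (192.168.3.252) at 0:8:a2:11:22:33 on en0 ifscope [ethernet]
? (192.168.3.250) at (incomplete) on en0 ifscope [ethernet]
"""
FAILING_PING = """\
--- 192.168.3.250 ping statistics ---
5 packets transmitted, 1 packets received, 80.0% packet loss
"""

if __name__ == "__main__":
    for label, vip, arp_txt, ping_txt in (
        ("healthy", "192.168.1.2", HEALTHY_ARP, HEALTHY_PING),
        ("failing", "192.168.3.250", FAILING_ARP, FAILING_PING),
    ):
        print(label, vip, check_vip(vip, 1, parse_arp(arp_txt), parse_ping(ping_txt)))
```

To use it on a live client, paste the output of `ping -c 5 <VIP>` and `arp -an` into the two strings and pass the VHID from the Virtual IP configuration (1 in PPCM's case). Doing that once with the Dell switch in the path and once with the direct LAN-to-LAN link gives a side-by-side answer to "does the problem go away?", and the ARP result tells you whether the VIP is silent at layer 2 or whether something else is answering for it.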