Netgate XG-7100 & Virtual IP



  • Hi there,

    We made a new install on 2 Netgate XG-7100 for HA
    Everything works fine, except one thing: Virtual IP

    We are not able to ping the VIP.

    There are some docs like:
    https://docs.netgate.com/pfsense/en/latest/book/highavailability/high-availability-troubleshooting.html
    and
    https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html
    But where is the answer?

    I made a test with VirtualBox, and to make it work, the network interfaces must be in promiscuous mode. So in the test, things now work fine.
    Now, I have no idea how to reproduce the same thing with the XG-7100.

    Any suggestion?
    Thanks


  • LAYER 8 Netgate

    You will want to post exactly what you have done. There is nothing special about the XG-7100 and CARP VIPs other than what is here:

    https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html#high-availability



  • Thanks for the answer

    I made a simple test on the XG-7100

    I reset to factory settings both appliances.
    On router 1:
    LAN IP Address is set: 192.168.3.252/22

    On router 2:
    LAN IP Address is set: 192.168.3.253/22

    On both appliances, LAN is connected and webConfigurator is available. In addition, I am able to ping, from my network, 192.168.3.252 and 192.168.3.253

    Now for the VIP, the following configuration is set on both routers:
    Type : CARP
    Interface : LAN
    Address(es) : 192.168.3.250 / 22
    Virtual IP Password : *******
    VHID group : 1
    Advertising frequency : 1 / 0

    On Status / CARP (failover) for router 1 : LAN@1 192.168.3.250/22 MASTER
    On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 BACKUP

    From my network, I am not able to ping 192.168.3.250
    On router 1, I am able to ping 192.168.3.250
    On router 2, I am not able to ping 192.168.3.250

    When I disconnect the network cable from router 1, router 1 is no longer available (of course)
    On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 MASTER

    And from my network, I am not able to ping 192.168.3.250
    On router 2, I am able to ping 192.168.3.250

    I don't know what to do to make 192.168.3.250 reachable from my network like 192.168.3.252 and 192.168.3.253.
    As I said, with the test on VirtualBox, I had to set promiscuous mode for the network interfaces...

    Thanks for your help



  • I notice that sometimes, when I ping 192.168.3.250, a packet can pass


  • LAYER 8 Netgate

    I cannot test with two XG-7100s because I only have immediate access to one.

    That said I have no problems with CARP VIPs on LAN:


    $ ping -c3 192.168.1.1
    PING 192.168.1.1 (192.168.1.1): 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.184 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.289 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.307 ms

    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.184/0.260/0.307/0.054 ms
    $ ping -c3 192.168.1.2
    PING 192.168.1.2 (192.168.1.2): 56 data bytes
    64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.407 ms
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.269 ms
    64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.329 ms

    --- 192.168.1.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.269/0.335/0.407/0.056 ms
    $ ping -c3 192.168.1.3
    PING 192.168.1.3 (192.168.1.3): 56 data bytes
    64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.395 ms
    64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.359 ms
    64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.364 ms

    --- 192.168.1.3 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.359/0.373/0.395/0.016 ms
    $ ping -c3 192.168.1.254
    PING 192.168.1.254 (192.168.1.254): 56 data bytes
    64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=0.410 ms
    64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.196 ms
    64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.199 ms

    --- 192.168.1.254 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.196/0.268/0.410/0.100 ms
    $ arp -an
    ? (192.168.1.1) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
    ? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
    ? (192.168.1.3) at 0:0:5e:0:1:2 on en0 ifscope [ethernet]
    ? (192.168.1.254) at 0:0:5e:0:1:3 on en0 ifscope [ethernet]
    ? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

    CARP issues like you are describing are almost always something funky at layer 2. You probably want to describe how you have it all connected.
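A small check for the ARP evidence shown above, added here as an example and not part of the original post: it parses `arp -an` output in the format quoted and verifies that each VIP resolves to the MAC CARP advertises for its VHID (00:00:5e:00:01:VHID). The ARP table it runs on is a constructed sample; the VIP addresses and VHID are those from the thread.

```python
# Added example (not from the thread): check that each CARP VIP in a host's
# ARP table resolves to the MAC CARP advertises, 00:00:5e:00:01:<VHID>.
# Parses the BSD/macOS `arp -an` format shown above (hex bytes unpadded).
# A VIP resolving to a physical MAC, or not at all, points at layer 2.
import re

CARP_MAC_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)  # last byte is the VHID
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))")

def parse_arp(output):
    """Map IP -> zero-padded lowercase MAC, or None for an incomplete entry."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = m.group("mac")
        if mac == "(incomplete)":
            table[m.group("ip")] = None
        else:
            table[m.group("ip")] = ":".join(f"{int(b, 16):02x}" for b in mac.split(":"))
    return table

def carp_mac(vhid):
    """Expected MAC for a CARP VIP with the given VHID (1..255)."""
    assert 1 <= vhid <= 255, "VHID must be 1..255"
    return ":".join(f"{b:02x}" for b in CARP_MAC_PREFIX + (vhid,))

def check_vips(arp_output, vips):
    """Verdict per VIP: 'ok', 'missing', 'incomplete' or 'wrong-mac <mac>'."""
    table = parse_arp(arp_output)
    verdicts = {}
    for ip, vhid in vips.items():
        if ip not in table:
            verdicts[ip] = "missing"
        elif table[ip] is None:
            verdicts[ip] = "incomplete"
        elif table[ip] == carp_mac(vhid):
            verdicts[ip] = "ok"
        else:
            verdicts[ip] = "wrong-mac " + table[ip]
    return verdicts

# Constructed sample: 192.168.3.250 (VHID 1 in the thread) wrongly resolves to a physical MAC.
SAMPLE_ARP = """\
? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
? (192.168.3.250) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
? (192.168.3.251) at (incomplete) on en0 ifscope [ethernet]
"""
```

Run `check_vips(SAMPLE_ARP, {"192.168.3.250": 1})` on the workstation's real `arp -an` output after pinging the VIP; a "wrong-mac" or "incomplete" verdict means the switch path, not the firewall, is delivering the wrong answer.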



  • The Interfaces -> Switches part is not synced via CARP IIRC, could it be possible you have made a configuration error on one of the two members?


  • Netgate Administrator

    Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
    If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.

    Steve


  • LAYER 8 Netgate

    @stephenw10 said in Netgate XG-7100 & Virtual IP:

    Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
    If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.

    Steve

    Except:

    PPCM a day ago

    I notice that sometimes, when I ping 192.168.3.250, a packet can pass


  • Netgate Administrator

    Maybe an open icmp state from an outbound test when that happens?


  • LAYER 8 Netgate

    Maybe - generally starting a new ping doesn't match dangling states.


  • Netgate Administrator

    True, it would have a different ID if pinging from pfSense.. 🤔



  • Thanks a lot for all your help

    It is a fresh install, no rule is added

    About the connection, both XG-7100s are connected to a freshly reset switch (DELL N1524P) on the LAN network of the routers (Eth4 on each of them)

    Nothing special, that's why I can't understand...


  • LAYER 8 Netgate

    Connect LAN-to-LAN on the 7100s (Like ETH3 - ETH3)

    Connect a workstation to another LAN port on either of the firewalls (ETH4 to ETH8).

    Does your problem go away?

    If so, it's the Dell switch.

