Netgate XG-7100 & Virtual IP
-
Hi there,
We made a new install on 2 Netgate XG-7100 for HA
Everything works fine, except one thing: Virtual IP. We are not able to ping the VIP.
There are some docs like:
https://docs.netgate.com/pfsense/en/latest/book/highavailability/high-availability-troubleshooting.html
and
https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html
But where is the answer? I made a test with VirtualBox, and to make it work, network interfaces must be in promiscuous mode. So in the test, things now work fine.
Now I have no idea how to reproduce the same thing with the XG-7100. Any suggestion?
Thanks
-
You will want to post exactly what you have done. There is nothing special about the XG-7100 and CARP VIPs other than what is here:
https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/switch-overview.html#high-availability
-
Thanks for the answer
I made a simple test on the XG-7100
I reset to factory settings both appliances.
On router 1:
LAN IP Address is set: 192.168.3.252/22
On router 2:
LAN IP Address is set: 192.168.3.253/22
On both appliances, LAN is connected and webConfigurator is available. In addition, I am able to ping, from my network, 192.168.3.252 and 192.168.3.253.
Now for VIP, the following configuration is set on both routers:
Type : CARP
Interface : LAN
Address(es) : 192.168.3.250 / 22
Virtual IP Password : *******
VHID group : 1
Advertising frequency : 1 / 0
On Status / CARP (failover) for router 1 : LAN@1 192.168.3.250/22 MASTER
On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 BACKUP
From my network, I am not able to ping 192.168.3.250.
On router 1, I am able to ping 192.168.3.250.
On router 2, I am not able to ping 192.168.3.250.
When I disconnect the network cable from router 1, router 1 is no more available (of course).
On Status / CARP (failover) for router 2 : LAN@1 192.168.3.250/22 MASTER
And from my network, I am not able to ping 192.168.3.250.
On router 2, I am able to ping 192.168.3.250.
I don't know what to do to make 192.168.3.250 reachable from my network like 192.168.3.252 and 192.168.3.253.
As I said, with the test on VirtualBox, I had to set promiscuous mode for network interfaces...
Thanks for your help
-
I notice that sometimes, when I ping 192.168.3.250, a packet can pass
-
I cannot test with two XG-7100s because I only have immediate access to one.
That said I have no problems with CARP VIPs on LAN:
$ ping -c3 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.184 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.289 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.307 ms
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.184/0.260/0.307/0.054 ms
$ ping -c3 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.407 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.269 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.329 ms
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.269/0.335/0.407/0.056 ms
$ ping -c3 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.395 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.359 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.364 ms
--- 192.168.1.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.359/0.373/0.395/0.016 ms
$ ping -c3 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=0.410 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.196 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.199 ms
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.196/0.268/0.410/0.100 ms
$ arp -an
? (192.168.1.1) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
? (192.168.1.3) at 0:0:5e:0:1:2 on en0 ifscope [ethernet]
? (192.168.1.254) at 0:0:5e:0:1:3 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
CARP issues like you are describing are almost always something funky at layer 2. You probably want to describe how you have it all connected.
-
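As an added example (not from any poster in this thread, and not pfSense or Netgate code): a small Python check that reads `arp -an` output from a host on the LAN and verifies that each CARP VIP resolves to the virtual MAC CARP uses for its VHID, 00:00:5e:00:01:<VHID>, which is exactly the pattern visible in the arp table quoted above (VHID 1 answers as 0:0:5e:0:1:1). The two arp samples are constructed; the "broken" one assumes the failure looks from a client like the symptom in this thread, namely the physical LAN addresses resolve but the VIP never gets an ARP reply. The regex assumes the BSD/macOS line layout shown above (Linux `arp -an` matches too for resolved entries; its `<incomplete>` marker is simply treated as no reply).

```python
import re

# CARP, like VRRP, answers for a VIP from a virtual MAC whose last byte is the VHID:
# 00:00:5e:00:01:<vhid>. The thread's `arp -an` output shows exactly that pattern.
CARP_OUI = "00:00:5e:00:01"

# Constructed sample in the `arp -an` format quoted in the thread (not captured data).
SAMPLE_ARP_OK = """\
? (192.168.1.1) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
? (192.168.1.2) at 0:0:5e:0:1:1 on en0 ifscope [ethernet]
? (192.168.1.3) at 0:0:5e:0:1:2 on en0 ifscope [ethernet]
? (192.168.1.254) at 0:0:5e:0:1:3 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Constructed sample of what a client would see in a setup like the one in the thread:
# both physical LAN addresses resolve, but the VIP never gets an ARP reply.
# The MAC values are made up.
SAMPLE_ARP_BROKEN = """\
? (192.168.3.252) at 0:8:a2:e:a8:63 on en0 ifscope [ethernet]
? (192.168.3.253) at 0:8:a2:e:a8:64 on en0 ifscope [ethernet]
? (192.168.3.250) at (incomplete) on en0 ifscope [ethernet]
"""

# "(ip) at mac" is common to BSD, macOS and Linux `arp -an`; "(incomplete)" is the BSD marker.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\)\s+at\s+(?P<mac>[0-9a-fA-F:]+|\(incomplete\))"
)


def normalize_mac(mac):
    """Zero-pad each octet so '0:0:5e:0:1:1' and '00:00:5e:00:01:01' compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def parse_arp(text):
    """Map each IP in `arp -an` output to its normalized MAC, or None if unresolved."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = m.group("mac")
        table[m.group("ip")] = None if mac == "(incomplete)" else normalize_mac(mac)
    return table


def carp_mac(vhid):
    """Virtual MAC a CARP master uses for the given VHID (1-255)."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1-255")
    return f"{CARP_OUI}:{vhid:02x}"


def check_vips(table, vips):
    """Classify each VIP -> VHID pair against a parsed neighbour table.

    'ok'                 the VIP resolves to the expected CARP virtual MAC
    'no-reply'           nothing answered ARP: no master reachable, the classic
                         layer-2 symptom described in the thread
    'vhid-mismatch:<n>'  a CARP MAC for a different VHID answered (config mismatch)
    'non-carp-mac:<mac>' a physical NIC answered for the VIP (duplicate/static IP)
    """
    results = {}
    for vip, vhid in vips.items():
        mac = table.get(vip)
        expected = carp_mac(vhid)
        if mac is None:
            results[vip] = "no-reply"
        elif mac == expected:
            results[vip] = "ok"
        elif mac.startswith(CARP_OUI + ":"):
            results[vip] = f"vhid-mismatch:{int(mac.rsplit(':', 1)[1], 16)}"
        else:
            results[vip] = f"non-carp-mac:{mac}"
    return results


if __name__ == "__main__":
    healthy = check_vips(
        parse_arp(SAMPLE_ARP_OK),
        {"192.168.1.2": 1, "192.168.1.3": 2, "192.168.1.254": 3},
    )
    broken = check_vips(parse_arp(SAMPLE_ARP_BROKEN), {"192.168.3.250": 1})
    print("healthy lab:", healthy)
    print("thread-like failure:", broken)
```

On a real client you would feed it `subprocess.check_output(["arp", "-an"], text=True)` after pinging the VIP once. A "no-reply" for the VIP while the members' own LAN addresses resolve points at layer 2 between the client and the master (switch port, VLAN, or the XG-7100 switch configuration); a "non-carp-mac" result means some other device is claiming the VIP address.
-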
The Interfaces -> Switches part is not synced via CARP IIRC, could it be possible you have made a configuration error on one of the two members?
-
Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.
Steve
-
@stephenw10 said in Netgate XG-7100 & Virtual IP:
Curious. Since they correctly show as Master/Backup when joined you must have layer 2 connectivity between them at least. I would certainly expect to be able to ping the VIP from the secondary unless you have firewall rules specifically blocking it, or not passing it.
If your rules on LAN allow pinging the LAN address rather than LAN net, that would do it.
Steve
Except:
PPCM a day ago
I notice that sometimes, when I ping 192.168.3.250, a packet can pass
-
Maybe an open icmp state from an outbound test when that happens?
-
Maybe - generally starting a new ping doesn't match dangling states.
-
True, it would have a different ID if pinging from pfSense.
-
Thanks a lot for all your help
It is a fresh install, no rule is added
About the connection, both XG-7100s are connected to a freshly reset switch (DELL N1524P) on the LAN network of the routers (Eth4 on each of them).
Nothing special, that's why I can't understand...
-
Connect LAN-to-LAN on the 7100s (Like ETH3 - ETH3)
Connect a workstation to another LAN port on either of the firewalls (ETH4 to ETH8).
Does your problem go away?
If so, it's the Dell switch.