Rules weirdness when source and destination are self with CARP.
-
I'm getting some very odd behavior out of pfSense. I have 6 interfaces on a box (one on-board, a quad card, and a gigabit card). I have advanced outbound NAT disabled and the default NAT rule removed, so we have a strictly routing platform.
When I attempt to ping any of the CARP IPs, it shows the source IP as my CARP IP, the destination as the CARP IP, and blocked by the default rule, and references the CARP interface, thus blocking any traffic. I had a similar problem a few days ago. Blowing away the install and starting over was the only way to fix it. I'm also getting "incorrect hash" errors for CARP1, and I have deleted and recreated the interface many times, by stopping CARP on the slave box, deleting the interface, going to the master box, stopping CARP, deleting the interface, recreating the interface, starting CARP, and forcing a sync. The interface re-appears on the slave, but still scrolls "incorrect hash" in the logs.
I'm trying not to have to blow away my install again as it took a long time to get this far. :(
-
Incorrect hash errors mean that your password + IP + VHIDs do not match.
BTW: You have to be on the top 10 of question people. When do you plan on answering more questions in return?
-
As soon as I have answers to give! ;D
Which in this case, I do have an answer.
It would appear at least that CARP is a kind of broadcast, rather than directed at one particular host. If you have multiple CARP clusters on the same network segment, they CANNOT have the same VHIDs. This was the core of several of the questions I've posted. When I realized that VHIDs must be unique on a per-network-segment basis, several of my issues resolved themselves all at once.
So I apologize for my question flooding, but my attitude on it was to make you guys aware that the issues were there rather than to silently toil, that way when a solution presented itself, the next time someone came around with the same problem a search would fix them up.
Unfortunately, many of my probs are imaginary due to my misunderstanding of the nature of CARP. The interface upon which the CARP IP resides must have a VHID that is unique not just on its own CARP cluster, but on ANY CARP cluster on that same network segment.
I get it now. Sorry about that. I suppose documenting this in the wiki would be helpful to others. :\
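The rule above (a VHID must be unique across every CARP cluster sharing a network segment, not just within one cluster) is easy to audit before it bites. The script below is an added example, not code from the thread or from pfSense: it parses FreeBSD-style `ifconfig` output (the `inet ... vhid N` and `carp: STATE vhid N` lines) from several boxes, derives each VIP's segment from its address and netmask, and reports any (segment, VHID) pair claimed by more than one cluster. The cluster names, hostnames and addresses are constructed for the example. Note that the "incorrect hash" symptom from the first post (password mismatch) is not visible in `ifconfig` output, so this check only covers VHID collisions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ifconfig(8) excerpts from three pfSense boxes: cluster A (two
# nodes) and cluster B (one node) both sit on the 192.0.2.0/24 segment and
# both use VHID 1 there, which is exactly the collision the thread describes.
# Cluster names, hostnames and addresses are assumptions for this example.
SAMPLES = {
    ("A", "fw-a1"): """
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.11 netmask 0xffffff00 broadcast 198.51.100.255
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0
""",
    ("A", "fw-a2"): """
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.12 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
""",
    ("B", "fw-b1"): """
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.21 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.5 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
""",
}

# A VIP line carries the address, a hex netmask and the vhid it belongs to.
VIP_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+) .*\bvhid (\d+)\s*$")


def parse_vips(ifconfig_text):
    """Return [(segment, vhid, vip)] for every CARP VIP in one box's output.

    The segment is the network the VIP lives on (address + netmask), which is
    what matters for uniqueness: CARP advertisements are multicast on the
    segment, so every cluster attached to it sees every other cluster's VHIDs.
    """
    vips = []
    for line in ifconfig_text.splitlines():
        m = VIP_RE.match(line)
        if not m:
            continue
        addr, mask_hex, vhid = m.group(1), m.group(2), int(m.group(3))
        mask = str(ipaddress.IPv4Address(int(mask_hex, 16)))
        segment = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        vips.append((str(segment), vhid, addr))
    return vips


def find_vhid_conflicts(samples):
    """Return [(segment, vhid, (cluster, ...))] for VHIDs shared across clusters.

    Master and backup nodes of the same cluster legitimately share a VHID, so
    the grouping key is the cluster name, not the host.
    """
    owners = defaultdict(set)
    for (cluster, _host), text in samples.items():
        for segment, vhid, _vip in parse_vips(text):
            owners[(segment, vhid)].add(cluster)
    return sorted(
        (segment, vhid, tuple(sorted(clusters)))
        for (segment, vhid), clusters in owners.items()
        if len(clusters) > 1
    )


if __name__ == "__main__":
    for segment, vhid, clusters in find_vhid_conflicts(SAMPLES):
        print(f"VHID {vhid} on {segment} is used by clusters {', '.join(clusters)}")
```

Run against real boxes by replacing the constructed strings with the output of `ifconfig` collected from each node; any line printed is a pair of clusters whose advertisements will collide on that segment.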
-
I get it now. Sorry about that. I suppose documenting this in the wiki would be helpful to others. :\
Yes, please do.