Two problems with carp



  • Hello,

    I have just set up again a dual pfSense setup with dual wan (for load balancing and failover).

    The master (let's call it A) syncs correctly to the slave (B); A's wan, lan and wan2 are master and B's wan, lan and wan2 are slave.

    We have Cisco routers that connect A's and B's four interfaces (lan, wan, wan2 and dedicated carp).

    I have two problems:

    1. If I detach the cable from A wan2 I expect to see A wan2 becoming slave and B wan2 becoming master. What happens is that A lan and wan become slave and A wan2 goes to "init" state. All B interfaces (lan, wan, wan2) go to master state. After this, several communication problems with clients and internet start.

    2. I have redirected port X to port 22 of a client on the lan. I ssh to it from the internet and it works. Then I shut down A and I see that the tcp session goes down, so connection state is not preserved.

    Please tell me what information you need to help me debug.

    I put rules on the firewall to pass carp and to not send carp udp packets to the load balancer.

    Thanks in advance for any help!

    Mario



  • I have also put a high vhid to be sure not to mix carp with Cisco vrrp (I have not enabled it anyway…) and I have put B's ip in the carp configuration to avoid directed multicast.

    Please help me, I do not know what I can try next.



  • From the states page it seems that all three carp multicasts are alive.



  • Can you at least reply to these questions:

    • If one cable is broken, is it ok that all master interfaces go to slave mode?
    • Is it true that carp maintains inbound tcp connection state?
    • Do Cisco switches interoperate with pfSense, or do I need to use special configurations?

    Thanks again.



  • I have done a packet capture on the WAN interface. Is it normal that I see carp multicast packets of wan AND wan2 AND lan?



  • I have also done a tcpdump on another machine using Wireshark. I notice this:

    master ip      224.0.0.18        vrrp  announcement (v2)
    ..
    ..
    ..
    ..

    If I disconnect the master cable:

    slave ip        224.0.0.18        vrrp announcement (v2)
    ..
    ..
    ..
    ..

    Is the protocol working right?



  • Ok, I have almost solved problem two: it seems that with the Cisco Catalyst 500 default option of igmp snooping enabled, when the master becomes available again the multicast packets are sent with some delay, causing a problem with state keeping.

    Problem one is not solved: if I detach the wan2 cable on the master pfSense, wan and lan go to backup state and wan2 goes to "init" state (what does it mean?). On the backup pfSense all of wan, wan2 and lan go to master state.

    The problem is that I have discovered that I "sometimes" lose a port forward on wan and I also lose the internet traffic on wan2.

    What does "init" state mean?

    Please reply to me.

    Mario

