Netgate Discussion Forum

    Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks

    HA/CARP/VIPs
    6 Posts 2 Posters 2.0k Views
    • defunct78

      Had a completely functioning HA pair installed, went to upgrade from 2.4.5p1 to 2.5.0, and am now seeing blocked packets in the logs.

      First off, CARP failover seems to be behaving correctly, though this problem may be related to another problem I posted about:
      https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade

      What I am seeing in the logs

      filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.x.1,224.0.0.18,advertise,255,4,2,0,1
      filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.y.1,224.0.0.18,advertise,255,5,2,0,1
      filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.z.1,224.0.0.18,advertise,255,1,2,0,1
      

      For each interface a CARP is applied to, I get one of these errors. The source IPs are the self IP of the firewall itself, and I only see these blocks on whichever node is currently active.

      I did check the /tmp/rules.debug and found this, which looks to have been in previous versions for a while.

      # CARP rules
      block in log quick proto carp from (self) to any tracker 1000000201
      pass  quick proto carp tracker 1000000202 no state
      

      Any thoughts, or things I can look at? I did try adding an accept rule early, but due to the ID of this block I can't get one early enough to accept these packets. Makes me think something didn't go right during the upgrade.

      SG-1100 24.03 (ZFS)

      • defunct78

        To add to this, deleting a CARP and recreating it under a new VHID had no impact on the problem. The problem is still happening.

        • Derelict (Netgate) @defunct78

          @defunct78 VMware?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • defunct78 @Derelict

            @derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

            @defunct78 VMware?

            Matter of fact, yes. Though I didn't think that was going to be a problem, as 2.4.5p1 didn't have this issue. I am open to any suggestions, though.

            • Derelict (Netgate) @defunct78

              @defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

              https://kb.vmware.com/s/article/59235

              https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

              • defunct78 @Derelict
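The rule that fires here, `block in log quick proto carp from (self) to any`, exists so a node never accepts a CARP advertisement it sent itself; a hit on it on the active node therefore means something on the path (here the virtual switch, per the links above) handed the frame back. The following parser is an added example written for this thread, not code from pfSense or from either poster. It splits the filterlog CSV lines quoted in the first post, keeps only IPv4 CARP entries, and separates "my own advertisement came back" from "an advertisement from some other address was blocked", which is the case that would actually point at a peer or rogue CARP speaker. The log lines, interface names and self addresses (RFC 5737 space) are constructed for the sample; the tracker id is the one in the quoted rules.debug; and reading the last two CARP fields as advskew then advbase is an assumption noted in the code.

```python
"""Classify pfSense filterlog CARP lines to spot advertisements echoed back to the sender.

Added example for this thread; not code from pfSense or from the posters.
"""
from collections import Counter
import re

# Tracker id of "block in log quick proto carp from (self) to any" as shown in
# the /tmp/rules.debug excerpt quoted in the thread.
SELF_CARP_BLOCK_TRACKER = "1000000201"

# Hypothetical addresses for the constructed sample (RFC 5737 space). On a real
# node take the interface addresses from the system, not from the log itself.
SELF_IPS = {"192.0.2.1", "198.51.100.1", "203.0.113.1"}

# Constructed sample in the shape of the lines quoted in the post (not a real capture):
# three self-sourced blocks on two interfaces, one block of a foreign sender,
# and one unrelated TCP line that the parser must ignore.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw1 filterlog[1234]: 52,,,1000000201,vmx0,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,192.0.2.1,224.0.0.18,advertise,255,4,2,0,1
Mar  1 10:00:01 fw1 filterlog[1234]: 52,,,1000000201,vmx1,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,198.51.100.1,224.0.0.18,advertise,255,5,2,0,1
Mar  1 10:00:02 fw1 filterlog[1234]: 52,,,1000000201,vmx0,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,192.0.2.1,224.0.0.18,advertise,255,4,2,0,1
Mar  1 10:00:03 fw1 filterlog[1234]: 12,,,1000000103,vmx2,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,203.0.113.9,224.0.0.18,advertise,255,1,2,0,1
Mar  1 10:00:03 fw1 filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.50,192.0.2.1,51000,22,0,S,1,,65535,,mss
"""

# Syslog prefix up to and including "filterlog[<pid>]: "; the post's lines have
# empty brackets, so the pid is optional.
FILTERLOG_RE = re.compile(r"filterlog\[\d*\]:\s*")


def parse_carp_entry(line):
    """Parse one IPv4 CARP filterlog line into a dict; return None for anything else.

    After the common prefix (rule, subrule, anchor, tracker, interface, reason,
    action, direction, ipversion) comes the IPv4 block (tos, ecn, ttl, id, offset,
    flags, protoid, proto, length, src, dst) and then the CARP block (type, ttl,
    vhid, version, two timer fields). IPv6 CARP has a different prefix layout and
    is deliberately skipped here.
    """
    csv = FILTERLOG_RE.split(line, maxsplit=1)[-1].strip()
    f = csv.split(",")
    if len(f) < 26 or f[8] != "4" or f[16] != "carp":
        return None
    return {
        "tracker": f[3], "iface": f[4], "action": f[6], "direction": f[7],
        "src": f[18], "dst": f[19], "type": f[20], "carp_ttl": int(f[21]),
        "vhid": int(f[22]), "version": int(f[23]),
        # The quoted lines end in "0,1", which matches a master with default timers
        # only if the order is advskew then advbase; that ordering is an assumption,
        # so check filterlog's CARP printer for your version before relying on it.
        "advskew": int(f[24]), "advbase": int(f[25]),
    }


def classify(entry, self_ips):
    """Label a parsed CARP entry by what the block (or pass) means for the operator."""
    if entry["type"] != "advertise" or entry["dst"] != "224.0.0.18":
        return "not-an-advertisement"
    if entry["action"] != "block":
        return "advertisement-passed"
    if entry["src"] in self_ips and entry["tracker"] == SELF_CARP_BLOCK_TRACKER:
        # The node received a copy of its own advertisement: the thread's symptom.
        return "own-advertisement-echoed"
    # Blocked advertisement from some other address, dropped by a rule other than
    # the (self) block: a peer or rogue CARP speaker, so investigate the sender.
    return "foreign-advertisement-blocked"


def summarize(log_text, self_ips=SELF_IPS):
    """Count verdicts per (interface, vhid). Returns (Counter, number of skipped lines)."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        entry = parse_carp_entry(line)
        if entry is None:
            skipped += 1
            continue
        counts[(entry["iface"], entry["vhid"], classify(entry, self_ips))] += 1
    return counts, skipped


def echo_interfaces(counts):
    """Interfaces on which the node sees its own advertisements coming back in."""
    return sorted({iface for (iface, _vhid, verdict) in counts
                   if verdict == "own-advertisement-echoed"})


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG)
    for (iface, vhid, verdict), n in sorted(counts.items()):
        print(f"{iface:6} vhid {vhid:3} {verdict:30} {n}")
    print(f"skipped non-CARP lines: {skipped}")
    print("echo seen on:", ", ".join(echo_interfaces(counts)) or "none")
```

On a real node, feed it `clog /var/log/filter.log` output (or the raw syslog export) and populate `SELF_IPS` from the interface configuration; interfaces reported by `echo_interfaces()` on the master are the ones whose port group needs the promiscuous-mode fix from the linked KB, while any `foreign-advertisement-blocked` count deserves a look at who else is speaking CARP on that segment.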

                @derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

                @defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

                https://kb.vmware.com/s/article/59235

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

                That was it. Fixed the problem perfectly. Thanks.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.