Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks

    HA/CARP/VIPs
    2
    6
    51
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      defunct78 last edited by

      Had a completely functioning HA pair installed, went to upgrade from 2.4.5p1 to 2.5.0 and now seeing blocked packets in the logs.

      First off, CARP failover seems to be behaving correctly. Though this problem may be related to another problem I posted.
      https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade

      What I am seeing in the logs

      filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.x.1,224.0.0.18,advertise,255,4,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.y.1,224.0.0.18,advertise,255,5,2,0,1
filterlog[]: 52,,,1000000201,interfacename,match,block,in,4,0xe0,,255,0,0,DF,112,carp,56,x.x.z.1,224.0.0.18,advertise,255,1,2,0,1

      For each interface a CARP is applied too, I get one of these errors. The source IP's are the self IP of the firewall itself. And I only see these blocks on the who ever is currently active.

      I did check the /tmp/rules.debug and found this, which looks to have been in previous versions for a while.

      # CARP rules
block in log quick proto carp from (self) to any tracker 1000000201
pass  quick proto carp tracker 1000000202 no state

      Any thoughts, or things I can look at? I did try adding and accept rule early but due to the id of this block I can't get one early enough to accept these packets. Makes me thing something didn't go right during the upgrade.

      1 Reply Last reply Reply Quote 0
      • D
        defunct78 last edited by

        To add to this, deleting a CARP and recreating under a new VHID, had no impact to the problem. Problem is still happening.

        Derelict 1 Reply Last reply Reply Quote 0
        • Derelict
          Derelict LAYER 8 Netgate @defunct78 last edited by

          @defunct78 VMware?

          D 1 Reply Last reply Reply Quote 0
          • D
            defunct78 @Derelict last edited by

            @derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

            @defunct78 VMware?

            Matter a fact, yes. Though I didn't think that was going to be a problem as 2.4.5p1 didn't have this issue. Though I am open to any suggestions.

            Derelict 1 Reply Last reply Reply Quote 0
            • Derelict
              Derelict LAYER 8 Netgate @defunct78 last edited by Derelict

              @defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

              https://kb.vmware.com/s/article/59235

              https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

              D 1 Reply Last reply Reply Quote 0
              • D
                defunct78 @Derelict last edited by

                @derelict said in Upgrade to 2.5.0, now seeing 224.0.0.18 CARP blocks:

                @defunct78 It is your virtual environment improperly echoing back the CARP advertisements. They are being properly blocked by that rule.

                https://kb.vmware.com/s/article/59235

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability-virtual.html#changing-net-reversepathfwdcheckpromisc

                That was it. Fixed the problem perfectly. Thanks.

                1 Reply Last reply Reply Quote 1
                • First post
                  Last post

                Products

                • Platform Overview
                • TNSR
                • pfSense
                • Appliances

                Services

                • Training
                • Professional Services

                Support

                • Subscription Plans
                • Contact Support
                • Product Lifecycle
                • Documentation

                News

                • Media Coverage
                • Press
                • Events

                Resources

                • Blog
                • FAQ
                • Find a Partner
                • Resource Library
                • Security Information

                Company

                • About Us
                • Careers
                • Partners
                • Contact Us
                • Legal
                Our Mission

                We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                Subscribe to our Newsletter

                Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                © 2021 Rubicon Communications, LLC | Privacy Policy