    pfBlocker 3.0.0_16 / pfSense 2.5.1 / HA / CARP / LAN NIC loses IP and reverts to 0.0.0.1/8!

    • Luke_71

      Hi all,
      I have been trying to figure out why the above happens (I also posted a thread in the CARP section thinking it was a CARP problem with 2.5.1 but the issue is directly related to the pfBlocker CARP VIP interface only).

      To sum it up briefly, I have several HA / CARP / pfBlocker installations running fine on 2.5.0. I upgraded first my office HA setup and immediately after the upgrade to 2.5.1 I noticed DNS requests failing. After investigation and several tests I realized that unbound was no longer listening to the CARP VIP LAN address and that the second pfSense lost its main LAN IP (!) reverting to 0.0.0.1/8 as shown here:
      [image: CARP_Fail.jpg]
      For whatever unknown reason the "real" LAN IP of em0 is being assigned a VHID and its IP is being removed. This is probably a script error at this point as all the other CARP VIPs work fine when entering maintenance and exiting, even the 192.168.0.254 CARP VIP on this same interface remains.

      Is there any way to investigate possibly the scripts or actions done by pfBlocker when failing over? Apparently it does not fail immediately after failover but after 2-3 seconds indicating there could be a script or chronology issue.

      Any insight is appreciated!

      • Luke_71

        I finally found what was causing the backup interface IPs to fail: the pfBlocker XMLRPC SYNCs the SKEW value of 0 instead of ignoring it and maintaining 100 as should be set on the SECOND node. Even if you set the SKEW to 100 on the second node, once a RELOAD and SYNC update completes this is overwritten to 0. Hence the CARP VIP craps out as soon as it becomes 0 (during the update) creating all kinds of havoc.

        I know this value was specifically NOT synched as stated by the same BBcan in the Changelog to 3.0.0.x (-> * XMLRPC Sync Tab - Remove the CARP HA Skew from being sync'd) but somehow it is in this version.

        I hope this will be fixed to avoid unwanted CARP VIPs crashing (and main associated IPs!).

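One way to catch the overwritten skew described above before it takes an interface down is to compare the CARP VIP skews stored in the backup node's config.xml against what that node's role requires. This is an added example, not pfSense or pfBlockerNG code; it assumes the usual `<virtualip><vip>` layout of config.xml, the node's role (master or backup) is supplied by the operator since the config does not record it, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <virtualip> section of a pfSense config.xml as it
# would look on the backup node after a sync has overwritten one skew with 0.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <virtualip>
    <vip>
      <mode>carp</mode><interface>lan</interface><vhid>1</vhid>
      <advskew>0</advskew><advbase>1</advbase>
      <subnet>192.168.0.254</subnet><subnet_bits>24</subnet_bits>
    </vip>
    <vip>
      <mode>carp</mode><interface>wan</interface><vhid>2</vhid>
      <advskew>100</advskew><advbase>1</advbase>
      <subnet>203.0.113.10</subnet><subnet_bits>24</subnet_bits>
    </vip>
  </virtualip>
</pfsense>
"""

def carp_vips(config_xml):
    """Return one dict per CARP-mode VIP found under <virtualip>."""
    root = ET.fromstring(config_xml)
    vips = []
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("mode") != "carp":
            continue
        vips.append({
            "interface": vip.findtext("interface"),
            "vhid": int(vip.findtext("vhid")),
            "advskew": int(vip.findtext("advskew") or 0),
            "subnet": vip.findtext("subnet"),
        })
    return vips

def skew_violations(config_xml, role, backup_min_skew=100):
    """Return CARP VIPs whose advskew contradicts the node's role.
    A backup node must keep every skew >= backup_min_skew: a 0 there makes
    it compete with the master, which is what the thread describes. A master
    with a skew >= backup_min_skew would instead lose the election."""
    bad = []
    for vip in carp_vips(config_xml):
        if role == "backup" and vip["advskew"] < backup_min_skew:
            bad.append(vip)
        elif role == "master" and vip["advskew"] >= backup_min_skew:
            bad.append(vip)
    return bad

if __name__ == "__main__":
    print(skew_violations(SAMPLE_CONFIG, "backup"))
```

Running it against the real file (`/cf/conf/config.xml` on the backup node) after each pfBlockerNG update or sync turns the silent skew overwrite into a visible alert.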
        • SteveITS (Rebel Alliance) @Luke_71

          Our data center is still on 2.4.5 so thanks for the heads up on this issue.

          I changed the update frequency on one of the feeds (2 hours to 4 hours), ran an Update, and that one change didn't get synced to the backup node.

          For posterity, here is Viktor's redmine entry for your bug from the HA forum.

