Issue with CARP in DNSBL
I am using two pfSense XG-7100 Firewalls in a cluster configuration and wanted to enable CARP functionality in the DNSBL settings of pfBlockerNG.
I have tried to move the WebGUI to a different port (HTTPS), but that didn't help, and unfortunately the logs don't show anything.
Is there a manual I can follow? I am unsure whether or not I need to set up a new interface for the DNSBL CARP functionality.
Thanks much. I've attached a few images; let me know if you need more information.
@kkit said in Issue with CARP in DNSBL:
wanted to enable CARP functionality in the DNSBL settings of pfBlockerNG.
What do you mean?
You have a CARP setup already, I assume. DNSBL has nothing to do with CARP. So what do you intend to do now?
So what is your issue?
In the DNSBL settings you can state a VIP type for its IP. But both should work, even on a CARP setup.
Thanks for your reply,
I have seen this feature (see attached image) that implies that setting it to "CARP" is for clustered routers, which is the case with my setup.
I basically just wanted to ask for documentation. Do you suggest it should be left on IP Alias?
This IP is used to direct unwanted destination traffic to it. So it's not indispensable at all.
If you take an IP alias, it is assigned to an interface. When client traffic is directed to it in case of a failover, clients which already have an ARP entry for it will fail to access the IP until the ARP entry is renewed.
When using a CARP VIP, the MAC stays the same after a failover and clients can access it without interruption.
So yes, you can select CARP VIP here.
I understand the basic functionality and that's what I tried to do.
But as mentioned in my main post, after switching to CARP, the DNSBL service goes down and I can't get it to work. I already followed other posts which suggested a collision with the pfSense GUI port, since the DNSBL web service is listening on HTTP and HTTPS.
I don't know what else I can do.
Did you state a unique VHID and a password?
Something in the system log?
Will check in the evening when I'm back and let you know. Thanks much
I made sure the pfSense GUI's port is different from the one the DNSBL web server listens on.
I gave the CARP VIP a unique VHID.
I checked the system log but nothing major; the last entry was "pfblockerng: saving dnsbl changes". No errors, and XMLRPC successfully synchronizes everything.
Can anyone help?
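The two things the thread keeps circling back to are checkable from the console of the node: whether another daemon is already bound to the ports the DNSBL web server wants on the VIP (a wildcard bind by the webConfigurator covers the VIP too), and whether the CARP VIP is actually MASTER on this node. The script below is an added example written for this page, not code from pfBlockerNG or pfSense. It parses constructed sample output in the format of `sockstat -4 -l` and `ifconfig`; the process names (nginx for the webConfigurator, lighttpd for the DNSBL web server), the VIP 10.10.10.1, the VHID and the port numbers are assumptions for the illustration.

```python
"""Offline check for a DNSBL web server bound to a CARP VIP.

Added example for this thread, not part of pfBlockerNG or pfSense.
All command output below is constructed sample data; the daemon names,
addresses, VHID and ports are assumptions for the illustration.
"""
import re

# Constructed `sockstat -4 -l` output with the webConfigurator (nginx)
# still on its default ports: it collides with the DNSBL listener (lighttpd)
# because a wildcard (*) bind covers every local address, the VIP included.
SOCKSTAT_DEFAULT_GUI = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      12345 5  tcp4   *:443                 *:*
root     nginx      12345 6  tcp4   *:80                  *:*
root     lighttpd   23456 4  tcp4   10.10.10.1:80         *:*
root     lighttpd   23456 5  tcp4   10.10.10.1:443        *:*
unbound  unbound    34567 7  udp4   *:53                  *:*
"""

# Constructed output after moving the GUI to port 500 (assumed value from
# the thread) with the HTTP redirect disabled, so nothing else owns 80/443.
SOCKSTAT_GUI_MOVED = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      12345 5  tcp4   *:500                 *:*
root     lighttpd   23456 4  tcp4   10.10.10.1:80         *:*
root     lighttpd   23456 5  tcp4   10.10.10.1:443        *:*
unbound  unbound    34567 7  udp4   *:53                  *:*
"""

# Constructed `ifconfig` output (assumed FreeBSD layout) for the interface
# carrying the VIP: the VIP line carries its vhid, and a `carp:` line per
# vhid reports MASTER or BACKUP.
IFCONFIG_SAMPLE = """\
lagg0.4090: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255 vhid 10
\tcarp: MASTER vhid 10 advbase 1 advskew 0
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
"""


def parse_listeners(sockstat_output):
    """Return (command, proto, ip, port) for every listening TCP socket."""
    listeners = []
    for line in sockstat_output.splitlines()[1:]:  # skip header row
        parts = line.split()
        if len(parts) < 6 or not parts[4].startswith("tcp"):
            continue
        ip, port = parts[5].rsplit(":", 1)
        listeners.append((parts[1], parts[4], ip, int(port)))
    return listeners


def port_conflicts(listeners, vip, ports=(80, 443)):
    """Map port -> sorted list of commands that all claim vip:port.

    A '*' bind is counted as an owner of the VIP because it covers all
    local addresses. More than one owner on a port means a collision.
    """
    conflicts = {}
    for port in ports:
        owners = {cmd for cmd, _, ip, p in listeners
                  if p == port and ip in ("*", vip)}
        if len(owners) > 1:
            conflicts[port] = sorted(owners)
    return conflicts


def carp_state(ifconfig_output, vip):
    """Return (vhid, state) for a CARP VIP, or None if vip has no vhid."""
    vhid = None
    for line in ifconfig_output.splitlines():
        m = re.match(r"\s*inet (\S+) .*\bvhid (\d+)", line)
        if m and m.group(1) == vip:
            vhid = int(m.group(2))
    if vhid is None:
        return None
    for line in ifconfig_output.splitlines():
        m = re.match(r"\s*carp: (\w+) vhid (\d+)", line)
        if m and int(m.group(2)) == vhid:
            return (vhid, m.group(1))
    return (vhid, "UNKNOWN")


def check_dnsbl_vip(sockstat_output, ifconfig_output, vip):
    """Combine both checks into one findings dict for the given VIP."""
    return {
        "port_conflicts": port_conflicts(parse_listeners(sockstat_output), vip),
        "carp": carp_state(ifconfig_output, vip),
    }


if __name__ == "__main__":
    for label, sample in (("default GUI ports", SOCKSTAT_DEFAULT_GUI),
                          ("GUI moved to 500", SOCKSTAT_GUI_MOVED)):
        print(label, check_dnsbl_vip(sample, IFCONFIG_SAMPLE, "10.10.10.1"))
```

On a live node the same functions can be fed the real output of `sockstat -4 -l` and `ifconfig` (for example via `subprocess.run`); an empty `port_conflicts` together with a `MASTER` CARP state is what you want to see on the node that should be serving the DNSBL pages, and `BACKUP` on the peer.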
Set the DNSBL Web Server Interface to LAN.
@juliokele Thanks for the suggestion. I have several VLANs, will DNSBL still function for all of them?
Yes, it should work.
It would work with the above described gap in case of a failover.
Changing it to LAN did not help either :(
I've attached a few images. I just cannot seem to find the log files; please see the attached images.
Changed the WebGUI HTTPS port of pfSense to 500
Set pfBlockerNG DNSBL to CARP with unique settings
Made sure subnet is not in use
Still no success...