Slave doesn't want to be slave



  • Hello,

I'm trying to set up CARP by following the book "the definitive guide". Below is our situation (the WAN side uses an address in the 192.168 range because that's what our ISP gives us on the LAN side of their router). After following it (and trying all over again 2 or 3 times) we see the following in the CARP status on box 1:

    
    Carp Interface    Virtual IP       Status
    carp0             192.168.100.3    MASTER 
    carp1             10.1.5.39        MASTER 
    
    

    And the following on box 2:

    
    Carp Interface    Virtual IP       Status
    carp0             192.168.100.3    MASTER 
    carp1             10.1.5.39        BACKUP
    
    

    In the system log on box 1 there's a line "kernel: carp1: incorrect hash". System times are correct and I've tried different VHID groups. I also read that the Virtual IP Password should be checked, but since that is only entered on box 1 and gets synchronized to the slave box, I don't see how that could be wrong… What am I doing wrong here?

    
                                   |WAN
                                   |192.168.100.3
                                   |
           --------------------------------------------------
           |                                                |
           |192.168.100.5                                   |192.168.100.6
           |                                                |
      =============                   172.25.154.2/29 =============
      | PFSENSE 1 |-----------------------------------| PFSENSE 2 |
      ============= 172.25.154.1/29                   =============
           |                                                |
           |10.1.5.37                                       |10.1.5.38
           |                                                |
           --------------------------------------------------
                                   |LAN
                                   |10.1.5.39
                                   |
    
    

  • Rebel Alliance Developer Netgate

    A couple things to try:

    • Make sure they can see each other properly on the WAN side switch
    • Make sure the clocks are in sync
    • Double check the password anyhow just to be sure
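The "incorrect hash" log line mentioned above comes from CARP's advertisement check: the master multicasts an HMAC-SHA1 computed with the shared password, and the backup recomputes it from its own configuration, so any mismatch in password or virtual IP fails verification. The following simplified model is an added example, not pfSense or FreeBSD carp(4) code; the real wire layout and hash context differ in byte-level detail, and the password, VHID, VIP list and counter values are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY_LEN = 20  # carp(4) uses a fixed 20-byte key; this padding rule is the model's assumption


def carp_key(password: str) -> bytes:
    """Pad or truncate the shared password to the fixed key length."""
    return password.encode()[:KEY_LEN].ljust(KEY_LEN, b"\0")


def advertisement_hash(password: str, vhid: int, vips: list, counter: int) -> bytes:
    """HMAC-SHA1 over the VHID, the counter and the sorted virtual-IP list.

    Simplified model (assumption): the kernel's exact byte layout differs, but the
    inputs are the same, so a mismatch in any of them fails to verify.
    """
    ctx = struct.pack("!BQ", vhid, counter)
    addrs = [ipaddress.ip_address(v) for v in vips]
    for ip in sorted(addrs, key=lambda a: (a.version, a.packed)):
        ctx += ip.packed
    return hmac.new(carp_key(password), ctx, hashlib.sha1).digest()


def build_advertisement(password: str, vhid: int, vips: list, counter: int) -> dict:
    """What the MASTER multicasts: VHID, counter and keyed hash (the password never goes on the wire)."""
    return {"vhid": vhid, "counter": counter,
            "hash": advertisement_hash(password, vhid, vips, counter)}


def verify_advertisement(adv: dict, password: str, vhid: int, vips: list) -> str:
    """The receiving box's check, returning the outcome its syslog line would reflect."""
    if adv["vhid"] != vhid:
        return "ignored (other VHID)"   # not our group: no hash comparison happens at all
    expected = advertisement_hash(password, vhid, vips, adv["counter"])
    if hmac.compare_digest(expected, adv["hash"]):
        return "ok"
    return "incorrect hash"


def demo() -> dict:
    """Box 1 advertises for carp0; box 2 verifies under several (constructed) misconfigurations."""
    adv = build_advertisement("carp-secret", 1, ["192.168.100.3"], counter=7)
    return {
        "matching":       verify_advertisement(adv, "carp-secret", 1, ["192.168.100.3"]),
        "wrong password": verify_advertisement(adv, "carp-secert", 1, ["192.168.100.3"]),
        "wrong vip":      verify_advertisement(adv, "carp-secret", 1, ["192.168.100.4"]),
        "other vhid":     verify_advertisement(adv, "carp-secret", 2, ["192.168.100.3"]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

Note what the model does not log: an advertisement that never reaches the peer (dropped by a filter rule, or lost on the switch) produces no "incorrect hash" line at all, which is why jimp's first two checklist items are about reachability and the third about the password.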


  • @jimp:

    A couple things to try:

    • Make sure they can see each other properly on the WAN side switch
    • Make sure the clocks are in sync
    • Double check the password anyhow just to be sure

    I think the first thing is the problem. When I try to ping 192.168.100.6 from box 1 (using the ping tool under Diagnostics), it gives me no replies. I can ping other hosts on that switch (like the router from our ISP for example). Do I have to enter a firewall rule on the wan interface to allow pings or something?



  • I think I found the solution… Since we're not using real public IP addresses on the WAN side, I had to uncheck "Block private networks" on the wan interface.

    However, now I noticed some other strange thing. Since we don't want to allow all clients to use the internet, I disabled the LAN rule "Default LAN -> any". Now the clients cannot ping our virtual LAN IP address. No problem there. When I enable the rule again, the ping starts showing replies. When I disable the rule again, the ping keeps running without timeouts. When I then clear the ARP table on the client, the ping stops.... I'm sure there must be a good reason for this, but I don't get it... Can someone explain it to me?


  • Rebel Alliance Developer Netgate

    pfSense, like many other firewalls, is a stateful firewall. Once a connection matches a rule and gets passed, a "state" is created which allows the traffic through the firewall. When you delete a rule, if a connection is active, the state is not forcibly removed. It will time out when the existing connection stops, and no new connections can be made unless they match other rules.

    If you want to cut people off after changing the rules, you'll have to reset the state table under Diagnostics > States.
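The behaviour jimp describes, as an added example that is not part of the original thread and not pf or pfSense code: a toy stateful filter that consults its state table before the ruleset, creates state on a pass, leaves that state alone when the rule is deleted, and only cuts the flow when the state table is reset. The rule name, client addresses and the 3-tuple state key are constructed for illustration (pf keys ICMP state on the echo ID and TCP/UDP state on ports as well).

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class Flow:
    """The tuple the state table is keyed on (simplified: no ports or ICMP id)."""
    src: str
    dst: str
    proto: str


@dataclass
class Rule:
    name: str
    action: str   # "pass" or "block"
    src: str      # IP address or "any"
    dst: str
    proto: str

    def matches(self, f: Flow) -> bool:
        return all(want in ("any", have) for want, have in
                   ((self.src, f.src), (self.dst, f.dst), (self.proto, f.proto)))


@dataclass
class StatefulFirewall:
    rules: List[Rule] = field(default_factory=list)
    states: Set[Flow] = field(default_factory=set)

    def filter(self, f: Flow) -> str:
        # 1. State lookup comes first: an established flow never touches the ruleset.
        if f in self.states:
            return "pass (state)"
        # 2. First matching rule wins (pfSense marks its rules "quick"); default deny.
        for r in self.rules:
            if r.matches(f):
                if r.action == "pass":
                    self.states.add(f)      # a pass creates state for the flow
                return f"{r.action} (rule: {r.name})"
        return "block (default deny)"

    def remove_rule(self, name: str) -> None:
        # Deleting a rule leaves the state table untouched.
        self.rules = [r for r in self.rules if r.name != name]

    def reset_states(self) -> None:
        # The equivalent of Diagnostics > States > Reset.
        self.states.clear()


def demo() -> List[str]:
    fw = StatefulFirewall(rules=[Rule("Default LAN -> any", "pass", "any", "any", "icmp")])
    ping = Flow("10.1.5.50", "10.1.5.39", "icmp")   # constructed: a LAN client pinging the CARP VIP
    out = [fw.filter(ping)]                          # first echo: passed by the rule, state created
    fw.remove_rule("Default LAN -> any")
    out.append(fw.filter(ping))                      # rule gone, but the existing state still passes it
    out.append(fw.filter(Flow("10.1.5.51", "10.1.5.39", "icmp")))  # a new client: no rule, so blocked
    fw.reset_states()
    out.append(fw.filter(ping))                      # after the reset the original client is cut off too
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third step is the point for the thread's use case: a client that was not already talking through the firewall is blocked as soon as the rule is gone, so the lingering access is limited to flows that had state before the change.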



  • Thanks for the quick reply, it seems to work!



  • Maybe slightly off topic, but related: we want to control which clients can access the internet by listing their IP addresses in the firewall, because that way this list gets synced to the backup box. But we're also thinking of using a proxy server so that we can add antivirus functionality. Would this be possible? I have doubts, because if clients use the proxy server, then the firewall rules for the client IPs are bypassed… but maybe the experts know of a way to do this? Thanks for the great help!



  • Nobody can answer my question?


  • Rebel Alliance Developer Netgate

    I don't know offhand if the squid package is compatible with CARP, but it might work.



  • I just tested it: the slave doesn't show the changes I make to the squid setup on the master, so I guess it doesn't work.

    Was my assumption right? When the clients use the proxy server, then the firewall rules for the clients' IP addresses are ignored?


  • Rebel Alliance Developer Netgate

    Packages do not sync to slaves, so that is expected. You can just manually configure the squid options on the secondary to match.

    What I didn't know is if it worked in transparent mode when using a CARP IP as the gateway. I think it might, but haven't tested it.



  • @jimp:

    Packages do not sync to slaves, so that is expected. You can just manually configure the squid options on the secondary to match.

    But exactly that would be our problem. We want to allow access to the internet based on the client's IP address, so if we use squid, we have to put the list of allowed IPs in the squid config. Without the proxy, we would have to put that list in the firewall rules. So I guess we have to choose between using a proxy server (and duplicate configuration), or no proxy server (and auto-synchronisation of the firewall rules)…

