[SOLVED] 2.0-RC2 Both master on only one interface
-
Hi,
I set up 2 pfsense 2.0-RC2 (i386) with 4 interfaces :- one for LAN (with CARP)
- one for WAN (with CARP)
- one for DMZ (with CARP)
- and one for SYNC
My SYNC is done over a cross cable.
All works good but the second pfsense (backup one) become master on the WAN interface after few minutes running, so I have 2 masters on WAN interface…
Anybody has knowledge about this ? Sorry for my bad english.
Thanks.
-
show your carp configurations.
-
Thanks, here are screens of configuration on my master node :
-
CARP configuration
http://imageshack.us/photo/my-images/685/carps.png/ -
LAN VIP configuration
http://imageshack.us/photo/my-images/89/lanq.png/ -
DMZ VIP configuration
http://imageshack.us/photo/my-images/824/dmza.jpg/ -
WAN VIP configuration
http://imageshack.us/photo/my-images/714/wano.png/
-
-
That is typically a layer 2 issue (meaning your switch). If both are master, that means that they can't see each other on that interface.
-
Both can ping the other on the interface. How can I see if VRRP is running correctly ? tcpdump ? Something else ?
-
tcpdump can help there. What kind of switch is on WAN? If it's just your ISP's CPE/modem, try a real switch and see if the behavior improves.
-
Tcpdump give this :
08:51:11.085061 IP xxx.xxx.xxx.xxx > 224.0.0.18: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36
on the master node. xxx.xxx.xxx.xxx is my wan external ip address (SNAT).The VRRP advertisement seem to be done with the WAN natted address (Virtual IP) but not with the WAN interface real IP (real IP are 10.255.255.251 for FW1 and 10.255.255.252 for FW2).
My switch is a real one : HP Procurve 2626.
Many thanks for your help.
-
Tcpdump give this :
08:51:11.085061 IP xxx.xxx.xxx.xxx > 224.0.0.18: VRRPv2, Advertisement, vrid 3, prio 0, authtype none, intvl 1s, length 36
on the master node. xxx.xxx.xxx.xxx is my wan external ip address (SNAT).The VRRP advertisement seem to be done with the WAN natted address (Virtual IP) but not with the WAN interface real IP (real IP are 10.255.255.251 for FW1 and 10.255.255.252 for FW2).
That indicates you misconfigured your outbound NAT and are NATing all traffic including that initiated by the firewall, which breaks CARP. Don't use source "any" on your outbound NAT.
-
Thanks cmb, you solved the problem.
