Resolving DNS names on CARP Backup

jimp

Sounds like maybe the routing isn't quite right or your IP settings for the slave aren't quite right.

Are you actually using three separate fully routable IPs on the WAN for those systems? One IP for master, one IP for slave, and another IP for CARP?

terranean

Hi Jim,

thanks forn your answer. As far as I can see, the WAN adressing is correct. All three adresses are in the /28 our provider has assigned to us. I have also checked the settings of the gateway again, they're identical on master and slave. Like I wrote, I can even ping the DNS servers from the backup.

jimp

Next step would be to do a packet capture of the DNS request as it leaves WAN on the backup, see what is really leaving.

terranean

Using tcpdump -i vr1 host 195.186.1.162 (WAN interface and my provider's NS) and doing a nslookup www.pfsense.org (109.164.244.X being the WAN interface IP):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
10:06:19.324135 IP 109.164.244.X.53386 > 195.186.1.162.domain: 61531+ A? www.pfsense.org. (33)
10:06:19.832359 IP 109.164.244.X.45296 > 195.186.1.162.domain: 13967+ PTR? 162.1.186.195.in-addr.arpa. (44)
10:06:25.320350 IP 109.164.244.X.53386 > 195.186.1.162.domain: 61531+ A? www.pfsense.org. (33)
10:06:26.850236 IP 109.164.244.X.45296 > 195.186.1.162.domain: 13967+ PTR? 162.1.186.195.in-addr.arpa. (44)
10:06:31.340410 IP 109.164.244.X.53386 > 195.186.1.162.domain: 61531+ A? www.pfsense.org. (33)
10:06:41.871859 IP 109.164.244.X.36855 > 195.186.1.162.domain: 13968+ PTR? X.244.164.109.in-addr.arpa. (46)
10:06:48.890407 IP 109.164.244.X.36855 > 195.186.1.162.domain: 13968+ PTR? X.244.164.109.in-addr.arpa. (46)

This looks ok to be, except I don't get a reply from the NS.

jimp

So it's leaving but never coming back - that suggests that nothing is wrong with the box itself, but rather the router ahead of it or the switch (or something else on layer 2) holding it back.

You might repeat that same test but pass -e to tcpdump as well to check the MAC addresses, and compare it to the same test on the master.

Are you spoofing a MAC there? Perhaps the same mac on both master and slave? (that wouldn't work)

terranean

That's what I suspected as well, especially since I've had "interesting" effects with the VDSL modem before (no Switch in between, master and backup are directly connected to the VDSL modem). However I haven't seen any option in the modem that could be involved here.

I repeated the test with the -e switch, WAN on master and backup have different MAC addresses.

Also, no ARP spoofing involved. I'll try playing with the VDSL modem some more.

jimp

Try putting a small switch between the firewalls and the modem. I have seen others encounter problems with CARP on the switches built-into CPE/modems of various kinds.

terranean

Jim, first class support! After putting a switch in between and rebooting the modem, everything works.

Thank you very much!

jimp

Good to hear that worked. I suppose I should add that to the CARP troubleshooting doc on the wiki.

terranean

Guess I celebrated too fast. It worked yesterday, but after coming back to work today it doesn't work anymore. Will do some more testing later on.

EDIT: I updated both machines to 2.0RC3. After the subsequent reboot it's working again, even after coming back to work the next morning. Let's see how it goes.