Two NICs with CARP on the same switch/VLAN



  • Hi,
      as from subject, I have two external NICs using CARP on the same VLAN of the same switch. I see tons of events in the firewall log like:
    pf: <interface 1="" ip="" address="">> 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 0, authtype none, intvl 1s, length 36, addrs(7): 218.27.165.112,242.227.32.52,47.6.174.168,182.46.192.221,15.164.81.199,168.233.200.56,181.34.91.218

    and

    pf: <interface 2="" ip="" address="">> 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 0, authtype none, intvl 1s, length 36, addrs(7): 168.170.130.165,80.87.205.164,18.152.165.120,88.117.127.21,55.224.209.71,178.176.199.168,142.231.136.115

    in other posts I have read that this events are generated in case of a layer 2 loop, but I am sure I don't have a layer2 loop, so I think that this tons of events are generated because the two interfaces are on the same VLAN/switch.

    Do you agree? The only way to solve this problem is to use two different VLAN or switches for the two interfaces using CARP?

    Thanks a lot,
    Michele</interface></interface>



  • Maybe I found what is the cause of this problem…
    If I see the "dynamic view" of the firewall log, I see that the logs are generated by the rule:

    
    block in log quick proto carp from (self) to any 
    
    

    Here is when this change has been done: http://redmine.pfsense.org/issues/598

    What I don't understand is:

    1. Is it strictly necessary to log this events?
    2. Is there something wrong in keeping two NICs with CARP running in the same network segment?
    3. Will I resolve this issue if I create a separate VLAN for the two interfaces running CARP on the same segment?

    Thanks,
    Michele



  • CARP works on broadcasts, so if both interfaces are in the same broadcast domain then CARP would probably not work right (or at least not as you expected). If not for the rule you're referencing, you might be seeing the backup and master constantly fighting about who is the master. The rule was added originally because of a VMware bug that often caused such loops.

    Why are you using two NICs as two different interfaces in pfSense that are both in the same VLAN?



  • Hi,
        thank you for your answer.

    Yes, I understand… but in this case both NICs adverstise different vrids, so there should not be any overlap of CARP status or messages...

    @Briantist:

    Why are you using two NICs as two different interfaces in pfSense that are both in the same VLAN?

    This is a "present" from a very old network situation, something that is there since years… if there is no other way I will separate the network segment in two segment (a second switch or a separate VLAN). What I wonder about is that until now there is no documentation about this issue (I was searching a lot before posting). Maybe it should be written somewhere to NOT to put two NICs using CARP in the same switch (or VLAN)...

    Thanks,
    Michele



  • I see; your situation is very unusual, so it's somewhat expected that nothing would have written about it. Most people who have different subnets would put them on separate VLANs or physical networks as a matter of course. You should probably separate them just because it's a better situation to be in anyway, but I'm a little unclear as to whether CARP is not working correctly for you or if you want to just get rid of the messages in the logs.

    If it's working correctly, you don't have to change anything I guess. It might be possible to add a firewall rule that allows the VRRP traffic and then doesn't log, but when I tried that myself it didn't work, so I guess that auto-created rule is put above the others?



  • @Briantist:

    I see; your situation is very unusual, so it's somewhat expected that nothing would have written about it. …

    I understand… I will separate the two networks. Just it's good to know about that...

    @Briantist:

    If it's working correctly, you don't have to change anything I guess. It might be possible to add a firewall rule that allows the VRRP traffic and then doesn't log, but when I tried that myself it didn't work, so I guess that auto-created rule is put above the others?

    this rule in rules.debug is written above the "user rules", so no one of the rules we can write can do anything. Thanks for trying!

    So, I got the solution, this w-e when all is calm I will separate the two VLANs!

    Thanks a lot!!
    Michele



  • After having separated the two network segments, I have no more VRRPv2 logs in my firewall.

    All is solved.

    Thanks to Briantist for clarifying me!

    Michele



  • Hello,
        maybe I found the problem. There was a misconfiguration between the VIP netmask and the "parent interface" netmask?

    On my WAN interface I have /25 as netmask, while two VIPs netmask were /32 (consider I have about 80 CARP VIPs).

    Is it possible that this misconfiguration brings to an unconsinstent state of the CARP? (half ip master on a box, the other half master on the backup box).

    Thanks,
    Michele



  • Hello,
    anyone that can pls confirm this? Now it's 3 days, 6h that the two firewalls are working and everything is going great!

    The problem was:
    WAN Interface: x.x.x.x/24
    2 CARP VIPs (on 83) were: x.x.x.x/32

    The question is: Can this misconfiguration bring to an inconsistent CARP status (half of VIPs Master on one firewall, the other half Master on the other firewall)?

    Thanks a lot,
    Michele


Locked