4. CARP secondary unable to reach gateway

CARP secondary unable to reach gateway

  • J

    Hi everyone,

    I have what appears to be an IPv6 issue.

    Background:

    Two identical pfsense boxes running in a HA pair.

    One can ping the WAN DG, the other can not.  Both can be accessed via the WAN, just that one can't access out the WAN.

    The only differences I can find between the two is the results of an ifconfig:

    Working unit:

    
em5: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:30:48:8d:d6:5f
	inet xx.yy.zz.213 netmask 0xfffffff0 broadcast xx.yy.zz.223
	inet6 fe80::230:48ff:fe8d:d65f%em5 prefixlen 64 scopeid 0x6 
	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,promisc,simplex,multicast>

    Broken unit:

    
em5: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:30:48:8d:d4:f7
	inet6 fe80::230:48ff:fe8d:d4f7%em5 prefixlen 64 scopeid 0x6 
	inet xx.yy.zz.214 netmask 0xfffffff0 broadcast xx.yy.zz.223
	nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,promisc,simplex,multicast>

    The broken one lists the ipv6 IP first and I am wondering if that is causing the issue.  Not sure how to over-ride that?  IPv6 support is disabled in the advanced options.

    Any suggestions?

    0
  • Rebel Alliance Developer Netgate

    That wouldn't have anything to do with it. Especially if you have IPv6 disabled.

    0
  • J

    @jimp:

    That wouldn't have anything to do with it. Especially if you have IPv6 disabled.

    Ok, I am running on hunches here as it's the ONLY thing different except the ip's (obviously).  The problematic unit can't access the packages repository either, it's any firewall initiated traffic to the WAN doesnt make it but from WAN->FW is fine.

    Thanks.

    0
  • Rebel Alliance Developer Netgate

    If it can't reach it's gateway then it can't get out beyond. Usual things to look for there are to make sure that there are no conflicting IPs, that the switch connecting all three devices (ISP router, carp master, carp slave) is working properly, make sure the subnet mask matches properly (is it really a /28? what's the ISP router set to?), and so on.

    Things like that usually boil down to a conflict of some kind, or a layer 1/2 issue.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy