CARP secondary unable to reach gateway



  • Hi everyone,

    I have what appears to be an IPv6 issue.

    Background:

    Two identical pfsense boxes running in a HA pair.

    One can ping the WAN DG, the other can not.  Both can be accessed via the WAN, just that one can't access out the WAN.

    The only differences I can find between the two is the results of an ifconfig:

    Working unit:

    
    em5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:30:48:8d:d6:5f
    	inet xx.yy.zz.213 netmask 0xfffffff0 broadcast xx.yy.zz.223
    	inet6 fe80::230:48ff:fe8d:d65f%em5 prefixlen 64 scopeid 0x6
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    

    Broken unit:

    
    em5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 00:30:48:8d:d4:f7
    	inet6 fe80::230:48ff:fe8d:d4f7%em5 prefixlen 64 scopeid 0x6
    	inet xx.yy.zz.214 netmask 0xfffffff0 broadcast xx.yy.zz.223
    	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    

    The broken one lists the IPv6 IP first and I am wondering if that is causing the issue.  Not sure how to override that?  IPv6 support is disabled in the advanced options.

    Any suggestions?


  • Rebel Alliance Developer Netgate

    That wouldn't have anything to do with it. Especially if you have IPv6 disabled.



  • @jimp:

    That wouldn't have anything to do with it. Especially if you have IPv6 disabled.

    Ok, I am running on hunches here as it's the ONLY thing different except the IPs (obviously).  The problematic unit can't access the packages repository either; any firewall-initiated traffic to the WAN doesn't make it, but WAN->FW is fine.

    Thanks.


  • Rebel Alliance Developer Netgate

    If it can't reach its gateway then it can't get out beyond. Usual things to look for there are to make sure that there are no conflicting IPs, that the switch connecting all three devices (ISP router, CARP master, CARP slave) is working properly, make sure the subnet mask matches properly (is it really a /28? what's the ISP router set to?), and so on.

    Things like that usually boil down to a conflict of some kind, or a layer 1/2 issue.
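A small diagnostic that walks the checklist above (mask consistent with the broadcast, gateway inside the subnet, gateway resolving in ARP, nobody else answering for the unit's own address) against a pasted ifconfig and arp -an dump. This is an added example, not code from the thread or from pfSense; the sample data is constructed, with 192.0.2.x standing in for the masked xx.yy.zz octets.

```python
import ipaddress
import re

# Constructed sample modelled on the broken unit's ifconfig in the thread;
# the masked xx.yy.zz octets are replaced with the 192.0.2.0/24 documentation range.
IFCONFIG_SAMPLE = """\
em5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:30:48:8d:d4:f7
\tinet6 fe80::230:48ff:fe8d:d4f7%em5 prefixlen 64 scopeid 0x6
\tinet 192.0.2.214 netmask 0xfffffff0 broadcast 192.0.2.223
\tstatus: active
"""

# Constructed `arp -an` output: the gateway resolves, but a foreign MAC also
# answers for this unit's own WAN address, which is what an IP conflict looks like.
ARP_SAMPLE = """\
? (192.0.2.209) at 00:11:22:33:44:55 on em5 expires in 1190 seconds [ethernet]
? (192.0.2.214) at 00:11:22:33:44:55 on em5 expires in 600 seconds [ethernet]
"""

def parse_ifconfig(text):
    """Return (mac, IPv4Interface, broadcast) from the first inet line.
    Whether inet6 is printed before inet is deliberately ignored."""
    mac = re.search(r"^\s*ether (\S+)", text, re.M).group(1)
    m = re.search(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+) broadcast (\S+)", text, re.M)
    addr, mask_hex, bcast = m.groups()
    mask = ipaddress.IPv4Address(int(mask_hex, 16))   # 0xfffffff0 -> 255.255.255.240
    return mac, ipaddress.ip_interface(f"{addr}/{mask}"), bcast

def parse_arp(text):
    """Map IP -> MAC from `arp -an` lines."""
    return dict(re.findall(r"\((\S+)\) at (\S+)", text))

def check_wan(ifconfig_text, gateway, arp_text):
    """Apply the checklist; returns a list of findings (empty means all clear)."""
    mac, iface, bcast = parse_ifconfig(ifconfig_text)
    net, gw = iface.network, ipaddress.ip_address(gateway)
    arp = parse_arp(arp_text)
    findings = []
    if str(net.broadcast_address) != bcast:
        findings.append(f"broadcast {bcast} disagrees with mask-derived {net.broadcast_address}")
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        findings.append(f"gateway {gw} is not a host address in {net}; check the mask on both units and the ISP router")
    elif str(gw) not in arp:
        findings.append(f"no ARP entry for gateway {gw}; suspect the layer 1/2 path to the ISP router")
    if arp.get(str(iface.ip), mac).lower() != mac.lower():
        findings.append(f"{arp[str(iface.ip)]} answers for our own address {iface.ip}; IP conflict")
    return findings
```

On a real unit, feed it the output of `ifconfig em5` and `arp -an` together with the configured gateway; an empty list means the checklist found nothing, which points back at the switch or the ISP side.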

