VHID already in use



  • With regards to this post, http://forum.pfsense.org/index.php?topic=31279.0 , jimp mentions that it should be possible to use the same VHID (even if it is in use) if the broadcast domain is different.

    I tested this on a device with WAN and LAN interfaces, in entirely different subnets - but when trying to set both CARP VIPs to have a VHID of 1 - I get an error

    VHID # is already in use. Pick a unique number

    This is on a pair of 2.0.1-RELEASE firewalls.

    So it seems it's not possible to have the same VHID in use, despite the fact it is on a separate broadcast domain and interface.

    Is this just a GUI bug?



  • I'm not 100% privy to the rules in BSD, but from what I can gather, you can have the same VHID on different broadcast domains as per http://lists.freebsd.org/pipermail/freebsd-net/2011-June/029125.html

    Which would imply what I am seeing is a GUI bug.

    In which case, would this be a suitable fix:

    +144 /usr/local/www/firewall_virtual_ip_edit.php

    From

    if($vip['vhid'] == $_POST['vhid'] and $idtracker <> $id)

    To

    if($vip['vhid'] == $_POST['vhid'] and $idtracker <> $id and $vip['interface'] == $_POST['interface'])


    From what I see in ifconfig, it would also be necessary to use a different naming convention for VIPs, as at present it appears to be "vip".$_POST['vhid'], whereas it should be something like "vip".$_POST['vhid']."".$_POST['interface']



  • Okay, I just grabbed the latest copy from https://github.com/bsdperimeter/pfsense and I see that you've already made changes to this effect.

    In my release etc/inc/interfaces.inc contains

    
    $vipif = "vip{$vip['vhid']}";
    
    

    Whereas the newer release contains

    
    $vipif = "{$vip['interface']}_vip{$vip['vhid']}";
    
    

    I assume it would be possible to just adjust the code to suit these new values to permit such functionality?



  • An observation I've made is your newer code in GitHub still wouldn't support a situation whereby you have 2 different CARP IPs on 2 different subnets on a single interface.

    E.g. a private-facing network with a CARP gateway and an internal network with a CARP gateway.

    The VIP interface name should be

    vip_<interface><network address><vhid>



  • So in my current release, I think this would be a suitable hack for compatibility with the other parts of the system.

    /usr/local/www/firewall_virtual_ip_edit.php

    ...
        /* verify against reusage of vhids */
        $vhid_increment = 0;
        foreach($config['virtualip']['vip'] as $alt_vip)
            $vhid_increment = ($alt_vip['subnet'] != $_POST['subnet']
                               && $alt_vip['interface'] == $_POST['interface']
                               && $alt_vip['vhid'] == $_POST['vhid'])
                              ? $vhid_increment + 1 : $vhid_increment;
        $_POST['vhid'] = str_pad($_POST['vhid'], 3, "0", STR_PAD_LEFT).'_'.$_POST['interface'].'_'.$vhid_increment;
        $idtracker = 0;
    ...

    <option value="<?=$i;?>" <?php if ($i == substr($pconfig['vhid'],0,3)) echo "selected"; ?>><?=$i;?></option>


    /etc/inc/interfaces.inc

        $vipif = "vip{$vip['vhid']}";
        $vip['vhid'] = ltrim(substr($vip['vhid'],0,3),'0');


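    The checks proposed in the two posts above (first keying the "VHID already in use" test on the interface, then on interface plus subnet), written out as one self-contained PHP script. This is an added example, not pfSense's own code from firewall_virtual_ip_edit.php or interfaces.inc: the function names findVhidConflict and carpInterfaceName, and the sample VIP entries, are constructed for this illustration; the $config['virtualip']['vip'] layout (mode, interface, subnet, vhid) and the newer "{interface}_vip{vhid}" naming are taken from the thread. Unlike the hack in the previous post, it keeps the stored vhid numeric and does the uniqueness test on the (interface, subnet, vhid) triple, so nothing downstream has to strip a padded string back to a number.

```php
<?php
// Added example (not pfSense's own code). Uniqueness of a CARP VHID is judged
// per broadcast domain (interface + subnet) instead of per VHID number alone.
// Config layout ($config['virtualip']['vip'] entries with 'mode', 'interface',
// 'subnet', 'vhid') follows the thread; function names and sample data are
// constructed for this example.

/**
 * Return the index of an existing CARP VIP that clashes with $candidate,
 * or null if the VHID may be used.
 *
 * Rule (as proposed in the thread): a VHID may be reused on another
 * interface, and on the same interface only for a different subnet.
 * The entry currently being edited ($editId) is skipped, mirroring the
 * original "$idtracker <> $id" condition.
 */
function findVhidConflict(array $vips, array $candidate, $editId = null) {
    foreach ($vips as $id => $vip) {
        if ($id === $editId || $vip['mode'] !== 'carp') {
            continue;                       // only CARP VIPs carry a VHID
        }
        if ((int)$vip['vhid'] !== (int)$candidate['vhid']) {
            continue;                       // different VHID, no clash
        }
        if ($vip['interface'] === $candidate['interface']
            && $vip['subnet'] === $candidate['subnet']) {
            return $id;                     // same domain, same VHID: reject
        }
    }
    return null;
}

/**
 * CARP interface name using the newer convention quoted from the GitHub
 * tree in the thread: "{$vip['interface']}_vip{$vip['vhid']}".
 */
function carpInterfaceName(array $vip) {
    return "{$vip['interface']}_vip{$vip['vhid']}";
}

// Constructed sample configuration: two CARP VIPs already defined, both VHID 1.
$config = array();
$config['virtualip']['vip'] = array(
    array('mode' => 'carp', 'interface' => 'wan', 'subnet' => '203.0.113.10', 'vhid' => 1),
    array('mode' => 'carp', 'interface' => 'lan', 'subnet' => '192.168.1.1',  'vhid' => 1),
);
$vips = $config['virtualip']['vip'];

// Constructed candidates covering the three outcomes discussed in the thread.
$cases = array(
    'VHID 1 on opt1 (new broadcast domain)' =>
        array('mode' => 'carp', 'interface' => 'opt1', 'subnet' => '10.0.0.1',    'vhid' => 1),
    'VHID 1 on lan, different subnet' =>
        array('mode' => 'carp', 'interface' => 'lan',  'subnet' => '172.16.0.1',  'vhid' => 1),
    'VHID 1 on lan, same subnet (duplicate)' =>
        array('mode' => 'carp', 'interface' => 'lan',  'subnet' => '192.168.1.1', 'vhid' => 1),
);

foreach ($cases as $label => $candidate) {
    $clash = findVhidConflict($vips, $candidate);
    if ($clash === null) {
        printf("%s: OK, would create %s\n", $label, carpInterfaceName($candidate));
    } else {
        printf("%s: rejected, VHID %d is already in use on %s (vip #%d)\n",
               $label, $candidate['vhid'], $vips[$clash]['interface'], $clash);
    }
}
```

    Run with `php example.php`; the first two candidates are accepted and the third is rejected with the same wording the GUI uses. One caveat worth keeping in mind with the "same interface, different subnet" case: every CARP VIP with a given VHID on one physical interface answers to the same virtual MAC (00:00:5e:00:01:<vhid>), so that case only behaves sensibly when the two subnets really are on one broadcast domain sharing one CARP group, which is exactly the situation the previous post describes.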

  • So I tested the previous code and it works perfectly. Allows the same VHID to be used on the same interface and other interfaces, provided the broadcast domain is different.

    And all other functions look to work just fine with the modification of the VIP/Carp interface name.

    This is just a quick hack until 2.1 becomes stable.

