61st ip.



  • I did not encounter the following problem in 2.0.3 and earlier.

    In the versions after 2.0.3,
    when I add the 61st CARP or IFALIAS WAN IP address, the relevant WAN gateway goes down.

    1st when I add CARP IP, gateway up.
    2nd when I add CARP IP, gateway up.
    .
    .
    .
    60th when I add CARP IP, gateway up.
    When I add 61st CARP IP, gateway down.
    or 62, 63, 64 + ..

    When I delete back down to 60 again, the gateway goes up.

    I've tried it with the same hardware and the same IP groups on versions 2.1.1 and 2.1.2.

    Is anyone else experiencing this issue?

    (sorry for my poor English)


  • Banned

    I sincerely doubt anyone will go thru the huge trouble of adding 60+ VIPs just in order to test a completely whacky setup. You'd be a whole lot better off obtaining a paid support for similar extremely borderline use cases.

    https://www.pfsense.org/get-support/index.html#commercial-support



  • I mentioned the problem may be caused by something I've overlooked.
    I need advice on this forum.
    Did I do wrong?

    pfsense, long years, I served as a consultant in many businesses use it.

    With everything getting pfsense example,
    I follow and I care.
    pfsense would recommend this to everyone around me.

    I thought.
    You may be right,
    but my goal is to awaken a doubt, absolutely not.

    never thought I'd misunderstood.
    If I'm to understand if such a reason, I'm so sorry.


  • Banned

    @ugur:

    I mentioned the problem may be caused by something I've overlooked.
    I need advice on this forum.
    Did I do wrong?

    I am merely saying I simply do NOT see the crowd of people having a box with 60+ VIPs available, or having experience with anything like that. So, asking whether someone does experience similar issue here does not make much sense.



  • Can you give a little more information?  We are testing a couple of Dell 1950's to replace our aging ASA 5520 in the datacenter and I am planning on testing the CARP setup tomorrow.  We have 58 IP's we are going to be implementing on our system with the likelihood of using more in the very near future, so this topic is of interest to me.

    Can you give the last octet of the IP range you are using as well as the subnet mask and what IPs (last octet) you are assigning to the external interface?

    For instance, something like the following:

    X.X.X.2 - X.X.X.61
    MASK - /24 or whatever it is
    Include your gateway address.

    This way I can test as close to your setup as what you have.  The first part of the address shouldn't matter, it is the range that matters - of course that applies assuming all the addresses are on the same subnet.

    Let me know and I will get back to this thread after testing tomorrow evening.



  • ok.

    test ip group c class.

    x.y.z.0/24

    gateway: x.y.z.1/24 monitor ip: 8.8.8.8

    nic: x.y.z.2/24, gateway up

    1carp(or ifalias): x.y.z.3/24, gateway up
    .
    .
    57carp(or ifalias): x.y.z.59/24, gateway up
    58carp(or ifalias): x.y.z.60/24, gateway up
    59carp(or ifalias): x.y.z.61/24, gateway up
    60carp(or ifalias): x.y.z.62/24, gateway up
    61carp(or ifalias): x.y.z.63/24, gateway down
    after add 63, 64, 65+ gateway down.

    backward deleting:

    61carp(or ifalias): x.y.z.63/24, gateway down
    60carp(or ifalias): x.y.z.62/24, gateway up
    59carp(or ifalias): x.y.z.61/24, gateway up
    ...
    I'm starting again is perhaps necessary, still the same.

    note: if carp, vip pass and vhid group different in all, base 1, skew 0. and z=253.

    I am using pfsense for many years in many places.



  • I have set up 2 Dell 1950 Dual Core 1.60 Xeon servers with 4 GB of RAM, 2 Onboard Broadcom NICs and 1 Quad Port Intel PCI-E X NIC.  The servers are configured in HA and have CARP IPs for both the test LAN and the test WAN.

    I have successfully added 64 IP Aliases to the CARP IP using Firewall->Virtual IP's and can confirm that everything appears to be functioning normally.  I have tested an IPSEC tunnel to a Netgear SRX5308 to the CARP IP and it is working just fine.  I have tested a couple of inbound ports via the IP aliases and they work as well.

    All of this leads me to believe that the problem you are experiencing is something about the network or environment you are testing in.  Perhaps even a hardware limitation with the system it is running on?  I included the hardware I was using for reference in the event that it might help.

    The problems you are seeing do not appear to be limitations of PFSENSE itself, but some other factor.  Did you upgrade both of these from a previous version of PFSense or did you fresh install?

    Another thought is to skip the 61st IP and use the next one up.  So if it stops on using IP .61, use IP .62 or even .70  and just see if the GW still drops.  The other side is what is the GW?  Is it a device that perhaps is looking for activity such as many IP's from a single hardware device and might be shutting down the port if it detects X number?  Not likely, but seen some crazy stuff in the Corporate world.

    Thanks,
    B



  • clean installation, not an upgrade.

    but the same configuration, similar NICs, same IP class, CIDR/24.

    and platform Dell 2900, 2xXeon; I do not use the onboard NICs, I use 2x dual port 1000PT.

    yes, I've tried.
    skip the 61st IP, have the same problem.
    I'm jumping 61,62,63..70,80 or 100..
    I'm adding 70,80,90,100,150,200 or etc.
    the same.

    In reality, after pfsense "cisco catalyst 3750 switch" or "cisco 2921 router"

    similar config in 2.0.3, all ok and run long time.

    I'll try again this weekend.

    hmm.

    you successfully add 64 IP, what class/CIDR?



  • Yes I successfully added 64 IP Addresses to the CARP interface.

    Network was 10.50.1.X/24



  • bshack,  You are saying that you only have a single CARP VIP on the WAN, and that you added the rest of the VIPs using IPAliases?

    I just cut-over to a pair of firewalls that had 24+ CARP VIPs on the WAN - as soon as the secondary fw would boot, the primary would crash, and then continue to crash after each boot as long as the secondary fw was online.  Made for a rough 24 hours.

    Apparently I'm doing it wrong..



  • There's nothing special in general about the 60th or 61st IP, no one will be able to replicate that problem just by adding 62 IPs. My first guess is you're creating a MAC conflict with a conflicting VHID or VRID of your gateway IP.
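
The MAC-conflict check suggested in the post above, as an added example that is not part of the original thread: CARP and IPv4 VRRP both derive the virtual MAC `00:00:5e:00:01:<id>` from the VHID or VRID, so a neighbour already answering from that MAC collides with a local CARP VIP using the same id. The function names, the sample `ifconfig`/`arp -an` text and the 192.0.2.0/24 addresses are constructed for illustration.

```python
import re

def virtual_mac(group_id: int) -> str:
    """CARP VHID and IPv4 VRRP VRID both map to 00:00:5e:00:01:<id as hex byte>."""
    if not 1 <= group_id <= 255:
        raise ValueError(f"group id out of range: {group_id}")
    return f"00:00:5e:00:01:{group_id:02x}"

VHID_RE = re.compile(r"\bvhid\s+(\d+)\b")
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})(?P<rest>.*)",
    re.IGNORECASE)

def local_vhids(ifconfig_text: str) -> list[int]:
    return sorted({int(v) for v in VHID_RE.findall(ifconfig_text)})

def neighbour_macs(arp_text: str) -> dict[str, str]:
    """IP -> MAC for learned neighbours; the firewall's own 'permanent' entries are skipped."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if m and "permanent" not in m["rest"]:
            table[m["ip"]] = ":".join(f"{int(b, 16):02x}" for b in m["mac"].split(":"))
    return table

def find_conflicts(ifconfig_text: str, arp_text: str) -> list[tuple[int, str, str]]:
    """(vhid, neighbour IP, MAC) wherever a neighbour already answers with a local CARP MAC."""
    mine = {virtual_mac(v): v for v in local_vhids(ifconfig_text)}
    return sorted((mine[mac], ip, mac)
                  for ip, mac in neighbour_macs(arp_text).items() if mac in mine)

def sample_ifconfig(count: int) -> str:
    # Constructed sample: one CARP VIP per VHID 1..count, as in the thread (base 1, skew 0).
    return "\n".join(f"\tcarp: MASTER vhid {n} advbase 1 advskew 0" for n in range(1, count + 1))

# Constructed `arp -an` style lines; 192.0.2.0/24 is a documentation range.
# The gateway here answers from a VRRP MAC with VRID 61 (0x3d), an assumption for the demo.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:00:5e:00:01:3d on em0 expires in 1187 seconds [ethernet]
? (192.0.2.2) at 00:1b:21:aa:bb:01 on em0 permanent [ethernet]
? (192.0.2.63) at 00:00:5e:00:01:3d on em0 permanent [ethernet]
? (192.0.2.9) at 00:1b:21:aa:bb:09 on em0 expires in 900 seconds [ethernet]
"""

if __name__ == "__main__":
    for n in (60, 61):
        print(n, "VIPs ->", find_conflicts(sample_ifconfig(n), SAMPLE_ARP))
```

On a real firewall the two inputs would be the output of `ifconfig` and `arp -an` captured on the box itself; an empty result rules out this particular collision but not other causes.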



  • @cthomas:

    bshack,  You are saying that you only have a single CARP VIP on the WAN, and that you added the rest of the VIPs using IPAliases?

    I just cut-over to a pair of firewalls that had 24+ CARP VIPs on the WAN - as soon as the secondary fw would boot, the primary would crash, and then continue to crash after each boot as long as the secondary fw was online.  Made for a rough 24 hours.

    Apparently I'm doing it wrong..

    That is exactly what I did.  I am coming from an ASA 5520 to this platform and one thing I will say.  Check, Double Check, Triple Check settings.  The same applies for the ASA or any other firewall as well as any other platform, but I find whenever something is not working for me on PFSense, it is due to a setting I did not get in there correctly.  In your situation, it might be helpful to know what the crash said on the console or log in PFSense.  Throw some more detail in and I am sure someone can point out what is likely to be causing the problem.



  • @cthomas:

    I just cut-over to a pair of firewalls that had 24+ CARP VIPs on the WAN - as soon as the secondary fw would boot, the primary would crash, and then continue to crash after each boot as long as the secondary fw was online.  Made for a rough 24 hours.

    Wow, never seen or heard of that happening. You should start a thread on that if you haven't already (I couldn't find one in your post history). I suspect some kind of weird NIC or other driver bug that's specific to some very unusual edge case on your combination of hardware.



  • thanks pfsense.

    I LOVE PFSENSE, I TRUST PFSENSE.

    2.1.3 everything okay, no problem.

    but, I don't know what's wrong.
    within a short time I will examine my settings (especially the MAC and CARP) letter by letter again.

    edit: 2.1.3 config backup to restore 2.1.2, now it came to my mind, but I have not tried.



  • @cmb:

    @cthomas:

    I just cut-over to a pair of firewalls that had 24+ CARP VIPs on the WAN - as soon as the secondary fw would boot, the primary would crash, and then continue to crash after each boot as long as the secondary fw was online.  Made for a rough 24 hours.

    Wow, never seen or heard of that happening. You should start a thread on that if you haven't already (I couldn't find one in your post history). I suspect some kind of weird NIC or other driver bug that's specific to some very unusual edge case on your combination of hardware.

    cmb - I submitted a ton of crash reports - pm me for hostname details

