Stacked IP alias on carp doesn't work



  • To keep carp traffic to a minimum, I used an existing carp interface as parent for an ip alias, both sharing the same subnet as suggested in https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses .
    Still, the ip alias doesn't come up, only the carp ip address visible when executing ifconfig wan_vip1. No hint in the system log, just the successful xmlrpc sync. Version: 2.1.4

    Any hints?

    Regards
    Andreas



  • What version of pfSense?



  • As stated, V2.1.4



  • I have the same exact issue:

    2.1.4-RELEASE (amd64)
    built on Fri Jun 20 12:59:50 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    After upgrading to 2.1.4 from 2.1.1 (I can't remember exact previous version but it was 2.1 and above).  The wan_vip1 had the IP alias addresses showing when I did an ifconfig.

    After upgrade and reboot… both firewalls in active/standby pair no longer show the virtual IP alias entries in ifconfig BUT they are still being announced and work somehow.  However when I go to add new Virtual IPs as IP alias (Same subnet as WAN VIP) they don't work at all.  The interface and XML configuration show them though.  The IP Alias will work if I assign them to the WAN instead of the floating WAN IP though.  Not ideal since it won't be managed by CARP.

    Where should I look to see what is going on?  Any ideas?

    Thanks in advance.



  • CARP + VIPs on 2.1.4 is a bit broken; it doesn't apply the Aliases to the interface:

    @jimp:

    If you  use IP Alias type VIPs layered on top of CARP VIPs, use the System Patches package to apply this fix (committed this morning):

    https://github.com/pfsense/pfsense/commit/2bf2a1c4c9a4ed1c378891e2b0e55edf3ed1a658

    We've patched our 2.1.4's and it works again fine.



  • Thank you for sharing RobEmery.  Will it take a while for this patch to make to a release?  I am relatively new to PFsense.



  • @sepulworld:

    Will it take a while for this patch to make to a release?  I am relatively new to PFsense.

    I haven't a clue, security patches seem to have been every couple of months for 2.1.x hopefully 2.1.5 is due soon



  • FWIW 2.1.5 is out today; and apparently has this issue fixed: https://blog.pfsense.org/?p=1401


  • Rebel Alliance Moderator

    @Rob Hate to disappoint you, while the main problem is indeed fixed (no aliases were created with 2.1.4 anymore), there still is a bug with deleting said aliases. They won't get deleted on the backup node, thus bringing chaos to the CARP stack on that interface leading to a split-brain (master/master) situation on that interface (can be resolved by rebooting the standby node or manually deleting the aliases on the VIP interface in a root shell on console).

    So my advice: be careful.



  • @JeGr:

    @Rob Hate to disappoint you, while the main problem is indeed fixed (no aliases were created with 2.1.4 anymore), there still is a bug with deleting said aliases. They won't get deleted on the backup node, thus bringing chaos to the CARP stack on that interface leading to a split-brain (master/master) situation on that interface (can be resolved by rebooting the standby node or manually deleting the aliases on the VIP interface in a root shell on console).

    So my advice: be careful.

    Interesting! Do you know how long this bug has stood for, we've always had interesting behaviour with CARP + VIPs and failovers; we've always ended up rebooting the secondary for "random" problems like these.


Log in to reply