CARP - pfsync interface not reachable
-
I have set up 1.1.1.1 and 2.2.2.2 /24 pfsync interfaces. Both are OPT4, and rules are in place. But I am unable to connect the two. Pings fail from both ends. I connected them directly through a Cat6 cable and even tried using a switch, giving them their own private environment.
I hope it's a bug, as I wasted my entire weekend troubleshooting this. Can anyone please provide some guidance? Thanks.
-
Not sure if I understand your setup, but it seems that you are using pfsync interfaces in different subnets. They need to be in the same net to see each other:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setup_a_Dedicated_Sync_Interface
-
They are both on /24. I tried different IP addresses as well, like 192.168.x.x. I just can't reach the opposite node. If I connect to the master I can ping 1.1.1.1, and 2.2.2.2 if connected to the slave. But I can't ping 2.2.2.2 while connected to the master, and vice versa.
Also, both are OPT4 interfaces, so no mismatch, though one is "re0" and the other "bg0". I even tried not using the two interfaces and creating a new VLAN on both using Intel ports. Still no go.
It is the simplest task but it just fails to see the opp node.
-
IIRC you need the same interfaces on both sides for the actual state sync to work. So, even if you get this sorted out, synchronization won't work until you have, e.g., bg0 on both sides.
I think cmb suggested that you can work around this using lagg interfaces with only one member each, but I never tested that.
-
Without seeing one of your actual interface configurations (And the firewall rules for the interface) it's impossible to say why it isn't working.
It isn't a general problem, however. I have a 2.3 HA setup with CARP and it's working fine, the two can talk on their sync interface and so on.
-
Nothing fancy in the interface configs... here is the info:
Both are OPT4 interfaces. They should at least accept simple pings. I don't see why they cannot work. I even tried it using a simple VLAN on a similar Intel igb2 interface as well. Same issue. Again, I tried connecting a straight-through cable; they negotiate and use 1000 Mbps. I also tried setting them up in a managed gigabit switch.
SYNC Interface (opt4, re0)
Status up
IPv4 Address 1.1.1.1
Subnet mask IPv4 255.255.255.0
MTU 1500
Media 1000baseT <full-duplex>

SYNC Interface (opt4, bge0)
Status up
IPv4 Address 2.2.2.2
Subnet mask IPv4 255.255.255.0
MTU 1500
Media 1000baseT <full-duplex>

SYNC interface rules:
States   Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
0/0 B    IPv4 *    *       *     *            *     *        none             Default allow SYNC to any rule
-
1.1.1.1 is not in the same /24 as 2.2.2.2, so of course they can't reach each other.
Try 1.1.1.1 and 1.1.1.2
Or try not using public/assigned addresses on your local interfaces, use one from 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 somewhere.
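As an added example (not from this thread and not pfSense code), the following script encodes the checks raised in this reply and elsewhere in the thread as an offline pre-flight test for a pair of sync interfaces: same subnet, RFC 1918 addressing, a firewall rule allowing traffic on the sync interface, and matching interface names on both nodes. The sample interface records are constructed from the values posted above; the field names (`driver`, `addr`, `rules_allow_sync`) are this example's own, not pfSense's configuration schema.

```python
import ipaddress

# Constructed sample, modeled on the two sync interfaces posted in the thread.
# Field names are this example's own, not pfSense's config schema.
MASTER = {"name": "opt4", "driver": "re0", "addr": "1.1.1.1/24", "rules_allow_sync": True}
BACKUP = {"name": "opt4", "driver": "bge0", "addr": "2.2.2.2/24", "rules_allow_sync": True}

# RFC 1918 private ranges, as suggested in the reply above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def same_subnet(a: str, b: str) -> bool:
    """True if two CIDR interface addresses fall in the same network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def is_private(addr: str) -> bool:
    """True if the host part of a CIDR address is RFC 1918 space."""
    ip = ipaddress.ip_interface(addr).ip
    return any(ip in net for net in PRIVATE_NETS)


def check_sync_pair(side_a: dict, side_b: dict) -> list:
    """Return a list of human-readable findings; an empty list means the pair looks sane."""
    findings = []
    ia, ib = ipaddress.ip_interface(side_a["addr"]), ipaddress.ip_interface(side_b["addr"])

    # 1.1.1.1/24 and 2.2.2.2/24 are different networks, so L2 neighbours never ARP for each other.
    if ia.network != ib.network:
        findings.append(
            f"subnet mismatch: {side_a['addr']} is in {ia.network}, {side_b['addr']} is in "
            f"{ib.network}; pfsync peers must share one subnet"
        )
    if ia.ip == ib.ip:
        findings.append(f"duplicate address {ia.ip} on both nodes")

    for side in (side_a, side_b):
        if not is_private(side["addr"]):
            findings.append(f"{side['addr']} is not RFC 1918 space; use 10/8, 172.16/12 or 192.168/16")
        if not side["rules_allow_sync"]:
            findings.append(f"{side['driver']}: no firewall rule allowing traffic on the sync interface")

    # The thread notes state sync wants the same interface name on both nodes.
    if side_a["driver"] != side_b["driver"]:
        findings.append(
            f"interface names differ ({side_a['driver']} vs {side_b['driver']}); "
            "state sync needs matching names on both nodes"
        )
    return findings


if __name__ == "__main__":
    for line in check_sync_pair(MASTER, BACKUP) or ["no findings"]:
        print(line)
```

Run as-is it reports the subnet mismatch, the non-private addresses and the re0/bge0 name difference for the posted configuration; swapping in 192.168.5.1/24 and 192.168.5.2/24 on the same driver name on both nodes returns no findings.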
-
1.1.1.1 is not in the same /24 as 2.2.2.2, so of course they can't reach each other.
Try 1.1.1.1 and 1.1.1.2
Or try not using public/assigned addresses on your local interfaces, use one from 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 somewhere.
I tried 192.168.5.1 and 192.168.5.2... no go. :-(
I will do a clean install tonight with the latest snapshot and see if that makes a difference.
-
Unlikely there's any point in doing a clean install. With a proper IP config on there now, do you see the opposite side in ARP? Firewall rules allowing traffic on the sync interface on both sides?
-
I think it was a bad NIC. Switched with a new similar network card and all is well. Sync works perfectly now.