Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Yes we don't have any DHCP in our CARP environment.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of hamid ashraf
Sent: Thursday, March 23, 2017 6:01 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Dear Steve,

Thanks for taking time to see my email. Yes you can say I have two issues but both are inter-related in my case. As CARP does not advertise itself as Gateway in case of DHCPv6 and in my case I have configured DHCPv6 which is not replicated to backup firewall and in case master goes down...in vain.

So you are using static assignment in your case for IPv6?

Regards
Hamid

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
On 03/22/2017 02:16 PM, hamid ashraf wrote:
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and Second is Backup.
> CARP is configured between both firewalls for IPv4 and all the configurations
> are successfully syncing. When I configured the DHCPv6 on master firewall,
> that configuration didn't replicate to the backup one and everything works
> perfectly from outside to inside and vice versa on master. When the firewall
> fails over, IPv6 connectivity is gone. My questions:
>
> 1. Does pfSense not support IPv6 Failover?

No, because the ISC DHCP daemon for IPv6 does not have any concept of failover baked in at this time. And last I heard, they are holding out waiting for an IPv6 DHCP failover standard to be written. There are a couple drafts floating around but last I saw, none have yet moved beyond that stage.

> 2. Does pfSense not support DHCPv6 failover as I observed nothing has
> been synced to backup firewall, related to DHCPv6?

It could, but it doesn't, because of the above limitation. You have to manually configure a different range on both boxes, or use only SLAAC for automatic assignment.

You could configure the same pool on both units but since the two units cannot share lease information, you end up relying on IPv6 DAD to prevent conflicts. Since the potential IPv6 address pool for a subnet is huge (/64), using a separate range on each unit shouldn't be a problem. But it does mean you have to configure them manually.

> 3. Please suggest a design to get IPv6, IPv4 working together in failover with
> DHCPv6 synced between them and if the firewall fails over it should be seamless.

You have to set up each node manually for DHCPv6 but it works fine this way:

Primary:
* DHCPv6 enabled
** DHCPv6 set for a given range (say... :::xxx0::1:-:::xxx0::1:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP
* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP. Binding to the CARP VIP interface ensures that radvd only runs on the node which is master.
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use the same settings as DHCPv6 server)

Secondary:
* DHCPv6 enabled
** DHCPv6 set for DIFFERENT range (say... :::xxx0::2:-:::xxx0::2:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP
* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use the same settings as DHCPv6 server)

Then repeat that for each local interface (e.g. DMZ, guest network, etc)

It may seem clunkier than its IPv4 sibling but they both transition at nearly the same rate.

As an alternative, you could bind the RA daemon to the LAN directly and set the primary to high, secondary to normal or low. That way nodes would always know about both gateways and they would decide which one to use automatically.

Jim P
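
The split-pool layout described in the message above can be checked before it is typed into both nodes. The following is an added example, not part of the original message and not pfSense code; the function name, the node dictionary layout and all addresses (taken from the 2001:db8::/32 documentation prefix) are assumptions made for illustration.

```python
import ipaddress

def check_split_pools(prefix, carp_vip, nodes):
    """Return a list of problems found in a split-pool DHCPv6 layout."""
    net = ipaddress.IPv6Network(prefix)
    vip = ipaddress.IPv6Address(carp_vip)
    problems, pools = [], {}
    for name, cfg in nodes.items():
        first, last = (ipaddress.IPv6Address(a) for a in cfg["range"])
        if first > last:
            problems.append(f"{name}: range start is above range end")
            continue
        if first not in net or last not in net:
            problems.append(f"{name}: range is outside {net}")
        # Added sanity check (assumption): the pool must not hand out the VIP.
        if first <= vip <= last:
            problems.append(f"{name}: CARP VIP is inside the pool")
        # Both nodes advertise the CARP VIP as DNS server, as in the message.
        if ipaddress.IPv6Address(cfg["dns"]) != vip:
            problems.append(f"{name}: DNS server is not the CARP VIP")
        pools[name] = (first, last)
    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Closed intervals overlap when each starts before the other ends.
            if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems

# Constructed sample values using the 2001:db8::/32 documentation prefix.
PREFIX, VIP = "2001:db8:0:10::/64", "2001:db8:0:10::1"
GOOD = {
    "primary": {"range": ("2001:db8:0:10::1:0", "2001:db8:0:10::1:ffff"),
                "dns": VIP},
    "secondary": {"range": ("2001:db8:0:10::2:0", "2001:db8:0:10::2:ffff"),
                  "dns": VIP},
}
# Constructed misconfiguration: overlapping pools and a node-local DNS address.
BAD = {
    "primary": GOOD["primary"],
    "secondary": {"range": ("2001:db8:0:10::1:8000", "2001:db8:0:10::2:ffff"),
                  "dns": "2001:db8:0:10::3"},
}

if __name__ == "__main__":
    for label, layout in (("good", GOOD), ("bad", BAD)):
        print(label, check_split_pools(PREFIX, VIP, layout) or "no problems")
```
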
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Dear Steve,

Thanks for taking time to see my email. Yes you can say I have two issues but both are inter-related in my case. As CARP does not advertise itself as Gateway in case of DHCPv6 and in my case I have configured DHCPv6 which is not replicated to backup firewall and in case master goes down...in vain.

So you are using static assignment in your case for IPv6?

Regards
Hamid

From: Steve Yates
To: pfSense Support and Discussion Mailing List
Sent: Thursday, March 23, 2017 2:20 AM
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Interesting...we have not seen that problem with IPv6 and CARP. I just looked and the backup is showing Backup for all IPs. I do occasionally, like after our 2.3.2 to 2.3.3_1 upgrade, where one IP does get stuck as Master on the backup after the primary is updated and restarts. I am fairly certain it was an IPv4 address though, and is not a new issue. Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and that DHCPv6 is not being synced? We aren't using DHCPv6 but have not seen any issues with IPv6 and CARP. IPv6 connectivity shouldn't be related to whether DHCPv6 is running, as long as the PCs have addresses...?

--
Steve Yates
ITS, Inc.
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Interesting...we have not seen that problem with IPv6 and CARP. I just looked and the backup is showing Backup for all IPs. I do occasionally, like after our 2.3.2 to 2.3.3_1 upgrade, where one IP does get stuck as Master on the backup after the primary is updated and restarts. I am fairly certain it was an IPv4 address though, and is not a new issue. Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and that DHCPv6 is not being synced? We aren't using DHCPv6 but have not seen any issues with IPv6 and CARP. IPv6 connectivity shouldn't be related to whether DHCPv6 is running, as long as the PCs have addresses...?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jochen Becker
Sent: Wednesday, March 22, 2017 1:25 PM
To: hamid ashraf ; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Hi Hamid,

can you check whether your IPv6 CARP Addresses are in a good condition after 10-15 minutes of uptime?

I have a problem with multiple setups where CARPv6 changes to dual master after 10 minutes. IPv6 connectivity is nearly impossible with that setup. However IPv4 and CARP with v4 are working as they should. Those problems appeared shortly after the update to 2.3.3p1.

See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers
Jochen
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Hi Hamid,

can you check whether your IPv6 CARP Addresses are in a good condition after 10-15 minutes of uptime?

I have a problem with multiple setups where CARPv6 changes to dual master after 10 minutes. IPv6 connectivity is nearly impossible with that setup. However IPv4 and CARP with v4 are working as they should. Those problems appeared shortly after the update to 2.3.3p1.

See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers
Jochen

On 22.03.2017 19:16, hamid ashraf wrote:
> Hi,
>
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and Second is Backup.
> CARP is configured between both firewalls for IPv4 and all the configurations
> are successfully syncing. When I configured the DHCPv6 on master firewall,
> that configuration didn't replicate to the backup one and everything works
> perfectly from outside to inside and vice versa on master. When the firewall
> fails over, IPv6 connectivity is gone. My questions:
>
> 1. Does pfSense not support IPv6 Failover?
> 2. Does pfSense not support DHCPv6 failover as I observed nothing has
> been synced to backup firewall, related to DHCPv6?
> 3. Please suggest a design to get IPv6, IPv4 working together in failover with
> DHCPv6 synced between them and if the firewall fails over it should be seamless.
>
> Diagram attached for your reference.
[pfSense] IPv6 (CARP and DHCPv6 failover)
Hi,

I have 2 pfSense FW 2.3.3 p1 version, one is Master and Second is Backup. CARP is configured between both firewalls for IPv4 and all the configurations are successfully syncing. When I configured the DHCPv6 on master firewall, that configuration didn't replicate to the backup one and everything works perfectly from outside to inside and vice versa on master. When the firewall fails over, IPv6 connectivity is gone. My questions:

1. Does pfSense not support IPv6 Failover?
2. Does pfSense not support DHCPv6 failover as I observed nothing has been synced to backup firewall, related to DHCPv6?
3. Please suggest a design to get IPv6, IPv4 working together in failover with DHCPv6 synced between them and if the firewall fails over it should be seamless.

Diagram attached for your reference.