I'm still trying to track this issue down. I have one of the two new nodes up
finally without blowing up the network. I re-arranged VHIDs on all PFSense
servers on the network so they are unique and that did the trick for one out
of two. Still bringing the second server up to pair up with carp, it shuts
down one segment of my wireless network. There are 2 PFSense servers on the
hard wire over there. One is a bridge and does not use carp. One is a
traditional NAT firewall without carp as well. There might be a few
customers we have recommended PFSense to over there but I doubt any of them
use carp (intentionally).
I read a post about PFSense becoming unresponsive after adding carp IPs. This
is what happens during the outage. The console freezes for 4-5 minutes on
that last PFSense server I'm trying to bring up. In another post it was
mentioned that although you can set pfsync to sync over a certain interface,
carp multicast is sent out over any interface that has a carp IP assigned to
it. We use Motorola Canopy for pretty much the entire wireless network. In
the past, we had huge outages due to multicast floods. We had to filter out
all multicast on every customer modem to stop it. So I know we have some
sort of an outstanding issue with multicast over the Canopy network that
maybe this is related to.
My questions:
1.) Under status - carp - I see a list of pfsync nodes. I was able to
determine one of the listed "nodes" was a pfsense firewall with CARP
enabled. However, the other 4-5 listed, I cannot match up with any of my
MACs. Are these node "IDs" randomly made up because of the virtual carp
IPs? Some of my PFSense servers have 30+ pfsense nodes listed.
2.) Being that it looks like I'm still conflicting somehow with my own
PFSense servers AND possibly current and future subscribers, is there a way
to block carp broadcasts altogether per node with the exception of each
master's partner? I entered a block rule on every interface of one pfsense
server (whose slave is turned off) Protocol = carp source/destination * and
yet it still sees other pfsync nodes in the carp status. I don't see anything
in the firewall logs for related drops.
3.) Also in one of the posts, Bill's suggestion to the unresponsive server
was to make sure carp IPs added were within the firewall's subnet. I can
confirm that too (especially since this version won't allow you to
accidentally enter one out of its WAN/LAN range). BUT, I do have 2 backbone
carriers terminating into the same switch for ALL of my PFSense WAN
interfaces and second WAN interfaces. Is this a problem?
Any help is very appreciated. I know very little about multicast and the
guts of carp.
----- Original Message -----
From: "Bill Marquette" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, December 08, 2008 4:38 PM
Subject: Re: [pfSense Support] Many CARP servers in seperate groups
On Mon, Dec 8, 2008 at 2:32 PM, Tim Roberts <[EMAIL PROTECTED]> wrote:
<SNIP>
Do VHIDs have to be unique per IP on the same physical wire to avoid
conflicts with other CARP servers? We had similar floods when we first setup
Pair1 to carp sync on LAN. It was flooding certain linksys and belkin WAPs
out on subscriber sites. We switched it to sync to WAN and the issue went
away.
The CARP vhid dictates its MAC address. You can only have a given
VHID on one Layer 2 segment (and depending on the switch, on one
switch if it can't handle identical MACs on multiple ports even if
they are on different VLANs).
--Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Commercial support available - https://portal.pfsense.org
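Bill's point that the VHID dictates the virtual MAC, and therefore that one VHID can only be claimed by one CARP cluster per Layer 2 segment, can be checked against an inventory before bringing a new pair up. The script below is an added example written for this thread, not pfSense code or anything from the list; the inventory, cluster names and addresses are constructed, and the WAN-switch layout mirrors the one Tim describes (several pairs' WAN interfaces on one switch).

```python
"""Audit CARP VHIDs across pfSense clusters that share a Layer 2 segment."""
from collections import defaultdict

# CARP uses the VRRP virtual-router MAC prefix; the last octet is the VHID,
# so two clusters with the same VHID on one segment advertise the same MAC.
CARP_MAC_PREFIX = "00:00:5e:00:01"

# Constructed inventory (hypothetical clusters, segments and addresses).
INVENTORY = [
    {"cluster": "pair1", "segment": "wan-switch", "vhid": 1, "vip": "203.0.113.10"},
    {"cluster": "pair2", "segment": "wan-switch", "vhid": 1, "vip": "203.0.113.20"},
    {"cluster": "pair1", "segment": "wan-switch", "vhid": 2, "vip": "203.0.113.11"},
    {"cluster": "pair2", "segment": "lan-east", "vhid": 1, "vip": "192.168.50.1"},
]


def carp_mac(vhid: int) -> str:
    """Virtual MAC a CARP interface with this VHID will use on the wire."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1..255, got {vhid}")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


def find_vhid_conflicts(vips):
    """Return {(segment, vhid): [clusters]} for each VHID claimed by more than
    one cluster on the same segment. Members of one cluster sharing a VHID is
    how master/backup pair up, so that is not reported."""
    claims = defaultdict(set)
    for v in vips:
        claims[(v["segment"], v["vhid"])].add(v["cluster"])
    return {k: sorted(c) for k, c in claims.items() if len(c) > 1}


def suggest_unique_vhids(vips):
    """Propose the lowest unused VHID on the segment for every conflicting
    cluster except the first claimant, which keeps its VHID."""
    used = defaultdict(set)
    for v in vips:
        used[v["segment"]].add(v["vhid"])
    proposals = {}
    for (segment, vhid), clusters in sorted(find_vhid_conflicts(vips).items()):
        for cluster in clusters[1:]:
            new = next(n for n in range(1, 256) if n not in used[segment])
            used[segment].add(new)
            proposals[(segment, cluster, vhid)] = new
    return proposals


if __name__ == "__main__":
    for (seg, vhid), clusters in find_vhid_conflicts(INVENTORY).items():
        print(f"{seg}: VHID {vhid} (MAC {carp_mac(vhid)}) claimed by {clusters}")
    for (seg, cluster, old), new in suggest_unique_vhids(INVENTORY).items():
        print(f"  move {cluster} on {seg} from VHID {old} to {new}")
```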