On Wed, Dec 10, 2008 at 10:05 AM, Tim Roberts <[EMAIL PROTECTED]> wrote:
> I'm still trying to track this issue down. I have one of the two new nodes up
> finally without blowing up the network. I re-arranged VHIDs on all PFSense
> servers on the network so they are unique and that did the trick for one out
> of two. Still bringing the second server up to pair up with CARP, it shuts
> down one segment of my wireless network. There are 2 PFSense servers on the
> hard wire over there. One is a bridge and does not use CARP. One is a
> traditional NAT firewall without CARP as well. There might be a few
> customers we have recommended PFSense to over there, but I doubt any of them
> use CARP (intentionally).
>
> I read a post about PFSense becoming unresponsive after adding CARP IPs. This
> is what happens during the outage. The console freezes for 4-5 minutes on
> that last PFSense server I'm trying to bring up. In another post it was
> mentioned that although you can set pfsync to sync over a certain interface,
> CARP multicast is sent out over any interface that has a CARP IP assigned to
> it. We use Motorola Canopy for pretty much the entire wireless network. In
> the past, we had huge outages due to multicast floods. We had to filter out
> all multicast on every customer modem to stop it. So I know we have some
> sort of an outstanding issue with multicast over the Canopy network that
> maybe this is related to.
Both CARP and pfsync make use of multicast to do their job. CARP is very similar to VRRP: the master node advertises once a second, and the passive server watches the wire to see if the advertisements come in. If you are dropping multicast on your switch, I'd be surprised if CARP is working at all for you. You'll need it enabled on at least the ports that have your firewalls plugged in.

> My questions:
> 1.) Under Status - CARP - I see a list of pfsync nodes. I was able to
> determine one of the listed "nodes" was a pfSense firewall with CARP
> enabled. However, the other 4-5 listed, I cannot match up with any of my
> MACs. Are these node "IDs" randomly made up because of the virtual CARP
> IPs? Some of my PFSense servers have 30+ pfsense nodes listed.

These are system IDs and get uniquely generated at boot. You'll tend to see more than your cluster count due to reboots and long-lived connections going through the cluster that live longer than the reboot times. You can identify a given node's current ID with 'pfctl -si | grep Hostid' in the shell.

> 2.) Being that it looks like I'm still conflicting somehow with my own
> PFSense servers AND possibly current and future subscribers, is there a way
> to block CARP broadcasts altogether per node with the exception of each
> master's partner? I entered a block rule on every interface of one pfSense
> server (whose slave is turned off), Protocol = carp, source/destination *, and
> yet it still sees other pfsync nodes in the CARP status. I don't see anything
> in the firewall logs for related drops.

pfsync needs to be on a dedicated cable PER cluster. I think I see some of your issue here. pfsync and CARP are COMPLETELY different beasts; they work hand in hand, but are mutually exclusive - neither requires the other.
--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Commercial support available - https://portal.pfsense.org
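The two threads of the discussion above, that VHIDs must be unique on a segment and that a CARP master advertises on a fixed schedule which the backup watches for, suggest a simple check to run against a capture before bringing a second node up. The script below is an added example and is not code from the thread or from pfSense. It parses a constructed capture whose line layout approximates what `tcpdump -ni <iface> proto carp` prints on a BSD host (that layout, and the line format regex, are assumptions), then reports every VHID advertised by more than one source and every master whose observed advertisement interval strays from the CARP schedule of advbase + advskew/256 seconds.

```python
"""Check a CARP advertisement capture for duplicate VHIDs and irregular timing."""
import re
from collections import defaultdict
from statistics import mean

# CARP advertisements go to the 224.0.0.18 multicast group (IP protocol 112).
CARP_GROUP = "224.0.0.18"

# Constructed sample capture (not taken from the thread). The line format
# approximates tcpdump's CARP output and is an assumption; adjust LINE_RE if
# your tcpdump build prints the fields differently.
SAMPLE_CAPTURE = """\
10:00:00.000000 IP 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
10:00:00.200000 IP 10.0.0.5 > 224.0.0.18: CARPv2-advertise 36: vhid=7 advbase=1 advskew=100 authlen=7 counter=1
10:00:00.300000 IP 10.0.0.20 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=1
10:00:00.500000 IP 10.0.0.9 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=7
10:00:01.002000 IP 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=2
10:00:01.500000 IP 10.0.0.9 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=8
10:00:01.590000 IP 10.0.0.5 > 224.0.0.18: CARPv2-advertise 36: vhid=7 advbase=1 advskew=100 authlen=7 counter=2
10:00:02.003000 IP 10.0.0.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=3
10:00:02.980000 IP 10.0.0.5 > 224.0.0.18: CARPv2-advertise 36: vhid=7 advbase=1 advskew=100 authlen=7 counter=3
10:00:04.300000 IP 10.0.0.20 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > " + re.escape(CARP_GROUP) +
    r": CARPv\d-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def ts_to_seconds(ts: str) -> float:
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> list:
    """Return one dict per advertisement line; lines that do not match are skipped."""
    adverts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            adverts.append({
                "t": ts_to_seconds(m["ts"]),
                "src": m["src"],
                "vhid": int(m["vhid"]),
                "advbase": int(m["advbase"]),
                "advskew": int(m["advskew"]),
            })
    return adverts


def analyze(text: str, slack: float = 0.25) -> dict:
    """Flag VHIDs advertised by more than one host, and masters whose observed
    advertisement interval strays more than `slack` (a fraction) from the
    CARP schedule of advbase + advskew/256 seconds."""
    seen = defaultdict(lambda: defaultdict(list))   # vhid -> src -> [advert, ...]
    for a in parse_capture(text):
        seen[a["vhid"]][a["src"]].append(a)

    # Only the master of a VHID should be advertising, so the same VHID from
    # several sources on one segment points at a duplicate VHID (or at a
    # failover in progress, which a second capture a minute later tells apart).
    conflicts = {vhid: sorted(srcs) for vhid, srcs in seen.items() if len(srcs) > 1}

    timing = {}
    for vhid, srcs in seen.items():
        for src, adverts in srcs.items():
            if len(adverts) < 2:
                continue
            times = sorted(a["t"] for a in adverts)
            observed = mean(b - a for a, b in zip(times, times[1:]))
            expected = adverts[0]["advbase"] + adverts[0]["advskew"] / 256
            timing[(vhid, src)] = {
                "expected": expected,
                "observed": observed,
                "ok": abs(observed - expected) <= slack * expected,
            }
    return {"conflicts": conflicts, "timing": timing}


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE)
    for vhid, srcs in sorted(report["conflicts"].items()):
        print(f"vhid {vhid} advertised by {', '.join(srcs)}: check for a duplicate VHID")
    for (vhid, src), t in sorted(report["timing"].items()):
        status = "ok" if t["ok"] else "IRREGULAR"
        print(f"vhid {vhid} from {src}: expected {t['expected']:.3f}s, "
              f"observed {t['observed']:.3f}s [{status}]")
```

In the constructed capture, VHID 1 is being advertised by both 10.0.0.2 and 10.0.0.9, which is the duplicate-VHID situation the original poster fixed by renumbering, and the host 10.0.0.20 advertising VHID 3 goes quiet for four seconds, the kind of gap a backup would treat as a dead master. Run the script against a real capture by replacing SAMPLE_CAPTURE with the saved tcpdump text; a VHID that shows up from a source you do not recognise is a neighbour's cluster sharing your segment, which is the conflict worth resolving before enabling CARP on the second node.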
