As always, thank you very much for the timely reply.
Tim
----- Original Message -----
From: "Bill Marquette" <[email protected]>
To: <[email protected]>
Sent: Wednesday, December 10, 2008 1:22 PM
Subject: Re: [pfSense Support] Many CARP servers in seperate groups
On Wed, Dec 10, 2008 at 10:05 AM, Tim Roberts <[email protected]> wrote:
> I'm still trying to track this issue down. I have one of the two new nodes up finally without blowing up the network. I re-arranged VHIDs on all PFSense servers on the network so they are unique and that did the trick for one out of two. Still, bringing the second server up to pair up with carp, it shuts down one segment of my wireless network. There are 2 PFSense servers on the hard wire over there. One is a bridge and does not use carp. One is a traditional NAT firewall without carp as well. There might be a few customers we have recommended PFSense to over there but I doubt any of them use carp (intentionally).
>
> I read a post about PFSense becoming unresponsive after adding carp IPs. This is what happens during the outage. The console freezes for 4-5 minutes on that last PFSense server I'm trying to bring up. In another post it was mentioned that although you can set pfsync to sync over a certain interface, carp multicast is sent out over any interface that has a carp IP assigned to it. We use Motorola Canopy for pretty much the entire wireless network. In the past, we had huge outages due to multicast floods. We had to filter out all multicast on every customer modem to stop it. So I know we have some sort of an outstanding issue with multicast over the Canopy network that maybe this is related to.
Both CARP and pfsync make use of multicast to do their job. CARP is
very similar to VRRP, the master node advertises once a second, the
passive server watches the wire to see if the advertisements come in.
If you are dropping multicast on your switch, I'd be surprised if CARP
is working at all for you. You'll need it enabled on at least the
ports that have your firewalls plugged in.
> My questions:
>
> 1.) Under status - carp - I see a list of pfsync nodes. I was able to determine one of the listed "nodes" was a pfsense firewall with CARP enabled. However, the other 4-5 listed, I cannot match up with any of my MACs. Are these node "IDs" randomly made up because of the virtual carp IPs? Some of my PFSense servers have 30+ pfsense nodes listed.
These are system ids and get uniquely generated at boot. You'll tend to see more than your cluster count due to reboots and long lived connections going through the cluster that live longer than the reboot times. You can identify a given node's current id with a 'pfctl -si | grep Hostid' in the shell.
> 2.) Being that it looks like I'm still conflicting somehow with my own PFSense servers AND possibly current and future subscribers, is there a way to block carp broadcasts altogether per node with the exception of each master's partner? I entered a block rule on every interface of one pfsense server (whose slave is turned off), Protocol = carp, source/destination *, and yet it still sees other pfsync nodes in the carp status. I don't see anything in the firewall logs for related drops.
pfsync needs to be on a dedicated cable PER cluster. I think I see
some of your issue here. pfsync and carp are COMPLETELY different
beasts, they work hand in hand, but are mutually exclusive - neither
requires the other.
--Bill
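Added example, not from the thread or from pfSense: a small offline diagnostic for the VHID-collision problem Tim describes. It assumes the CARP advertisement header layout from OpenBSD's struct carp_header (IP protocol 112), constructs a few sample advertisements, and flags any VHID that more than one sender is announcing on the same segment, which, since only the master advertises, points at two clusters sharing a VHID or a split-brain pair.

```python
import struct
from collections import defaultdict

# Assumed CARP header layout (from OpenBSD's struct carp_header, not from the thread):
# 1 byte version/type (high nibble version=2, low nibble type=1 advertisement),
# vhid, advskew, authlen, demotion, advbase (1 byte each), 2-byte checksum,
# 8-byte counter, then a 20-byte HMAC-SHA1 digest. 36 bytes total.
CARP_HDR = struct.Struct("!BBBBBBHQ20s")

def parse_carp(payload):
    """Parse the CARP header that follows the IP header; raise on anything else."""
    if len(payload) < CARP_HDR.size:
        raise ValueError("truncated CARP header")
    vt, vhid, advskew, authlen, _demote, advbase, _cksum, counter, _md = CARP_HDR.unpack_from(payload)
    version, typ = vt >> 4, vt & 0x0F
    if version != 2 or typ != 1:
        raise ValueError("not a CARP v2 advertisement: version=%d type=%d" % (version, typ))
    return {"vhid": vhid, "advskew": advskew, "advbase": advbase,
            "authlen": authlen, "counter": counter}

def build_carp(vhid, advskew=0, advbase=1, counter=0):
    """Constructed advertisement for offline testing (checksum and digest left zero)."""
    return CARP_HDR.pack(0x21, vhid, advskew, 7, 0, advbase, 0, counter, b"\x00" * 20)

def find_vhid_conflicts(observations):
    """observations: iterable of (sender_ip, carp_payload) captured on ONE segment.
    Backups stay silent, so a VHID with more than one sender normally means two
    clusters (or stray boxes) share that VHID, or both nodes think they are master.
    A brief overlap right at failover is the one benign cause; re-check over time."""
    senders = defaultdict(set)
    for src, payload in observations:
        adv = parse_carp(payload)
        senders[adv["vhid"]].add(src)
    return {vhid: sorted(s) for vhid, s in senders.items() if len(s) > 1}

# Constructed sample traffic: two different firewalls both announce VHID 1,
# while VHID 7 has a single (healthy) master.
SAMPLE = [
    ("10.0.0.2", build_carp(1, advskew=0)),
    ("10.0.0.3", build_carp(7, advskew=0)),
    ("10.0.0.50", build_carp(1, advskew=100)),
    ("10.0.0.2", build_carp(1, advskew=0, counter=1)),
]

if __name__ == "__main__":
    for vhid, who in find_vhid_conflicts(SAMPLE).items():
        print("VHID %d advertised by more than one host: %s" % (vhid, ", ".join(who)))
```

On a real network the payloads would come from a capture of protocol 112 on the firewall-facing ports; the parser itself does not depend on how they were collected.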
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
---------------------------------------------------------------------