pfSense bugtracker: Issues
https://redmine.pfsense.org/ | updated 2023-11-20T17:53:07Z
pfSense - Bug #15015 (New): Static routes not working
https://redmine.pfsense.org/issues/15015 | 2023-11-20T17:53:07Z | Silviu Bajenaru
<p>Hello,</p>
<p>This morning I updated to pfSense 2.7.1 from 2.7.0. Now, I just tried to add a dynamic gateway and a static route. Unfortunately, the static route is not being added to the routing table. I restored the VM backup from this morning, before I updated, added the same gateway and static route, and it was added to the routing table, and everything works fine.<br />I've set the priority to Urgent since this is quite bad for a router...?</p>
<p>More info about my setup: I've got three sites, let's call them A, B and C. There is an IPsec tunnel between A and B, and one between B and C. Both tunnels are set with Mode VTI. I've assigned the IPsec interfaces and set the gateways and routes:<br />Site A has a gateway set on the IPsec interface and a route for site C that uses that gateway.<br />Site B has two gateways (one for each IPsec tunnel) and the following routes:</p>
<ul>
<li>route to site A via the IPsec interface - gateway - going to site A</li>
<li>route to site B via the IPsec interface - gateway - going to site B</li>
</ul>
<p>Site C has a gateway set on the IPsec interface and a route for site A that uses that gateway.<br />Site A was updated this morning to pfSense 2.7.1, while Site C is running 2.7.0.<br />Site A DOES NOT have the static routes added to the routing table.<br />Site C does have the static routes added to the routing table.</p>
<p>Once I reverted Site A to 2.7.0, I did the same config again and the routes were added to the routing table.</p>
<p>Thank you.</p>
pfSense - Bug #14741 (New): PHP error in DNS Forwarder host overrides when the language is set to...
https://redmine.pfsense.org/issues/14741 | 2023-09-02T10:26:29Z | Nicolas PISTER
<p>A PHP error occurs when a user tries to add or modify a Host Override in the DNS Forwarder module.</p>
<pre>
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #1 RELENG_2_7_0-n255866-686c8d3c1f0: Wed Jun 28 04:21:19 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/obj/amd64/LwYAddCr/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-REL
Crash report details:
PHP Errors:
[02-Sep-2023 11:55:24 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:37 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
[02-Sep-2023 11:58:46 Europe/Paris] PHP Fatal error: Uncaught ValueError: Unknown format specifier "p" in /usr/local/www/classes/Form/Input.class.php:127
Stack trace:
#0 /usr/local/www/classes/Form/Input.class.php(127): sprintf('Nom de domaine ...', '<br />')
#1 /usr/local/www/services_dnsmasq_edit.php(85): Form_Input->setHelp('Domain of the h...', '<br />')
#2 {main}
thrown in /usr/local/www/classes/Form/Input.class.php on line 127
</pre>
<p>I think it comes from a French translation file, because when I use the original language, everything works.</p>
pfSense - Bug #14397 (New): DHCPv4 client (dhclient) does not use 802.1p Priority tagging on DHCP...
https://redmine.pfsense.org/issues/14397 | 2023-05-19T14:52:52Z | Tue Madsen
<p>Some ISPs using VLANs for service require DHCPv4/v6 frames to be 802.1p priority tagged.<br />pfSense has the option to do this by either:</p>
<ul>
<li>setting VLAN priority tagging in the Interface DHCP options (if you are not using Advanced configuration or a predefined configuration file)</li>
<li>if using advanced configuration: adding “vlan-pcp x” in the advanced modifier options.</li>
</ul>
<p>BUG:<br />This priority setting is only used in DISCOVER and RELEASE frames sent by dhclient - NOT in RENEW or REBIND.</p>
<p>This is now causing major problems in France where Orange (Major ISP) has upgraded to also requiring the RENEW frames to be properly VLAN Priority tagged.<br />This causes the uplink to stop working when a renew is due. (About once a day)</p>
<p>I don’t know if the issue is the same in DHCPv6</p>
<p>The issue was patched in OPNsense about a month ago, and they decided to drop the advanced options overwrite of the VLAN priority setting in interface DHCP options. <br />Instead they let the user choose if VLAN priority should be used via the interface DHCP VLAN Priority setting already available. <br />If selected it would - apart from adding “vlan-pcp x” to the dhclient config - also set the priority tag in the builtin pffilter rule that passes Interface DHCP client traffic. This adds the tag to RENEW and REBIND frames.</p>
<p>The issue occurs because dhclient uses a bpf interface for DISCOVER and RELEASE - thus respecting the vlan-pcp settings. But for RENEW it uses a simple socket, and that causes it not to be tagged correctly. In pfSense you cannot create a floating match rule to manually tag the traffic that has higher priority than the builtin pass quick rule for the interface DHCP client.</p>
pfSense - Bug #14020 (New): Captive Portal breaks policy routing for allowed IP addresses with sp...
https://redmine.pfsense.org/issues/14020 | 2023-02-22T16:44:49Z | Mohammad Adnan Ataya (mohammadadnanataya@gmail.com)
<p>The topic on forum.netgate is here: (<a class="external" href="https://forum.netgate.com/topic/178194/captive-portal-blocking-allowed-ip-addresses-with-bandwidth-in-2-6-0">https://forum.netgate.com/topic/178194/captive-portal-blocking-allowed-ip-addresses-with-bandwidth-in-2-6-0</a>).</p>
<p>This bug showed since we upgraded from 2.5.2 version.</p>
<p>Problem description:<br />We have devices with static IP addresses on the allowlist in the captive portal settings. These devices can't connect to the internet, but they can reach the firewall via ping.<br />The problem occurs when I set the bandwidth up/down for the allowed IP address to bypass the captive portal without authentication. Also, the connection is not cut off immediately after the modification. It is cut off after consuming the amount of data (bytes) set for it by the two bandwidth fields in the captive portal zone's edit window. I think the limiter (up/down) works here as a quota size for this IP instead of being a speed limit for it.<br />Note: When we increase the bandwidth value, the connection lasts longer, and more packets or a larger amount of bytes pass before it is interrupted by pfSense.<br />Note 2: To fix this error temporarily, we can just open their entry in the allowed IPs list and hit the save button; then the stuck devices can communicate with the captive portal again.</p>
<p>Here is the issue:<br />When the captive portal is disabled everything is routed correctly.<br />But when I enable the captive portal, devices that are allowed to bypass the captive portal via ip address are suddenly stopped.<br />Only devices that authenticated through the captive portal are still correctly routed over WAN and connected to internet.</p>
<p>There is a similar issue about "Blocking allowed MAC addresses that need bypass Captive Portal" on this link: (<a class="external" href="https://redmine.pfsense.org/issues/13323">https://redmine.pfsense.org/issues/13323</a>)<br />and the topic is: (<a class="external" href="https://forum.netgate.com/topic/161952/captive-portal-blocking-white-listed-mac-addresses-in-2-5-0">https://forum.netgate.com/topic/161952/captive-portal-blocking-white-listed-mac-addresses-in-2-5-0</a>).</p>
pfSense - Bug #11992 (Confirmed): GRE Tunnel - Does not work with a virtual IP as endpoint
https://redmine.pfsense.org/issues/11992 | 2021-06-03T18:34:07Z | Gabriel Argentieri
<p>Hello,</p>
<p>I saw that this problem was normally solved 6 years ago, but I am hitting a problem that I did not manage to solve.</p>
<p>I have a tunnel between 2 pfSense routers:</p>
<ul>
<li>pfsenseA</li>
<li>pfsenseB</li>
</ul>
<p>On pfsenseA:<br />WAN: 172.16.0.252/24<br />GRE: local 192.168.100.1/30 / remote 192.168.100.2/30 / endpoint 172.16.0.3</p>
<p>On pfsenseB:<br />WAN: 172.16.0.3/24<br />GRE: local 192.168.100.2/30 / remote 192.168.100.1/30 / endpoint 172.16.0.252</p>
<p>GRE tunnel works, but when I create a virtual ip type CARP with the IP 172.16.0.254/24 and I modify the endpoint on the pfsenseB side, the tunnel does not go up anymore.</p>
<p>However from the WAN interface from the pfsenseB in 172.16.0.3, I can ping the 172.16.0.254.</p>
<p>Version 2.5.1</p>
<p>Thanks for your help!</p>
pfSense - Bug #9295 (New): IPv6 PD does not work with PPPOE (Server & Client)
https://redmine.pfsense.org/issues/9295 | 2019-01-29T11:51:01Z | Dirk Steingäßer
<p>Hi,</p>
<p>As I encountered, DHCPv6 with prefix delegation does not work together with the PPPoE server; vice versa, it is not possible to get a prefix on an interface where the IPv4 uplink is PPPoE.</p>
pfSense - Bug #9136 (New): IPv6 Tracking Interfaces Lose IPv6 Address in Certain Cases
https://redmine.pfsense.org/issues/9136 | 2018-11-18T17:48:07Z | Chris Linstruth
<p>IPv6 addresses assigned to inside interfaces seem to lose their assignments one by one over time upon renewal or interface reset. This seems to only occur if the time necessary to complete the renewal is more than X. It takes a couple of minutes for all of the interfaces to lose their assignments. It seems to be about one every 10 seconds. It also only appears to impact VLAN interfaces, not direct interfaces (vmnet0, igb1).</p>
<p>To test this I installed a new 2.4.4.CE VM and created WAN (vtnet1) LAN (vtnet0) and 10 VLANs on vtnet1 (vtnet1.3501 - vtnet1.3510, OPT1-OPT10).</p>
<p>LAN and OPT1-OPT10 were all configured as Static IPv4, Track Interface, WAN IPv6.</p>
<p>WAN was configured for DHCP, DHCP6, with a /56 Prefix Delegation.</p>
<p>Upon boot, all inside interfaces receive track interface assignments and everything works.</p>
<p>But if you Edit/Save WAN, All interfaces receive track interface assignments but then some inside interfaces drop their address assignments.</p>
<p>As far as I can tell, this occurs when this is logged:</p>
<p>Nov 18 23:34:01 check_reload_status updating dyndns opt9<br />Nov 18 23:34:01 kernel vlan9: changing name to 'vtnet0.3510'</p>
<p>I am rebooting again to try to watch if it reoccurs on a DHCP6 renewal. That will take some time.</p>
pfSense - Bug #9123 (Feedback): Adding/configuring vlan on ixl-devices causes aq_add_macvlan err ...
https://redmine.pfsense.org/issues/9123 | 2018-11-15T10:50:14Z | Sebastian Deuerling
<p>The actual vlan addition/configuring process is triggering the error "aq_add_macvlan err -53, aq_error 14" on ixl-devices.<br />Configuring vlans seems to work nevertheless, but saving interface configurations with vlans takes a lot of time.<br />In our setup (two igb-interfaces, two ix-interfaces, two ixl-interfaces; 25 vlans on a failover-lagg of ixl0 and igb0) saving changes to the interface configuration takes around 20 to 30 minutes. After that pfSense seems to freeze. After a reboot all vlans are working.<br />But booting also takes a lot of time: around 5 minutes in the step "Configuring VLANS...".<br />Our hardware: SYS-5018D-FN4T (Supermicro Intel Xeon D-1541 system) and X710DA2BLK (Intel X710-DA2 Dual-SFP+-PCIe-Addon-cards).<br />Further information here: <a class="external" href="https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14">https://forum.netgate.com/topic/136201/new-version-2-4-4-interface-error-aq_add_macvlan-err-53-aq_error-14/14</a></p>
pfSense - Bug #8964 (New): IPsec async cryptography advanced setting - TCP traffic not passing t...
https://redmine.pfsense.org/issues/8964 | 2018-09-27T02:25:33Z | Vladimir Lind
<p>Test setup:</p>
<p>Windows <-> SG2220 2.4.4-rel <---IPSEC---> SG3100 2.4.4-rel <-> Windows</p>
<p>IPsec (tunnel mode) with following settings:<br />P1 - mode Auto, AES128, SHA256, DH14<br />P2 - AES128GCM, no hash, PFS 14</p>
<p>ICMP between Win hosts is OK.<br />But SMB traffic is not going through with Async Crypto enabled on any side. I do see an established TCP session. When I disable async crypto, the SMB download immediately begins to flow.<br />Attached is a packet dump sniffed on the LAN of the 3100; it is a snippet of the moment when async was disabled (lines 12-15) and SMB began to work.</p>
<p>Please refer also to trouble tickets 12812 and 12864 for additional details.</p>
pfSense - Bug #8158 (New): IPv6 Track Interface issue with more than one WAN-Gateway and a number...
https://redmine.pfsense.org/issues/8158 | 2017-12-03T09:00:51Z | Ingo-Stefan Schilling (ischilling@hotmail.com)
<strong>Configuration</strong>
<ul>
<li>WAN interfaces are configured as WAN_KD and WAN_DTAG, the first is getting its configuration from a Fritz!Box, the second is directly configured to dial in via DSL-Modem.
<ul>
<li>Both WAN interfaces do get IPv4 and IPv6 configuration correctly, traffic is going via both interfaces</li>
<li>Internal interfaces called LAN_ and all interfaces are set to track their corresponding WAN_ interface, so some are connected with WAN_KD while the others are connected with WAN_DTAG.
<ul>
<li>In the attached file, you can see that only for WAN_KD the corresponding interfaces did get the IPv6 addresses.</li>
</ul></li>
</ul></li>
</ul>
<p><strong>This configuration works perfectly from time to time</strong><br />Hence I believe that it is done right. I have no idea why and under which circumstances. Most other times, the track interface functionality works only for one WAN and doesn't for the other. A reboot or something like this doesn't make a difference - the result is the same: see the attached file. Also, even if it worked in the beginning, after a while the track interface for one or the other WAN stops working and the corresponding interfaces lose their IPv6 configuration.</p>
<p>If you need specific information, configuration insights, log-file data (and which) let me know, I am happy to contribute.</p>
<p>If I am just too stupid to configure pfSense, I am happy to learn as well ;)</p>
pfSense - Bug #8089 (New): VLAN page breaks after config restore to new hardware.
https://redmine.pfsense.org/issues/8089 | 2017-11-13T11:09:13Z | Bridgetowermedia IT
<p>The VLAN interface page breaks after restoring a backup from devices using emX interfaces to devices using igbX interfaces.<br />This is rather problematic, as after the page is broken the only way to fix it is to re-image.<br />The workaround is to remove all VLAN interfaces from the configuration before backing up and restoring.</p>
<p>When the page breaks this is the error received:<br />Fatal error: Cannot redeclare vlan_inuse() (previously declared in /usr/local/www/interfaces_vlan.php:42) in /etc/inc/interfaces.inc on line 272 Call Stack: 0.0026 231112 1. {main}() /usr/local/www/interfaces_vlan.php:0 0.0027 231616 2. require_once('/usr/local/www/guiconfig.inc') /usr/local/www/interfaces_vlan.php:33 0.0029 254168 3. require_once('/etc/inc/authgui.inc') /usr/local/www/guiconfig.inc:51 0.0029 254800 4. include_once('/etc/inc/auth.inc') /etc/inc/authgui.inc:25 0.0029 255232 5. require_once('/etc/inc/config.gui.inc') /etc/inc/auth.inc:31 0.0061 279224 6. require_once('/etc/inc/notices.inc') /etc/inc/config.gui.inc:37 0.0061 279600 7. require_once('/etc/inc/functions.inc') /etc/inc/notices.inc:24 PHP ERROR: Type: 1, File: /etc/inc/interfaces.inc, Line: 272, Message: Cannot redeclare vlan_inuse() (previously declared in /usr/local/www/interfaces_vlan.php:42)</p>
<p>You can reproduce by:</p>
<p>add vlan to 8860 interface<br />backup config<br />restore config to vmware device<br />reassign interfaces as normal.<br />backup config<br />restore to 8860<br />then try and reassign interfaces,<br />get errors about non existing vlans<br />attempt to resolve vlan issue on vlan interfaces page.</p>
pfSense - Bug #7730 (New): 2.3.4_1 greX: loop detected when hit save on filter rules or interfaces
https://redmine.pfsense.org/issues/7730 | 2017-07-27T07:16:59Z | Richie M
<p>upgraded from 2.2.6<br />anytime we hit save in the GUI for interface or filter rules, even if no change was made, we start getting "Jul 25 14:50:02 <hostname> kernel: greX: loop detected" spam in dmesg/system.log. Our GRE tunnel goes down.</p>
<p>Any cluster sync activity from the Primary to Secondary also causes this issue.</p>
<p>We have to do a save on the GRE interface in the web GUI (this downs/ups the interface) and the tunnel starts working again.</p>
<pre>
Jul 25 14:50:01 hostname kernel: gre0: loop detected
Jul 25 14:50:02 hostname kernel: gre1: loop detected
Jul 25 14:50:02 hostname kernel: gre0: loop detected
Jul 25 14:50:02 hostname kernel: gre1: loop detected
Jul 25 14:50:02 hostname kernel: gre0: loop detected
Jul 25 14:50:03 hostname kernel: gre1: loop detected
Jul 25 14:50:03 hostname kernel: gre0: loop detected
Jul 25 14:50:03 hostname kernel: gre1: loop detected
</pre>
<p>Original Forum Thread: <a class="external" href="https://forum.pfsense.org/index.php?topic=134258.0">https://forum.pfsense.org/index.php?topic=134258.0</a></p>
pfSense - Feature #7521 (New): Package Updates via Mirror
https://redmine.pfsense.org/issues/7521 | 2017-05-04T20:21:52Z | Mark Olliver
<p>Since the upgrade to 2.3 systems that no longer can connect to the internet directly or via a proxy can not get updates manually.</p>
<p>This is leaving internal firewalls vulnerable to potential threats. Can we please have an option to mirror the pfSense repo and, correspondingly, an option in the system updates menu to enter a local mirror as an override.</p>
<p>By doing this we can reinstate updates for offline systems and keep them secure.</p>
<p>Thanks</p>
<p>Mark</p>
pfSense - Bug #5355 (New): on Dynamic WAN IP (DHCP Client) it takes 10 minutes before Phase1 reco...
https://redmine.pfsense.org/issues/5355 | 2015-10-29T03:37:18Z | Vitali Kari (vitali.kari@gmail.com)
<p>2.2.4-RELEASE (i386)<br />built on Sat Jul 25 19:56:41 CDT 2015<br />FreeBSD 10.1-RELEASE-p15</p>
<p>It seems that charon does not care or is not informed after the WAN IP address changes.</p>
<p>It still tries to use the old IP address and cannot bind to it.</p>
<p>I see these messages after the IP address is changed (XXX.XXX.180.28 is the old IP address):<br />Logs are in reverse order!</p>
<pre>
...
Oct 26 09:43:49 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:49 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:48 charon: 05[NET] error writing to socket: Can't assign requested address
Oct 26 09:43:48 charon: 09[NET] <con1000|3> sending packet: from XXX.XXX.180.28[500] to XXX.XXX.183.110[500] (391 bytes)
Oct 26 09:43:48 charon: 09[IKE] <con1000|3> sending retransmit 4 of request message ID 0, seq 1
Oct 26 09:43:48 charon: 09[IKE] <con1000|3> sending retransmit 4 of request message ID 0, seq 1
Oct 26 09:43:39 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:39 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:29 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:29 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:24 charon: 05[NET] error writing to socket: Can't assign requested address
Oct 26 09:43:24 charon: 09[NET] <con1000|3> sending packet: from XXX.XXX.180.28[500] to XXX.XXX.183.110[500] (391 bytes)
Oct 26 09:43:24 charon: 09[IKE] <con1000|3> sending retransmit 3 of request message ID 0, seq 1
Oct 26 09:43:24 charon: 09[IKE] <con1000|3> sending retransmit 3 of request message ID 0, seq 1
Oct 26 09:43:19 charon: 09[IKE] <con1000|2> sending DPD request
Oct 26 09:43:19 charon: 09[IKE] <con1000|2> sending DPD request
...
</pre>
<p>After a while (10 - 15 minutes) IPsec realizes that the WAN address has changed and reconnects successfully:</p>
<pre>
...
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> IKE_SA con1000[4] established between XXX.XXX.180.42[XXX]...XXX.XXX.183.110[XXX.XXX.183.110]
Oct 26 09:53:32 charon: 12[ENC] <con1000|4> received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received NAT-T (RFC 3947) vendor ID
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received NAT-T (RFC 3947) vendor ID
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received DPD vendor ID
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> received DPD vendor ID
Oct 26 09:53:32 charon: 12[ENC] <con1000|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D ]
Oct 26 09:53:32 charon: 12[NET] <con1000|4> received packet: from XXX.XXX.183.110[500] to XXX.XXX.180.42[500] (388 bytes)
Oct 26 09:53:32 charon: 12[NET] <con1000|4> sending packet: from XXX.XXX.180.42[500] to XXX.XXX.183.110[500] (391 bytes)
Oct 26 09:53:32 charon: 12[ENC] <con1000|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> initiating Aggressive Mode IKE_SA con1000[4] to XXX.XXX.183.110
Oct 26 09:53:32 charon: 12[IKE] <con1000|4> initiating Aggressive Mode IKE_SA con1000[4] to XXX.XXX.183.110
Oct 26 09:53:32 charon: 16[KNL] creating acquire job for policy XXX.XXX.180.42/32|/0 === XXX.XXX.183.110/32|/0 with reqid {2}
Oct 26 09:51:15 charon: 16[IKE] <con1000|3> establishing IKE_SA failed, peer not responding
Oct 26 09:51:15 charon: 16[IKE] <con1000|3> establishing IKE_SA failed, peer not responding
Oct 26 09:51:15 charon: 16[IKE] <con1000|3> giving up after 5 retransmits
Oct 26 09:51:15 charon: 16[IKE] <con1000|3> giving up after 5 retransmits
Oct 26 09:50:00 charon: 05[NET] error writing to socket: Can't assign requested address
...
</pre>
<p>If more debug information is needed, I can provide this.</p>
pfSense - Bug #4845 (Confirmed): CARP preemption doesn't switch to backup where connectivity betw...
https://redmine.pfsense.org/issues/4845 | 2015-07-15T22:39:20Z | Chris Buechler (cbuechler@gmail.com)
<p>Take a basic WAN and LAN setup, one CARP IP on each interface. If WAN's NIC loses link, the secondary system takes over master status on both CARP IPs, and the primary switches to backup. Instead of losing link, sever connectivity between the two while retaining the NIC's link. The secondary sees that and takes master status on all CARP IPs. But the primary doesn't switch to backup status, so you're left with dual master, and the resulting brokenness that entails.</p>
<p>This is the same behavior as FreeBSD 8.3, 10.1, 11, and OpenBSD 5.7, so just a general issue with CARP. Problematic especially in virtualization scenarios because the VM won't lose link when the hypervisor does, leaving the network broken upon loss of connectivity on one network.</p>