Bug #11964

pfBlocker XMLRPC sync CARP interface advskew

Added by Viktor Gurov 22 days ago. Updated 21 days ago.

Status: Pull Request Review
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 05/26/2021
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

https://forum.netgate.com/topic/163709/dns-resolver-not-listening-on-lan-carp-vip-after-update-to-2-5-1/8:

Just wanted to let you know the problem was with the pfBlocker XMLRPC SYNC: it is also synching the SKEW value of the
pfBlocker interface to the 2nd node which it should not (should remain more than the primary or 100 as default). Every 
complete reload/sync the CARP VIP is updated with a value of 0 hence it crashes shortly after. I posted this also in the 
pfBlockerNG group for clarity.

advskew must be increased before sync to the secondary node:
https://github.com/pfsense/pfsense/blob/360ed1660d8c050f9e3c05b0ce1476362a0fc4b0/src/etc/rc.filter_synchronize#L61

History

#1 Updated by Viktor Gurov 21 days ago

from https://forum.netgate.com/topic/163709/dns-resolver-not-listening-on-lan-carp-vip-after-update-to-2-5-1/7:

I tried several times disabling and re-enabling the CARP option in pfBlocker and every time it's enabled, the main IP (not the CARP VIP!) gets "lost" - this is the ifconfig of em1:

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
...
inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
...

As you can see, the inet 0.0.0.1 should be 192.168.0.252 /24 and has NO VHID (it's not a CARP interface!) but somehow "inherits" the pfBlocker one and the pfBlocker CARP iface has the proper but same VHID (which it should). All the other CARP interfaces are fine including the .254 on the same em0.

easy to reproduce by omitting `advskew` value,
i.e. "/sbin/ifconfig 'vtnet0' inet vhid 1 advskew advbase 1 pass '123'" ('ifconfig' issue?):

vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether 32:59:a7:d8:30:b0
        inet6 fe80::3059:a7ff:fed8:30b0%vtnet0 prefixlen 64 scopeid 0x1
        inet6 fe80::1:1%vtnet0 prefixlen 64 duplicated scopeid 0x1
        inet 192.168.88.44 netmask 0xffffff00 broadcast 192.168.88.255 vhid 1
        inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
        inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

fix:
https://github.com/pfsense/FreeBSD-ports/pull/1071
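
The two guards this report points at, as an added example that is not pfSense or pfBlockerNG code: raise advskew before the values go to the secondary node, and refuse to build the ifconfig command when a numeric CARP field is empty. The function names, the +100 offset and the cap at 254 are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not pfSense/pfBlockerNG code. Function names, the +100
# offset and the cap at 254 are assumptions made for this illustration.

# is_uint VALUE MIN MAX: true only for a non-empty decimal integer in range.
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-digit, or leading zero
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# secondary_advskew PRIMARY_SKEW: skew to send to the secondary node so it
# stays higher than the primary's (assumed offset 100, capped at 254).
secondary_advskew() {
    is_uint "$1" 0 254 || return 1
    skew=$(( $1 + 100 ))
    [ "$skew" -gt 254 ] && skew=254
    echo "$skew"
}

# carp_ifconfig_cmd IFACE VHID ADVSKEW ADVBASE PASS: print the ifconfig
# command, or fail when a field is empty or out of range. With an empty
# ADVSKEW the keyword "advskew" would be followed directly by "advbase",
# which is the reproduction command quoted in the report above.
carp_ifconfig_cmd() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) echo "bad interface: '$1'" >&2; return 1 ;;
    esac
    case "$5" in
        *\'*) echo "bad pass: contains a single quote" >&2; return 1 ;;
    esac
    is_uint "$2" 1 255 || { echo "bad vhid: '$2'" >&2; return 1; }
    is_uint "$3" 0 254 || { echo "bad advskew: '$3'" >&2; return 1; }
    is_uint "$4" 1 255 || { echo "bad advbase: '$4'" >&2; return 1; }
    echo "/sbin/ifconfig '$1' inet vhid $2 advskew $3 advbase $4 pass '$5'"
}
```
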

#2 Updated by Jim Pingle 21 days ago

  • Status changed from New to Pull Request Review
