pfBlocker XMLRPC sync CARP interface advskew
Just wanted to let you know the problem was with the pfBlocker XMLRPC SYNC: it is also syncing the SKEW value of the pfBlocker interface to the 2nd node, which it should not (it should remain higher than the primary, or 100 as default). On every complete reload/sync the CARP VIP is updated with a value of 0, hence it crashes shortly after. I posted this also in the pfBlockerNG group for clarity.
advskew must be increased before sync to the secondary node:
Updated by Viktor Gurov 8 months ago
I tried several times disabling and re-enabling the CARP option in pfBlocker, and every time it's enabled, the main IP (not the CARP VIP!) gets "lost" - this is the ifconfig of em1:
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
As you can see, the inet 0.0.0.1 should be 192.168.0.252 /24 and has NO VHID (it's not a CARP interface!) but somehow "inherits" the pfBlocker one and the pfBlocker CARP iface has the proper but same VHID (which it should). All the other CARP interfaces are fine including the .254 on the same em0.
Easy to reproduce by omitting the `advskew` value,
i.e. "/sbin/ifconfig 'vtnet0' inet vhid 1 advskew advbase 1 pass '123'" ('ifconfig' issue?):
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: LAN
    options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
    ether 32:59:a7:d8:30:b0
    inet6 fe80::3059:a7ff:fed8:30b0%vtnet0 prefixlen 64 scopeid 0x1
    inet6 fe80::1:1%vtnet0 prefixlen 64 duplicated scopeid 0x1
    inet 192.168.88.44 netmask 0xffffff00 broadcast 192.168.88.255 vhid 1
    inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
    inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
    media: Ethernet 10Gbase-T <full-duplex>
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
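The two failure modes discussed in this ticket, an empty `advskew` producing a malformed ifconfig call (where `advbase` is swallowed as the skew value) and a secondary node ending up with `advskew 0` after sync, can both be caught before the command runs and spotted afterwards in ifconfig output. The POSIX shell below is an added example written for this page; it is not pfSense or pfBlockerNG code. The `primary`/`secondary` role names, the choice of 100 as the secondary default, the omission of the `pass` argument and the embedded ifconfig sample are all assumptions constructed for the example; the functions only print, they never call ifconfig.

```sh
#!/bin/sh
# Added example, not pfSense/pfBlockerNG code.

# is_uint VALUE MAX -> success if VALUE is an unsigned integer <= MAX
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$2" ]
}

# carp_ifconfig_args IFACE VHID ADVSKEW ROLE
# Prints the argument string that would be handed to ifconfig, or prints
# nothing and returns 1. An empty ADVSKEW is never passed through: on the
# secondary it defaults to 100 (assumed default), on the primary to 0.
carp_ifconfig_args() {
    iface=$1 vhid=$2 advskew=$3 role=$4
    if ! is_uint "$vhid" 255 || [ "$vhid" -lt 1 ]; then
        echo "invalid vhid: '$vhid' (1-255)" >&2; return 1
    fi
    if [ -z "$advskew" ]; then
        case "$role" in
            secondary) advskew=100 ;;
            primary)   advskew=0 ;;
            *) echo "unknown role: '$role'" >&2; return 1 ;;
        esac
    fi
    # Rejects non-numeric values such as a stray "advbase" token.
    is_uint "$advskew" 254 || { echo "invalid advskew: '$advskew' (0-254)" >&2; return 1; }
    # The secondary must advertise a higher skew than the primary, otherwise
    # both nodes fight for MASTER on the same VHID after every sync.
    if [ "$role" = secondary ] && [ "$advskew" -eq 0 ]; then
        echo "secondary advskew must be greater than 0" >&2; return 1
    fi
    printf '%s inet vhid %s advskew %s advbase 1\n' "$iface" "$vhid" "$advskew"
}

# find_bogus_carp_inet < ifconfig-output
# Prints "inet 0.0.0.1 ... vhid N" lines: the symptom of a mangled CARP call.
find_bogus_carp_inet() {
    awk '/^[[:space:]]*inet 0\.0\.0\.1 / && /vhid/'
}

# Constructed sample modelled on the output shown in this ticket.
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.88.44 netmask 0xffffff00 broadcast 192.168.88.255 vhid 1
    inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
    inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0'

# Stand-alone demonstration.
carp_ifconfig_args vtnet0 1 '' secondary
printf '%s\n' "$SAMPLE_IFCONFIG" | find_bogus_carp_inet
```

Running the script prints the safe argument string for the secondary (`advskew 100`) and then the single bogus `inet 0.0.0.1` line from the sample; feeding the same sample a check like `find_bogus_carp_inet` on each node after a sync is a cheap way to notice the regression before CARP flaps.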
Updated by Azamat Khakimyanov about 2 months ago
- Status changed from Feedback to Resolved
Tested on 21.05.2 and on 22.01-DEVELOPMENT (built on Sat Dec 04 06:21:33 UTC 2021)
With 'Enable Sync: Sync to host(s) defined below', the DNSBL CARP VIP (10.10.10.1/32) was synced to the Secondary node with the correct 'advskew: 100'.
I'll mark this Bug as resolved.