Bug #11964

closed

pfBlocker XMLRPC sync CARP interface advskew

Added by Viktor Gurov almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
pfBlockerNG
Target version:
-
Start date:
05/26/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

https://forum.netgate.com/topic/163709/dns-resolver-not-listening-on-lan-carp-vip-after-update-to-2-5-1/8:

Just wanted to let you know the problem was with the pfBlocker XMLRPC sync: it is also syncing the SKEW value of the pfBlocker interface to the 2nd node, which it should not (it should remain higher than the primary, or 100 as default). Every complete reload/sync, the CARP VIP is updated with a value of 0, hence it crashes shortly after. I posted this also in the pfBlockerNG group for clarity.

advskew must be increased before syncing to the secondary node:
https://github.com/pfsense/pfsense/blob/360ed1660d8c050f9e3c05b0ce1476362a0fc4b0/src/etc/rc.filter_synchronize#L61

#1

Updated by Viktor Gurov almost 3 years ago

from https://forum.netgate.com/topic/163709/dns-resolver-not-listening-on-lan-carp-vip-after-update-to-2-5-1/7:

I tried several times disabling and re-enabling the CARP option in pfBlocker, and every time it's enabled, the main IP (not the CARP VIP!) gets "lost" - this is the ifconfig of em1:

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
...
inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
...

As you can see, the inet 0.0.0.1 should be 192.168.0.252 /24 and has NO VHID (it's not a CARP interface!) but somehow "inherits" the pfBlocker one and the pfBlocker CARP iface has the proper but same VHID (which it should). All the other CARP interfaces are fine including the .254 on the same em0.

easy to reproduce by omitting the `advskew` value,
i.e. "/sbin/ifconfig 'vtnet0' inet vhid 1 advskew advbase 1 pass '123'" ('ifconfig' issue?):

vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether 32:59:a7:d8:30:b0
        inet6 fe80::3059:a7ff:fed8:30b0%vtnet0 prefixlen 64 scopeid 0x1
        inet6 fe80::1:1%vtnet0 prefixlen 64 duplicated scopeid 0x1
        inet 192.168.88.44 netmask 0xffffff00 broadcast 192.168.88.255 vhid 1
        inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
        inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

fix:
https://github.com/pfsense/FreeBSD-ports/pull/1071
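As an added example (not part of this report, and not pfSense or pfBlockerNG code), the following POSIX sh script shows the checks a sync consumer needs around the problem above: raise advskew for the secondary before applying the VIP, refuse an empty advskew so the ifconfig command line is never built as `advskew advbase 1 ...`, and scan ifconfig output for the `inet 0.0.0.1 ... vhid` symptom. The "+100, capped at 254" rule is an assumption that reproduces the 100 observed in #4 for a primary at the default 0; the real rule is the one in rc.filter_synchronize. The sample ifconfig output is a constructed copy of the vtnet0 listing in this comment.

```shell
#!/bin/sh
# Added example, not pfSense/pfBlockerNG code. Checks around the CARP
# advskew sync problem described in this report.
#
# Assumption: the secondary gets primary advskew + 100, capped at the
# CARP maximum of 254. Comment #4 shows 100 on the secondary for a
# primary left at the default 0, which this rule reproduces; the real
# rule lives in rc.filter_synchronize.

is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# secondary_advskew PRIMARY_SKEW: print the advskew to apply on the
# secondary node. A missing or non-numeric primary value is treated as 0.
secondary_advskew() {
    primary="${1:-0}"
    is_uint "$primary" || primary=0
    skew=$((primary + 100))
    [ "$skew" -gt 254 ] && skew=254
    printf '%s\n' "$skew"
}

# carp_vip_args IFACE ADDRESS NETMASK VHID ADVSKEW PASSWORD: print the
# argument list for /sbin/ifconfig, or return 1 when a field is missing
# or out of range. An empty ADVSKEW is rejected on purpose: passed
# through, it yields "advskew advbase 1 ..." and ifconfig takes the
# next token as the skew value, which is the repro in comment #1.
carp_vip_args() {
    iface="$1"; addr="$2"; mask="$3"; vhid="$4"; skew="$5"; pass="$6"
    [ -n "$iface" ] && [ -n "$addr" ] && [ -n "$mask" ] && [ -n "$pass" ] || return 1
    is_uint "$vhid" && [ "$vhid" -ge 1 ] && [ "$vhid" -le 255 ] || return 1
    is_uint "$skew" && [ "$skew" -le 254 ] || return 1
    printf '%s inet %s netmask %s vhid %s advskew %s advbase 1 pass %s\n' \
        "$iface" "$addr" "$mask" "$vhid" "$skew" "$pass"
}

# find_bogus_vip: read ifconfig output on stdin and print "IFACE vhid N"
# for every "inet 0.0.0.1" address that carries a vhid, the symptom
# reported above. Prints nothing when the output is clean.
find_bogus_vip() {
    awk '
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $2 == "0.0.0.1" {
            for (i = 3; i <= NF; i++)
                if ($i == "vhid") print iface, "vhid", $(i + 1)
        }
    '
}

# Constructed sample: a copy of the vtnet0 output from comment #1.
SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        inet 192.168.88.44 netmask 0xffffff00 broadcast 192.168.88.255 vhid 1
        inet 0.0.0.1 netmask 0xff000000 broadcast 0.255.255.255 vhid 1
        inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed sample of a healthy secondary after a correct sync.
SAMPLE_IFCONFIG_OK='vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.88.45 netmask 0xffffff00 broadcast 192.168.88.255
        inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100'

# Stand-alone demo.
echo "secondary advskew for primary 0: $(secondary_advskew 0)"
carp_vip_args vtnet0 10.10.10.1 255.255.255.255 1 "$(secondary_advskew 0)" 123
carp_vip_args vtnet0 10.10.10.1 255.255.255.255 1 "" 123 || echo "rejected: empty advskew"
printf '%s\n' "$SAMPLE_IFCONFIG" | find_bogus_vip
```

On a live node, `ifconfig | find_bogus_vip` (after sourcing the script) is a quick way to tell whether a sync has already pushed a broken VIP, and `secondary_advskew` is the value to compare against the `carp:` line of the backup.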

#2

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Pull Request Review

#3

Updated by Renato Botelho over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

#4

Updated by Azamat Khakimyanov over 2 years ago

  • Status changed from Feedback to Resolved

Tested on 21.05.2 and on 22.01-DEVELOPMENT (built on Sat Dec 04 06:21:33 UTC 2021)

With 'Enable Sync: Sync to host(s) defined below', DNSBL's CARP VIP (10.10.10.1/32) was synced to the Secondary node with the correct 'advskew: 100'.

I'll mark this Bug as resolved.
