Project

General

Profile

Actions

Bug #14524

closed

Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups

Added by Jens Groh 11 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Gateways
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
2.6.x
Affected Architecture:
All

Description

Running version: 23.05-plus
Affected: all? (as it's probably a UI issue)

Hi,

As this seems a clear UI issue/bug, we thought to file it directly here instead of going the normal route of creating a forum post. But as we see it in production on a customer system as well as in our testing lab, we proceeded to post it directly here.

For a customer we were trying to implement a failover IPsec tunnel via a DynDNS FQDN for the peer and a failover gateway group to set as "WAN" for that IPsec connection. To be able to create that failover, we have to select the specific VIP of the cluster but only the main VIP shows up as selection, as only CARP style Virtual IPs are listen in the drop down but not Aliases from those CARP VIPs. We need to be able to select one of those aliases! :)

Steps to reproduce:

  • 2x pfSense Plus 23.05 with all patches (2.7dev shows the same in testing), set up as cluster, cluster IP may be 192.0.2.5/29 & 192.0.2.6/29
  • create a CARP VIP on WAN1, e.g. 192.0.2.2
  • create an Alias on the beforementioned CARP IP (192.0.2.1) for 192.0.2.3
  • create additional Aliases like that, e.g. 192.0.2.4 (to use the whole /29 space)
  • do the same for a second WAN2, e.g. 198.51.100.1 to 198.51.100.3
  • head to System / Routing / Gateway Groups
  • create new gateway group
  • Check the Gateway priority. Set Tier 1 to WAN1's gateway, Tier 2 to WAN2's gateway
  • Now check the "Virtual IP" column: it only shows "Interface Address" and the primary VIP that was created with mode "CARP", but not the additional 2 VIPs, that are using Alias on CARP

Cross-Check:

  • edit one of those Alias VIPs from above to type "CARP" and set up correctly with a non-colliding VHID
  • check Status/CARP
  • Head back to System / Routing / Gateway Groups and edit the Failover Group
  • Check the dropdown, the newly modified CARP VIP shows up as expected, Alias'ed VIPs are still gone.

Could you please fix the selection/UI and make it possible for those "Alias'ed" CARP VIPs to show up? We'd badly need that to provide failover support for a IPsec VPN (on one IP) and for an inbound service behind the firewall (via a port forwarding) on another VIP for services. As we used the "default CARP VIP" for NAT (only), we can't currently proceed as we can't select the correct VIP for the service.

I hope we've provided everything to aid in checking for and correcting that bug, if there is any other intel needed, please avise.
Here are the production screen shots (blurred) from the situation. You can clearly see, that 3 VIPs are working fine, but only the CARP style VIP shows up in the dialog.

VIP config:
VIPs
CARP status:
CARP status
Gateway Group creation:
failover gateway configuration

We really hope there is a simple patch that can be applied for that problem instead having to wait for a new full release.

Thanks a lot!

Cheers
\jens (forum: jegr)


Files

clipboard-202306291539-ptjky.png (24.4 KB) clipboard-202306291539-ptjky.png VIPs Jens Groh, 06/29/2023 01:39 PM
clipboard-202306291540-1kmys.png (10.4 KB) clipboard-202306291540-1kmys.png CARP status Jens Groh, 06/29/2023 01:40 PM
clipboard-202306291541-rt60w.png (120 KB) clipboard-202306291541-rt60w.png failover gateway configuration Jens Groh, 06/29/2023 01:41 PM
Actions #2

Updated by Jens Groh 11 months ago

I made a small patch against the current stable (CE) repository.

Problem most certainly stems from util.inc (https://github.com/pfsense/pfsense/blob/master/src/etc/inc/util.inc) and will thus be present in either CE and Plus versions.

I think I identified the problem in build_vip_list() or better said in the selection of get_configured_vip_list() below the list function. The problem seems to stem from get_configured_vip_interface which calls get_configured_vip_detail which should reporting back the correct interface (WAN, etc). But for the Alias-on-CARP it reports the uniqid of the parent VIP (_vip<ID>) so the IF clause in function build_vip_list() filters it out - wrongly so - instead of checking the parent for selection.

I did a small quick an dirty patch to circumvent that with an additional "else"-clause in build_vip_list():

function build_vip_list($fif, $family = "all") {
        $list = array('address' => gettext('Interface Address'));

        $viplist = get_configured_vip_list($family);
        foreach ($viplist as $vip => $address) {
                if ($fif == get_configured_vip_interface($vip)) {
                        $list[$vip] = "$address";
                        if (get_vip_descr($address)) {
                                $list[$vip] .= " (". get_vip_descr($address) .")";
                        }
                }
                else { // MODIFICATION START
                        // only check Alias VIPs on CARP that return _vip* instead of an interface description
                        $parentif = get_configured_vip_interface($vip);
                        if (str_starts_with($parentif, "_vip")) {
                                if ($fif == get_configured_vip_interface($parentif)) {
                                        $list[$vip] = "$address";
                                        if (get_vip_descr($address)) {
                                                $list[$vip] .= " (". get_vip_descr($address) .")";
                                        }
                                }
                        }
                } // MODIFICATION END
        }

        return($list);
}

My clause only triggers, if the return value of the run is a String that starts with "_vip" thus indicating, that it is a "alias-on-carp" situation, as other VIPs are already filtered out by not being able to have VIPs (so no "other" and "Proxy ARP" types are present). So if the return value doesn't match the "$fif" (friendly interface name) it's checked once again, if it returns a "_vip<ID>" type string and this string is checked again for its parent. If the parent then matches the $fif before, then it's listed in the dropdown, otherwise the filter cuts it out. Perhaps there's a finer solution ;) but this seems to work right now in my lab environment, letting me select the needed Alias VIP and saving it correctly in the corresponding gateway group with the correct identifier.

Would also provide a pull request if needed!

Cheers
\jens

Actions #3

Updated by Jens Groh 11 months ago

Just wanted to add that the fix is working in a production setting on a customer's box running with multiple VIPs and updating DynDNS names according to the configured failover groups without a hitch. hopefully this can either be integrated or somehow incorporated in a "better"/cleaner way?

Actions #4

Updated by Jim Pingle 11 months ago

  • Target version set to 2.8.0
  • Plus Target Version set to 23.09

Can you submit that change as a pull request on Github?

https://docs.netgate.com/pfsense/en/latest/development/pull-request.html

Actions #5

Updated by Jens Groh 11 months ago

Will gladly try to send that in as a pull tomorrow.

Actions #6

Updated by Jens Groh 11 months ago

Actions #7

Updated by Jim Pingle 11 months ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle

PR merged, thanks!

Actions #8

Updated by Anonymous 11 months ago

  • % Done changed from 0 to 100
Actions #9

Updated by Danilo Zrenjanin 10 months ago

  • Status changed from Feedback to Resolved

I have conducted tests on both versions 23.05 and 23.05.1 and can confirm that the patch is functioning properly as anticipated.

Ticket resolved.

Actions #10

Updated by Jim Pingle 9 months ago

  • Subject changed from Gateway Groups: Selection of CARP Aliases as Virtual IP not possible to Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups

Updating subject for release notes.

Actions #11

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1
Actions

Also available in: Atom PDF