Bug #14524

closed

Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups

Added by Jens Groh over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Gateways
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Default
Affected Version: 2.6.x
Affected Architecture: All

Description

Running version: 23.05-plus
Affected: all? (as it's probably a UI issue)

Hi,

As this seems a clear UI issue/bug, we thought to file it directly here instead of going the normal route of creating a forum post. But as we see it in production on a customer system as well as in our testing lab, we proceeded to post it directly here.

For a customer we were trying to implement a failover IPsec tunnel via a DynDNS FQDN for the peer and a failover gateway group to set as "WAN" for that IPsec connection. To be able to create that failover, we have to select the specific VIP of the cluster but only the main VIP shows up as a selection, as only CARP style Virtual IPs are listed in the drop-down but not Aliases from those CARP VIPs. We need to be able to select one of those aliases! :)

Steps to reproduce:

  • 2x pfSense Plus 23.05 with all patches (2.7dev shows the same in testing), set up as cluster, cluster IP may be 192.0.2.5/29 & 192.0.2.6/29
  • create a CARP VIP on WAN1, e.g. 192.0.2.2
  • create an Alias on the aforementioned CARP IP (192.0.2.1) for 192.0.2.3
  • create additional Aliases like that, e.g. 192.0.2.4 (to use the whole /29 space)
  • do the same for a second WAN2, e.g. 198.51.100.1 to 198.51.100.3
  • head to System / Routing / Gateway Groups
  • create new gateway group
  • Check the Gateway priority. Set Tier 1 to WAN1's gateway, Tier 2 to WAN2's gateway
  • Now check the "Virtual IP" column: it only shows "Interface Address" and the primary VIP that was created with mode "CARP", but not the additional 2 VIPs, that are using Alias on CARP

Cross-Check:

  • edit one of those Alias VIPs from above to type "CARP" and set up correctly with a non-colliding VHID
  • check Status/CARP
  • Head back to System / Routing / Gateway Groups and edit the Failover Group
  • Check the dropdown, the newly modified CARP VIP shows up as expected, Alias'ed VIPs are still gone.

Could you please fix the selection/UI and make it possible for those "Alias'ed" CARP VIPs to show up? We'd badly need that to provide failover support for an IPsec VPN (on one IP) and for an inbound service behind the firewall (via a port forwarding) on another VIP for services. As we used the "default CARP VIP" for NAT (only), we can't currently proceed as we can't select the correct VIP for the service.

I hope we've provided everything to aid in checking for and correcting that bug. If there is any other intel needed, please advise.
Here are the production screenshots (blurred) from the situation. You can clearly see that 3 VIPs are working fine, but only the CARP style VIP shows up in the dialog.

VIP config: (screenshot: VIPs)
CARP status: (screenshot: CARP status)
Gateway Group creation: (screenshot: failover gateway configuration)

We really hope there is a simple patch that can be applied for that problem instead of having to wait for a new full release.

Thanks a lot!

Cheers
\jens (forum: jegr)


Files

clipboard-202306291539-ptjky.png (24.4 KB) VIPs Jens Groh, 06/29/2023 01:39 PM
clipboard-202306291540-1kmys.png (10.4 KB) CARP status Jens Groh, 06/29/2023 01:40 PM
clipboard-202306291541-rt60w.png (120 KB) failover gateway configuration Jens Groh, 06/29/2023 01:41 PM