Bug #14661
closed
``dpinger`` can unintentionally choose an IPv6 VIP for a monitoring source
Description
Hello,
We have a pfSense cluster running with CARP and IPv6.
We noticed that dpinger uses the CARP IP address as the source address on IPv6 only; with IPv4, dpinger uses the IP address from the interface and works as expected.
The backup node is not able to ping the desired gateways.
Updated by Jim Pingle almost 2 years ago
- Subject changed from Dpinger uses CARP IP with IPv6 to ``dpinger`` can unintentionally choose an IPv6 VIP for a monitoring source
- Category changed from CARP to Gateway Monitoring
- Status changed from New to Feedback
I can't reproduce this here, ``dpinger`` is using the interface IPv6 address as expected. In the ``dpinger`` command line and also confirmed by packet capture.
That said, there are other cases where this has happened unpredictably (making it difficult to reproduce). See #14646 for a recent example, and #14392 which may also be similar.
It's worth checking the code around there to see if it may be using similar methods which might need adjusting.
It would help to know a couple things, though:
1. If you look at the process list (``ps uxaww | grep dpinger``) -- does the ``dpinger`` command for your IPv6 gateway show it using the VIP or the interface address?
2. If you look at Diagnostics > States and filter on the monitor IP address, what does the state look like? Does it show any NAT involved?
3. Do you have any NPt, outbound NAT, 1:1 NAT, or other NAT rules which may be causing the outbound ICMP6 traffic to be translated to the CARP VIP?
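Added example, not part of the ticket or of pfSense: a shell check for question 1 that compares each ``dpinger`` bind address with the addresses ``ifconfig`` marks as CARP VIPs. It assumes ``dpinger`` receives its source with ``-B`` and its gateway name with ``-i``, and that ``ifconfig`` tags CARP addresses with ``vhid N``; the sample data and gateway names are constructed.

```sh
#!/bin/sh
# Constructed sample data (not from the ticket); documentation address ranges only.
sample_ps='root 101 0.0 0.1 17000 2800 - Is 10:00 0:00.10 /usr/local/bin/dpinger -S -r 0 -i WANGW6 -B 2001:db8:1::1 2001:db8:1::fe
root 102 0.0 0.1 17000 2800 - Is 10:00 0:00.10 /usr/local/bin/dpinger -S -r 0 -i WANGW -B 192.0.2.2 192.0.2.1
root 103 0.0 0.0 12000 2000 0 S+ 10:01 0:00.00 grep dpinger'
sample_ifconfig='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    inet6 fe80::1%igb0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1::2 prefixlen 64
    inet6 2001:db8:1::1 prefixlen 64 vhid 2'

# Read ifconfig output on stdin; print each address carrying a CARP vhid.
carp_vips() {
    awk '($1 == "inet" || $1 == "inet6") && / vhid [0-9]+/ {
        sub(/%.*/, "", $2)   # drop any %scope suffix
        print $2
    }'
}

# Read ps output on stdin; print "identifier bind_addr" per dpinger process.
dpinger_binds() {
    awk '/dpinger/ && !/grep/ {
        id = "-"; bind = "-"
        for (i = 1; i < NF; i++) {
            if ($i == "-i") id = $(i + 1)
            if ($i == "-B") bind = $(i + 1)
        }
        print id, bind
    }'
}

# check_dpinger PS_TEXT IFCONFIG_TEXT
# Prints "VIP <gw> <addr>" or "ok <gw> <addr>"; returns 1 if any monitor binds to a VIP.
check_dpinger() {
    vips=$(printf '%s\n' "$2" | carp_vips)
    binds=$(printf '%s\n' "$1" | dpinger_binds)
    rc=0
    while read -r id bind; do
        [ -n "$bind" ] && [ "$bind" != "-" ] || continue
        if printf '%s\n' "$vips" | grep -qxF -- "$bind"; then
            echo "VIP $id $bind"; rc=1
        else
            echo "ok $id $bind"
        fi
    done <<EOF
$binds
EOF
    return $rc
}

check_dpinger "$sample_ps" "$sample_ifconfig" || echo "at least one monitor is bound to a CARP VIP"
```

On a live node, pass ``"$(ps uxaww)"`` and ``"$(ifconfig)"`` instead of the samples. Addresses are compared as exact strings, so both sources must print an address in the same textual form.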
Updated by Hannes Scherbichler almost 2 years ago
- File 2023-08-08_14-49-23.png added
In that screenshot you can see that dpinger is using the CARP IP on an IPv6 gateway.
And this happens with all IPv6 gateways.