From: Alejandro Imass
Date: Tue, 28 May 2024 10:28:53 +0200
Subject: Cannot connect to master IPs from CARP backup
To: FreeBSD Questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi,

I have a CARP setup which works as expected except that from the backup server, it is impossible to connect to VIPs on the master. I have read several similar threads:

https://www.reddit.com/r/PFSENSE/comments/15s6e8j/carp_backup_node_unable_to_ping_vips/
https://forums.freebsd.org/threads/carp-problem-ping-only-works-from-the-master-itself.14986/
https://forums.freebsd.org/threads/pf-carp-cant-ping-vip.6039/

My situation is specifically:

- CARP works, and failover works
- I can ping the master VIP from any other server on the LAN
- Ping only fails from inside the backup server, if and only if the backup IPs are up in backup state

My configuration is based on jails:

  ip6 = disable;
  interface = em1;
  ip4.addr = 10.77.3.11/22;
  ip4.addr += "10.77.0.100/22 vhid 10 advbase 1 advskew 100 pass yuca";
  ip4.addr += "10.77.0.101/22 vhid 138 advbase 1 advskew 100 pass yuca";

I do notice a warning each time saying this:

  invalid netmask '/22 vhid 138 advbase 1 advskew 0 pass yuca'

I'm using Bastille jails and haven't looked deeply into the error above because ifconfig shows the interface properly configured. But perhaps this is an important clue?

I have tried /32 netmask, broadcast to the specific CARP IPs, promiscuous mode and almost anything I can think of, and in every combination CARP seems to work fine except for this one issue where I cannot connect to the VIPs from the backup whilst in backup mode.

I have tcp dumped arp traffic and the arp tables everywhere seem correct, even in the backup server, with and without the VIPs active on the backup.

Here is one additional clue, and I'm not sure if this is relevant. When I use CARP alias in the jails as specified above, and I run PostgreSQL with listen * then I notice that it binds to *:5432 on the base host and not on the specific jail IPs like a normal jail would do if I did not use the alias. It has made me wonder if something Bastille does is conflicting with the CARP aliases I am setting up above. But since everything else works as expected I really haven't delved deep into what Bastille does for NIC aliases.

Version is 14.0-RELEASE standard kernel and everything else is pretty standard.

Any help or ideas greatly appreciated!!

Best,

-- 
Alex