


Topics - viragomann

1
Deutsch / [Solved] Wake on LAN from the shell
« on: June 09, 2016, 07:58:27 am »
Does anyone know how to wake other machines from the shell?

From the help output of the wol command I pieced together the line
Code:
wol -i <Host-IP-Adresse> <Host-MAC-Adress>

The command is accepted without complaint and acknowledged with
Code:
Waking up <Host-MAC-Adresse>...

but it does not bring any of my machines to life. :(

Incidentally, the command is also accepted if you leave out the -i option together with the IP address, although pfSense then cannot know on which interface it should send out the magic packet. The command does not provide for specifying the interface itself, as the GUI does.
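An added example (editor's code, not from the thread and not part of pfSense or the wol utility) showing what a wake-on-LAN magic packet actually is and how it reaches a switched-off machine: 6 bytes of 0xFF followed by the target MAC repeated 16 times, carried in a UDP datagram sent to the broadcast address of the target's subnet. The broadcast is the point that usually goes wrong: a powered-off host cannot answer ARP, so a datagram unicast to its own IP never leaves the sender's ARP queue, whereas a directed broadcast is delivered to every port of the segment and the NIC matches the pattern itself. The destination port (9) and the sample MAC and broadcast address are assumptions; the validator is included so a packet capture can be checked for well-formed magic packets.

```python
import re
import socket

# A magic packet: 6 sync bytes of 0xFF, then the target MAC repeated 16 times (102 bytes).
SYNC_STREAM = b"\xff" * 6
WOL_PORT = 9  # assumption: the conventional "discard" port; some tools use 7 instead


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet payload for the given MAC."""
    return SYNC_STREAM + parse_mac(mac) * 16


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """True if payload is a well-formed magic packet addressed to mac.
    A trailing SecureOn password (4 or 6 bytes) is tolerated, so only the first 102 bytes count."""
    if len(payload) < 102 or payload[:6] != SYNC_STREAM:
        return False
    return payload[6:102] == parse_mac(mac) * 16


def send_magic_packet(mac: str, broadcast_addr: str, port: int = WOL_PORT) -> int:
    """Send the packet as a directed broadcast on the target's subnet; returns bytes sent.
    broadcast_addr must be the subnet's broadcast address (e.g. 192.168.1.255), not the
    sleeping host's own address: a host that is off cannot answer ARP for a unicast."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast_addr, port))


if __name__ == "__main__":
    # constructed sample values; replace with the real MAC and the subnet's broadcast address
    sent = send_magic_packet("00:11:22:33:44:55", "192.168.1.255")
    print(f"sent {sent} bytes")
```

On a multi-homed box such as a firewall, the broadcast address also decides the egress interface: the kernel routes 192.168.1.255 out of the interface that owns 192.168.1.0/24, which is how the "which interface" question from the post is answered without an explicit interface option.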

2
Hi,

I have a problem with my remote access OpenVPN servers after upgrading to 2.3.1 from 2.3. The OpenVPN daemon fails at firewall boot-up for 1 or 2 of my 3 OpenVPN servers running on the WAN address, ports 1194 - 1196. As a result the server status and connections cannot be monitored. See attached picture below.

In the openvpn.log I get the message
Code:
TCP/UDP: Socket bind failed on local address [AF_INET]<WAN address>:1196: Address already in use
The server is up anyway and accepts connections. In the log I also find
Code:
UDPv4 link local (bound): [AF_INET]<WAN address>:1196
But I can't see the server status and connected clients.

The box is part of an HA system in CARP mode; the other one is still at 2.2.6 and held master each time I rebooted this one.

If I disable all VPN servers before rebooting pfSense and enable them again afterwards, everything works properly.

Does anybody have an idea how this could be resolved?

Here is the full openvpn.log of a firewall boot up:
Code:
May 20 12:38:12 firewall2 openvpn[3046]: event_wait : Interrupted system call (code=4)
May 20 12:38:12 firewall2 openvpn[3046]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 10.0.41.1 10.0.41.2 init
May 20 12:38:12 firewall2 openvpn[3046]: SIGTERM[hard,] received, process exiting
May 20 12:38:13 firewall2 openvpn[10019]: event_wait : Interrupted system call (code=4)
May 20 12:38:13 firewall2 openvpn[10019]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1558 10.0.42.1 10.0.42.2 init
May 20 12:38:13 firewall2 openvpn[10019]: SIGTERM[hard,] received, process exiting
May 20 12:38:13 firewall2 openvpn[31277]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:38:13 firewall2 openvpn[31277]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:38:13 firewall2 openvpn[32944]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:38:13 firewall2 openvpn[32944]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
May 20 12:38:13 firewall2 openvpn[32944]: TUN/TAP device ovpns1 exists previously, keep at program end
May 20 12:38:13 firewall2 openvpn[32944]: TUN/TAP device /dev/tun1 opened
May 20 12:38:13 firewall2 openvpn[32944]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:38:13 firewall2 openvpn[32944]: /sbin/ifconfig ovpns1 10.0.41.1 10.0.41.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:38:13 firewall2 openvpn[32944]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.41.1 10.0.41.2 init
May 20 12:38:13 firewall2 openvpn[32944]: UDPv4 link local (bound): [AF_INET]<WAN address>:1194
May 20 12:38:13 firewall2 openvpn[32944]: UDPv4 link remote: [undef]
May 20 12:38:13 firewall2 openvpn[32944]: Initialization Sequence Completed
May 20 12:38:13 firewall2 openvpn[12163]: event_wait : Interrupted system call (code=4)
May 20 12:38:13 firewall2 openvpn[12163]: /usr/local/sbin/ovpn-linkdown ovpns3 1500 1558 10.0.43.1 10.0.43.2 init
May 20 12:38:13 firewall2 openvpn[34223]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:38:13 firewall2 openvpn[34223]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:38:13 firewall2 openvpn[35124]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:38:13 firewall2 openvpn[12163]: SIGTERM[hard,] received, process exiting
May 20 12:38:13 firewall2 openvpn[35124]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
May 20 12:38:13 firewall2 openvpn[35124]: TUN/TAP device ovpns2 exists previously, keep at program end
May 20 12:38:13 firewall2 openvpn[35124]: TUN/TAP device /dev/tun2 opened
May 20 12:38:13 firewall2 openvpn[35124]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:38:13 firewall2 openvpn[35124]: /sbin/ifconfig ovpns2 10.0.42.1 10.0.42.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:38:13 firewall2 openvpn[35124]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1558 10.0.42.1 10.0.42.2 init
May 20 12:38:13 firewall2 openvpn[35124]: UDPv4 link local (bound): [AF_INET]<WAN address>:1195
May 20 12:38:13 firewall2 openvpn[35124]: UDPv4 link remote: [undef]
May 20 12:38:13 firewall2 openvpn[35124]: Initialization Sequence Completed
May 20 12:38:13 firewall2 openvpn[36863]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:38:13 firewall2 openvpn[36863]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:38:13 firewall2 openvpn[36867]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:38:13 firewall2 openvpn[36867]: Control Channel Authentication: using '/var/etc/openvpn/server3.tls-auth' as a OpenVPN static key file
May 20 12:38:13 firewall2 openvpn[36867]: TUN/TAP device ovpns3 exists previously, keep at program end
May 20 12:38:13 firewall2 openvpn[36867]: TUN/TAP device /dev/tun3 opened
May 20 12:38:13 firewall2 openvpn[36867]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:38:13 firewall2 openvpn[36867]: /sbin/ifconfig ovpns3 10.0.43.1 10.0.43.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:38:13 firewall2 openvpn[36867]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1558 10.0.43.1 10.0.43.2 init
May 20 12:38:13 firewall2 openvpn[36867]: UDPv4 link local (bound): [AF_INET]<WAN address>:1196
May 20 12:38:13 firewall2 openvpn[36867]: UDPv4 link remote: [undef]
May 20 12:38:13 firewall2 openvpn[36867]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[24631]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[24631]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[23894]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[23212]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[23212]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[23894]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[25862]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[25389]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[25200]: OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
May 20 12:44:42 firewall2 openvpn[25389]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[25862]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[25200]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
May 20 12:44:42 firewall2 openvpn[27205]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27205]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:44:42 firewall2 openvpn[27768]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27768]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:44:42 firewall2 openvpn[27392]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27392]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:44:42 firewall2 openvpn[27445]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27445]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:44:42 firewall2 openvpn[28060]: MANAGEMENT: Socket bind[5] failed on unix domain socket /var/etc/openvpn/server2.sock: Address already in use
May 20 12:44:42 firewall2 openvpn[28060]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27497]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27497]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 20 12:44:42 firewall2 openvpn[27205]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
May 20 12:44:42 firewall2 openvpn[27445]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
May 20 12:44:42 firewall2 openvpn[27768]: Control Channel Authentication: using '/var/etc/openvpn/server3.tls-auth' as a OpenVPN static key file
May 20 12:44:42 firewall2 openvpn[27205]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27445]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27205]: TUN/TAP device ovpns1 exists previously, keep at program end
May 20 12:44:42 firewall2 openvpn[27768]: Could not retrieve default gateway from route socket:: No such process (errno=3)
May 20 12:44:42 firewall2 openvpn[27445]: TUN/TAP device ovpns2 exists previously, keep at program end
May 20 12:44:42 firewall2 openvpn[27205]: TUN/TAP device /dev/tun1 opened
May 20 12:44:42 firewall2 openvpn[27205]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
May 20 12:44:42 firewall2 openvpn[27768]: TUN/TAP device ovpns3 exists previously, keep at program end
May 20 12:44:42 firewall2 openvpn[27205]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:44:42 firewall2 openvpn[27445]: TUN/TAP device /dev/tun2 opened
May 20 12:44:42 firewall2 openvpn[27445]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
May 20 12:44:42 firewall2 openvpn[27205]: /sbin/ifconfig ovpns1 10.0.41.1 10.0.41.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:44:42 firewall2 openvpn[27445]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:44:42 firewall2 openvpn[27768]: TUN/TAP device /dev/tun3 opened
May 20 12:44:42 firewall2 openvpn[27445]: /sbin/ifconfig ovpns2 10.0.42.1 10.0.42.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:44:42 firewall2 openvpn[27768]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
May 20 12:44:42 firewall2 openvpn[27497]: Control Channel Authentication: using '/var/etc/openvpn/server3.tls-auth' as a OpenVPN static key file
May 20 12:44:42 firewall2 openvpn[27392]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
May 20 12:44:42 firewall2 openvpn[27768]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 20 12:44:42 firewall2 openvpn[27768]: /sbin/ifconfig ovpns3 10.0.43.1 10.0.43.2 mtu 1500 netmask 255.255.255.255 up
May 20 12:44:42 firewall2 openvpn[27497]: TCP/UDP: Socket bind failed on local address [AF_INET]<WAN address>:1196: Address already in use
May 20 12:44:42 firewall2 openvpn[27392]: TCP/UDP: Socket bind failed on local address [AF_INET]<WAN address>:1194: Address already in use
May 20 12:44:42 firewall2 openvpn[27497]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27392]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27445]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1558 10.0.42.1 10.0.42.2 init
May 20 12:44:42 firewall2 openvpn[27768]: /usr/local/sbin/ovpn-linkup ovpns3 1500 1558 10.0.43.1 10.0.43.2 init
May 20 12:44:42 firewall2 openvpn[27205]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 10.0.41.1 10.0.41.2 init
May 20 12:44:42 firewall2 openvpn[27768]: UDPv4 link local (bound): [AF_INET]<WAN address>:1196
May 20 12:44:42 firewall2 openvpn[27768]: UDPv4 link remote: [undef]
May 20 12:44:42 firewall2 openvpn[27768]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[27445]: UDPv4 link local (bound): [AF_INET]<WAN address>:1195
May 20 12:44:42 firewall2 openvpn[27445]: UDPv4 link remote: [undef]
May 20 12:44:42 firewall2 openvpn[27445]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[27205]: UDPv4 link local (bound): [AF_INET]<WAN address>:1194
May 20 12:44:42 firewall2 openvpn[27205]: UDPv4 link remote: [undef]
May 20 12:44:42 firewall2 openvpn[27205]: Initialization Sequence Completed
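The log above can be checked mechanically rather than by eye. The following is an added example (editor's code, not from the post and not part of pfSense or OpenVPN) that parses syslog-style openvpn.log lines, groups successful binds and "Address already in use" failures by port and timestamp, and reports every port that more than one process tried to bind within the same second. That is the pattern at 12:44:42 in the log: two processes each on 1194 and 1196, the loser exits with a fatal error, and on server2 it is the management socket (server2.sock, the unix socket pfSense's status page talks to) whose bind fails instead of the UDP port. The sample log is a constructed subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the openvpn.log lines quoted above, reduced to the
# events that matter for the bind-conflict check.
SAMPLE_LOG = """\
May 20 12:38:13 firewall2 openvpn[32944]: UDPv4 link local (bound): [AF_INET]<WAN address>:1194
May 20 12:38:13 firewall2 openvpn[32944]: Initialization Sequence Completed
May 20 12:38:13 firewall2 openvpn[35124]: UDPv4 link local (bound): [AF_INET]<WAN address>:1195
May 20 12:38:13 firewall2 openvpn[35124]: Initialization Sequence Completed
May 20 12:38:13 firewall2 openvpn[36867]: UDPv4 link local (bound): [AF_INET]<WAN address>:1196
May 20 12:38:13 firewall2 openvpn[36867]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[28060]: MANAGEMENT: Socket bind[5] failed on unix domain socket /var/etc/openvpn/server2.sock: Address already in use
May 20 12:44:42 firewall2 openvpn[28060]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27497]: TCP/UDP: Socket bind failed on local address [AF_INET]<WAN address>:1196: Address already in use
May 20 12:44:42 firewall2 openvpn[27392]: TCP/UDP: Socket bind failed on local address [AF_INET]<WAN address>:1194: Address already in use
May 20 12:44:42 firewall2 openvpn[27497]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27392]: Exiting due to fatal error
May 20 12:44:42 firewall2 openvpn[27768]: UDPv4 link local (bound): [AF_INET]<WAN address>:1196
May 20 12:44:42 firewall2 openvpn[27768]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[27445]: UDPv4 link local (bound): [AF_INET]<WAN address>:1195
May 20 12:44:42 firewall2 openvpn[27445]: Initialization Sequence Completed
May 20 12:44:42 firewall2 openvpn[27205]: UDPv4 link local (bound): [AF_INET]<WAN address>:1194
May 20 12:44:42 firewall2 openvpn[27205]: Initialization Sequence Completed
"""

# syslog prefix: "Mon DD HH:MM:SS host openvpn[pid]: message" (single-digit days use two spaces)
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BOUND_RE = re.compile(r"link local \(bound\): .*:(?P<port>\d+)$")
BIND_FAIL_RE = re.compile(r"Socket bind failed on local address .*:(?P<port>\d+): Address already in use$")
MGMT_FAIL_RE = re.compile(r"MANAGEMENT: Socket bind\[\d+\] failed on unix domain socket (?P<sock>\S+): Address already in use$")


def parse_events(log_text):
    """Yield (timestamp, pid, kind, target) for bind-related lines.
    kind is 'bound' or 'bind_failed' (target = UDP/TCP port) or 'mgmt_failed' (target = socket path)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m["ts"], int(m["pid"]), m["msg"]
        if b := BOUND_RE.search(msg):
            yield ts, pid, "bound", int(b["port"])
        elif f := BIND_FAIL_RE.search(msg):
            yield ts, pid, "bind_failed", int(f["port"])
        elif g := MGMT_FAIL_RE.search(msg):
            yield ts, pid, "mgmt_failed", g["sock"]


def failed_binds(log_text):
    """(port, pid) for every listener that lost its bind with EADDRINUSE, in log order."""
    return [(port, pid) for _, pid, kind, port in parse_events(log_text) if kind == "bind_failed"]


def concurrent_starts(log_text):
    """Map (timestamp, port) -> pids that tried to bind that port in the same second.
    More than one pid per key means two daemons were launched for the same server instance."""
    attempts = defaultdict(list)
    for ts, pid, kind, target in parse_events(log_text):
        if kind in ("bound", "bind_failed"):
            attempts[(ts, target)].append(pid)
    return {key: pids for key, pids in attempts.items() if len(pids) > 1}


def management_socket_failures(log_text):
    """(pid, socket path) for management-interface binds that failed; the GUI status reads these sockets."""
    return [(pid, sock) for _, pid, kind, sock in parse_events(log_text) if kind == "mgmt_failed"]


if __name__ == "__main__":
    for (ts, port), pids in sorted(concurrent_starts(SAMPLE_LOG).items()):
        print(f"{ts}: port {port} started by {len(pids)} processes {pids}")
    for pid, sock in management_socket_failures(SAMPLE_LOG):
        print(f"management socket {sock} already in use (pid {pid})")
```

The same-second grouping is deliberate: a clean restart also binds each port twice (once at 12:38:13, once at 12:44:42), so counting binds per port over the whole log would flag every normal restart, while two attempts on one port inside one second only happens when the server was started twice.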

3
IDS/IPS / CARP - Backup crashes while Suricata XMLRPC-Sync
« on: March 25, 2016, 09:54:47 am »
Hi,

I've had a CARP setup running for years. Now the WebConfigurator on the backup crashes when I save some changes in Suricata on the master. The Suricata service is running on the backup and the sync seems to complete successfully.

This is the corresponding summary of the master's system.log:
Code:
Mar 25 15:27:32 firewall1 check_reload_status: Syncing firewall
Mar 25 15:27:32 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync is starting.
Mar 25 15:27:32 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync sending auto-SID conf files to https://10.166.48.3:1111.
Mar 25 15:27:32 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync sending auto-SID conf files to https://10.166.48.3:1111.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync sending auto-SID conf files to https://10.166.48.3:1111.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync auto-SID conf files success with https://10.166.48.3:1111 (pfsense.exec_php).
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] Beginning package configuration XMLRPC sync to https://10.166.48.3:1111.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] Package configuration XMLRPC sync successfully completed with https://10.166.48.3:1111.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync sending reload configuration cmd set as a file to https://10.166.48.3:1111.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync reload configuration success with https://10.166.48.3:1111 (pfsense.exec_php).
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync sending https://10.166.48.3:1111 cmd to execute configuration reload.
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync reload configuration success with https://10.166.48.3:1111 (pfsense.exec_php).
Mar 25 15:27:33 firewall1 php-fpm[79198]: /suricata/suricata_global.php: [suricata] XMLRPC sync completed.
Mar 25 15:27:34 firewall1 php-fpm[97953]: /rc.filter_synchronize: Beginning XMLRPC sync to https://10.166.48.3:1111.
Mar 25 15:27:34 firewall1 php-fpm[97953]: /rc.filter_synchronize: An error code was received while attempting XMLRPC sync with username admin https://10.166.48.3:1111 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Mar 25 15:27:34 firewall1 php-fpm[97953]: /rc.filter_synchronize: New alert found: An error code was received while attempting XMLRPC sync with username admin https://10.166.48.3:1111 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Mar 25 15:27:35 firewall1 php-fpm[97953]: /rc.filter_synchronize: Message sent to admin@media-management.at OK
Mar 25 15:27:35 firewall1 php-fpm[97953]: /rc.filter_synchronize: Beginning XMLRPC sync to https://10.166.48.3:1111.
Mar 25 15:27:35 firewall1 check_reload_status: Reloading check_reload_status because it exited from an error!
Mar 25 15:27:35 firewall1 kernel: pid 94827 (check_reload_status), uid 0: exited on signal 10 (core dumped)
Mar 25 15:27:35 firewall1 check_reload_status: check_reload_status is starting.
Mar 25 15:27:35 firewall1 check_reload_status: fcgipath from environment /var/run/php-fpm.socket

Backup system.log:
Code:
Mar 25 15:27:33 firewall2 check_reload_status: Syncing firewall
Mar 25 15:27:33 firewall2 php: suricata_sync_cmds.php: [suricata] XMLRPC pkg sync: Update of downloaded rule sets requested...
Mar 25 15:27:33 firewall2 php: suricata_sync_cmds.php: [Suricata] Emerging Threats Open rules are up to date...
Mar 25 15:27:34 firewall2 php: suricata_sync_cmds.php: [Suricata] Snort VRT rules are up to date...
Mar 25 15:27:34 firewall2 php: suricata_sync_cmds.php: [Suricata] The Rules update has finished.
Mar 25 15:27:34 firewall2 check_reload_status: Syncing firewall
Mar 25 15:27:34 firewall2 php: suricata_sync_cmds.php: [suricata] XMLRPC pkg sync: Generating suricata.yaml file using Master Host settings...
Mar 25 15:27:34 firewall2 php: suricata_sync_cmds.php: [Suricata] Updating rules configuration for: DMZ ...
Mar 25 15:27:35 firewall2 kernel: pid 84359 (lighttpd), uid 0: exited on signal 11 (core dumped)
Mar 25 15:27:38 firewall2 php: suricata_sync_cmds.php: [Suricata] Enabling any flowbit-required rules for: DMZ...
Mar 25 15:27:38 firewall2 php: suricata_sync_cmds.php: [Suricata] Building new sid-msg.map file for DMZ...
Mar 25 15:27:39 firewall2 php: suricata_sync_cmds.php: [suricata] XMLRPC pkg sync: Checking Suricata status...
Mar 25 15:27:39 firewall2 php: suricata_sync_cmds.php: [suricata] XMLRPC pkg sync: Suricata is running...
Mar 25 15:27:39 firewall2 php: suricata_sync_cmds.php: [suricata] XMLRPC pkg sync process on this host is complete...

After that the backup WebGUI isn't accessible any more until I restart it from the console, and the master reports an XMLRPC sync failure.
The last item I changed in the Suricata setup before this happened was the Snort VRT rule name to "snortrules-snapshot-2976.tar.gz", since the old one didn't work any more.

All other XMLRPC syncs work without any issues.

Any idea how to resolve this?

4
Hi,

I run pfSense 2.2.2 on two DELL R210 II, BIOS 2.8.0.
While testing the shutdown command to switch off the machines in case of a power failure at low UPS battery, I found out that the machines reboot on every second shutdown command. The other times they stay off.

I've tested it with different commands like halt -p, shutdown -p now, poweroff. It's the same with each of them.
It's also the same whether I call halt from the console or the GUI.

I'm not sure if it is a hardware issue. However, I have also tested the shutdown with Kanotix and Win 7, and there it works.

Can anyone confirm that this happens on specific hardware?

5
CARP/VIPs / CARP + NAT reflection - interface IP instead CARP IP
« on: January 16, 2015, 06:44:26 am »
Hi,

I have 2 pfSense boxes running in CARP mode which work as expected.
For accessing internal web services with external DNS information I have activated NAT reflection in "NAT + Proxy" mode.

Now I have found that the services are accessed via the master's DMZ interface IP instead of the CARP IP. So in case of a failover the connections cannot be taken over by the slave.

Does anyone know if it's possible to configure NAT reflection to use the CARP IP?

6
Hello guys!

I have a very curious issue with pfSense.
I have two pfSense boxes running in CARP, master is version 2.1.2, backup is 2.1.3.
The backup blocks a particular IP on the LAN interface. On the master everything works fine. However, the machines are synced.

LAN net: x.x.3.0/24
LAN master: x.x.3.2
LAN backup: x.x.3.3
LAN CARP: x.x.3.1

In the LAN net I have 4 hosts. Each host has access as expected except 1 with the IP x.x.3.110. Unfortunately this is our master DC.
Every packet from IP x.x.3.110 is blocked by the backup pfSense. If the master is on, there is no problem if I use the CARP IP, but if it's offline there is no access to and from the DC.

For analysis I have made tests with ping and captured the packets with pfSense.

A ping from the affected host to the LAN address of the backup pfSense looks like this:
Code:
13:18:58.820303 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 2816, length 40
13:19:04.238687 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3072, length 40
13:19:09.738722 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3328, length 40
13:19:15.238763 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3584, length 40

There are no replies; however, in the logs I can see that the ping is passed by the rules.

A ping from another host is okay. It also gets replies:
Code:
13:18:17.447322 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65057, length 40
13:18:17.447542 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65057, length 40
13:18:18.447440 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65313, length 40
13:18:18.447509 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65313, length 40
13:18:19.447440 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 34, length 40
13:18:19.447625 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 34, length 40

Also, if I change the IP from x.x.3.110 to x.x.3.111, pfSense replies as it should:
Code:
13:25:03.854243 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 5888, length 40
13:25:03.854326 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 5888, length 40
13:25:04.859727 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 6144, length 40
13:25:04.859839 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 6144, length 40
13:25:05.865605 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 6400, length 40
13:25:05.865771 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 6400, length 40

Can you please tell me what the hell is the reason for this strange behaviour?
I have no idea.

A solution would be, as mentioned, changing the IP of the DC. But to do so I would also have to change the interface settings on every host in the network, because this server does DNS as well. So I would rather reinstall pfSense. But maybe this will not resolve my issue.
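The three captures above reduce to one question per source host: does each echo request it sends get a reply? The following is an added example (editor's code, not from the post and not part of pfSense) that pairs tcpdump ICMP lines by (requester, responder, id, seq) and lists the hosts whose requests went unanswered; the sample is a constructed subset of the lines quoted above. Run on a capture taken on the firewall's own LAN interface, it separates "the request never arrived" (no request line at all) from "it arrived but no reply left" (the post's situation, where the request is seen, the rule log says pass, and nothing comes back), which tells you whether to look at the ingress filter or at the reply path and host-side state.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the three tcpdump captures quoted above, concatenated.
SAMPLE_CAPTURE = """\
13:18:58.820303 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 2816, length 40
13:19:04.238687 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3072, length 40
13:19:09.738722 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3328, length 40
13:19:15.238763 IP x.x.3.110 > x.x.3.3: ICMP echo request, id 512, seq 3584, length 40
13:18:17.447322 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65057, length 40
13:18:17.447542 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65057, length 40
13:18:18.447440 IP x.x.3.105 > x.x.3.3: ICMP echo request, id 768, seq 65313, length 40
13:18:18.447509 IP x.x.3.3 > x.x.3.105: ICMP echo reply, id 768, seq 65313, length 40
13:25:03.854243 IP x.x.3.111 > x.x.3.3: ICMP echo request, id 512, seq 5888, length 40
13:25:03.854326 IP x.x.3.3 > x.x.3.111: ICMP echo reply, id 512, seq 5888, length 40
"""

# tcpdump's default one-line ICMP echo format
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def pair_echoes(capture_text):
    """Match each echo request to its reply by (requester, responder, id, seq).
    Returns {requester: {"sent": n, "answered": n, "unanswered": [(id, seq), ...]}}."""
    pending = {}  # (requester, responder, id, seq) -> True while the reply is outstanding
    stats = defaultdict(lambda: {"sent": 0, "answered": 0, "unanswered": []})
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        icmp_id, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], icmp_id, seq)] = True
            stats[m["src"]]["sent"] += 1
        else:
            # a reply from dst->src answers the request src sent to dst; stray replies are ignored
            if pending.pop((m["dst"], m["src"], icmp_id, seq), None):
                stats[m["dst"]]["answered"] += 1
    for requester, _responder, icmp_id, seq in pending:
        stats[requester]["unanswered"].append((icmp_id, seq))
    return dict(stats)


def silent_sources(capture_text):
    """Requesters that sent at least one echo request and received no reply at all."""
    return sorted(src for src, s in pair_echoes(capture_text).items()
                  if s["sent"] and not s["answered"])


if __name__ == "__main__":
    for src, s in sorted(pair_echoes(SAMPLE_CAPTURE).items()):
        print(f"{src}: sent {s['sent']}, answered {s['answered']}, unanswered {s['unanswered']}")
    print("no replies at all:", silent_sources(SAMPLE_CAPTURE))
```

Pairing on the full (requester, responder, id, seq) tuple matters because two different hosts can use the same ICMP id at the same time, as x.x.3.110 and x.x.3.111 both do with id 512 in the captures above.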
