The pfSense Store

Author Topic: DHCP failover both in recover  (Read 124 times)

0 Members and 1 Guest are viewing this topic.

Offline Ap0p0

  • Newbie
  • *
  • Posts: 24
  • Karma: +0/-0
    • View Profile
DHCP failover both in recover
« on: December 03, 2017, 01:47:11 pm »
Hi all,

I'm trying to activate DHCP failover on a CARP LAN interface but both nodes are in recover / unknown peer state

node1 - node2 - VIP

10.6.0.1/16 - 10.6.0.2/16 - 10.6.0.3/16

node1 (primary) has 10.6.0.2 as failover peer, and pfsync put 10.6.01 as failover peer on node2 automatically.

Firewall rules are dynamically added:
pass in  quick on $GUESTS1006 proto { tcp udp } from 10.6.0.2 to 10.6.0.1 port = 519 tracker 1000013144 label "allow access to DHCP failover"
pass in  quick on $GUESTS1006 proto { tcp udp } from 10.6.0.2 to 10.6.0.1 port = 520 tracker 1000013145 label "allow access to DHCP failover"


and

pass in  quick on $GUESTS1006 proto { tcp udp } from 10.6.0.1 to 10.6.0.2 port = 519 tracker 1000013144 label "allow access to DHCP failover"
pass in  quick on $GUESTS1006 proto { tcp udp } from 10.6.0.1 to 10.6.0.2 port = 520 tracker 1000013145 label "allow access to DHCP failover"


Both nodes are NTP synced (same NTP servers)

Both dhcpd.conf seems to be OK too:
Quote
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
failover peer "dhcp_opt10" {
  primary;
  address 10.6.0.1;
  port 519;
  peer address 10.6.0.2;
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  split 128;
  mclt 600;

  load balance max seconds 3;
}

subnet 10.6.0.0 netmask 255.255.0.0 {
   pool {
      option domain-name-servers 10.6.0.3;
      deny dynamic bootp clients;
      failover peer "dhcp_opt10";

      range 10.6.1.1 10.6.9.255;
   }

   option routers 10.6.0.3;
   option domain-name "office-people-doc.com";
   option domain-name-servers 10.6.0.3;
   max-lease-time 7200;

}

Quote
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
failover peer "dhcp_opt10" {
  secondary;
  address 10.6.0.2;
  port 520;
  peer address 10.6.0.1;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
 
  load balance max seconds 3;
}

subnet 10.6.0.0 netmask 255.255.0.0 {
   pool {
      option domain-name-servers 10.6.0.3;
      deny dynamic bootp clients;
      failover peer "dhcp_opt10";

      range 10.6.1.1 10.6.9.255;
   }

   option routers 10.6.0.3;
   option domain-name "office-people-doc.com";
   option domain-name-servers 10.6.0.3;
   max-lease-time 7200;

}

I removed all DHCP lease on both nodes to have them clear, but no way. Both are staying in recover mode and does not serve IPs to clients. Where am I wrong? :-)

I can see that on both nodes, nothing is received/sent on port 519 and 520 on the LAN interface. I think that's the problem but why?

Offline Ap0p0

  • Newbie
  • *
  • Posts: 24
  • Karma: +0/-0
    • View Profile
Re: DHCP failover both in recover
« Reply #1 on: December 03, 2017, 04:20:05 pm »
I found something. Both nodes are unable to communicate between them.

SNAT on loopback is translated to "interface address" so it should be good.

I did a firewall alias with both real IPs 10.6.0.1 and 10.6.0.2 and I added a rule on interface "GUESTS1006" like:
any protocol source "alias" to interface address

no way! nodes can't ping each other.

By the way, I have an other interface with CARP, on other subnet and nodes can ping each other. I can't see difference... Both interface are VLAN, CARP configuration is exactly the same, SNAT too. Diff is on firewall rules but I tried a any2any rule on GUESTS1006 and does not work. No packets matches the rule, I can't explain.