Problems with IPv6 CARP Interface in PF
Matthew Seaman
m.seaman at infracaninophile.co.uk
Thu May 28 06:55:06 UTC 2009
Michael K. Smith - Adhost wrote:
> Hello:
>
> I'm having reachability problems with a CARP interface set up on two 7.1
> boxes with an uplink to Cisco routers. However, the inside CARP address
> on the same set of PF boxes are reachable with no trouble. Here's the
> config.
>
> Cisco Cisco
> HSRP Gateway
> |
> CARP Interface 1
> PF Box PF Box
> CARP Interface 2
> |
> Server
>
> When I try to ping CARP Interface 1 above from the Internet, I get no
> response. When I ping the CARP Interface 2, which has a route set from
> the Cisco's to CARP Interface 1, it works. Here's what I see in my
> logs.
>
> 00:38:45.763975 IP6 fe80::203:6cff:fef9:2c00 > ff02::1:ff00:7: ICMP6,
> neighbor solicitation, who has 2001:4970:cccc::7, length 32
>
> ... with no response.
>
> Here is the ifconfig from one box.
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
> inet6 2001:4970:cccc::6 prefixlen 64
> inet6 2001:4970:cccc::7 prefixlen 64
> carp: MASTER vhid 1 advbase 1 advskew 100
> carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
> inet6 2001:4970:cccc:aaaa::1 prefixlen 64
> carp: MASTER vhid 2 advbase 1 advskew 100
>
> and the other shows appropriately as "BACKUP". There is no change if I
> run with just one PF box.
>
> Any help would be greatly appreciated.
* Do you have PF rulesets written to take account of the CARP interfaces
and IPs correctly? You can say things like:
pass in on carp0 proto icmp6 from any to { carp0 carp1 } keep state
You may not need carp specific rules if the carp IP is from the same
network as the IPs on the front interfaces of those PF boxes, and your
rules are written to filter traffic crossing those interfaces by network
(say) rather than by specific IP numbers.
A good debugging trick is to make sure that all pf rules that block
packets have a log clause, and then tcpdump pflog0 while doing your
connectivity tests. Immediately tells you if its PF blocking things
rather than some other problem.
* I'm sure this is far too obvious, but in case you've tripped over this
one accidentally:
pass ... proto inet ....
only allows IPv4. Either drop the proto clause altogether, or add explicit
'proto inet6' rules.
* Have you tried tcpdump on the various physical and carp interfaces on those
machines while trying to ping? Probably the most interesting data to be gleaned
from that is if there are ping responses being sent, and what IP they originate
from.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090528/9d360efa/signature.pgp
More information about the freebsd-questions
mailing list