From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Thu, 28 May 2009 07:54:38 +0100
To: "Michael K. Smith - Adhost"
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPv6 CARP Interface in PF

Michael K. Smith - Adhost wrote:
> Hello:
>
> I'm having reachability problems with a CARP interface set up on two 7.1
> boxes with an uplink to Cisco routers. However, the inside CARP address
> on the same set of PF boxes is reachable with no trouble. Here's the
> config.
>
>          Cisco        Cisco
>            HSRP Gateway
>                |
>         CARP Interface 1
>       PF Box        PF Box
>         CARP Interface 2
>                |
>              Server
>
> When I try to ping CARP Interface 1 above from the Internet, I get no
> response. When I ping the CARP Interface 2, which has a route set from
> the Ciscos to CARP Interface 1, it works. Here's what I see in my
> logs.
>
> 00:38:45.763975 IP6 fe80::203:6cff:fef9:2c00 > ff02::1:ff00:7: ICMP6,
> neighbor solicitation, who has 2001:4970:cccc::7, length 32
>
> ... with no response.
>
> Here is the ifconfig from one box.
>
> carp0: flags=49 metric 0 mtu 1500
>         inet6 2001:4970:cccc::6 prefixlen 64
>         inet6 2001:4970:cccc::7 prefixlen 64
>         carp: MASTER vhid 1 advbase 1 advskew 100
> carp1: flags=49 metric 0 mtu 1500
>         inet6 2001:4970:cccc:aaaa::1 prefixlen 64
>         carp: MASTER vhid 2 advbase 1 advskew 100
>
> and the other shows appropriately as "BACKUP". There is no change if I
> run with just one PF box.
>
> Any help would be greatly appreciated.

* Do you have PF rulesets written to take account of the CARP interfaces
  and IPs correctly? You can say things like:

    pass in on carp0 proto icmp6 from any to { carp0 carp1 } keep state

  You may not need carp specific rules if the carp IP is from the same
  network as the IPs on the front interfaces of those PF boxes, and your
  rules are written to filter traffic crossing those interfaces by network
  (say) rather than by specific IP numbers.

  A good debugging trick is to make sure that all pf rules that block
  packets have a log clause, and then tcpdump pflog0 while doing your
  connectivity tests. Immediately tells you if it's PF blocking things
  rather than some other problem.

* I'm sure this is far too obvious, but in case you've tripped over this
  one accidentally: pass ... proto inet .... only allows IPv4. Either drop
  the proto clause altogether, or add explicit 'proto inet6' rules.

* Have you tried tcpdump on the various physical and carp interfaces on those
  machines while trying to ping? Probably the most interesting data to be
  gleaned from that is if there are ping responses being sent, and what IP they
  originate from.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
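A pf.conf fragment that puts the reply's three points together (logging block rules, an IPv4-only rule beside its IPv6 form, and the ICMPv6 neighbour discovery the quoted tcpdump shows going unanswered), written here as an added example and not taken from the thread. The physical interface names em0/em1 and the macro names are assumptions; the addresses are the ones from the ifconfig output quoted above.

```conf
# Added example, not from the thread. em0/em1 and the macro names are assumed.
ext_if   = "em0"     # assumed: physical uplink interface that carp0 sits on
int_if   = "em1"     # assumed: physical inside interface that carp1 sits on
carp_out = "{ 2001:4970:cccc::6 2001:4970:cccc::7 }"
carp_in  = "{ 2001:4970:cccc:aaaa::1 }"

set skip on lo0

# Debugging trick from the reply: every block rule logs, so
#   tcpdump -n -e -ttt -i pflog0
# shows exactly which packets pf is dropping and on which rule.
block in  log all
block out log all

# CARP advertisements between the two PF boxes travel on the physical
# interfaces; if they are blocked both boxes end up MASTER.
pass on { $ext_if $int_if } proto carp keep state

# IPv6 neighbour discovery. Without this the Cisco's neighbor solicitation
# for 2001:4970:cccc::7 (the tcpdump line in the question) never gets a
# neighbor advertisement back, so the address is unreachable even if
# echo requests would be allowed.
pass inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv } keep state

# Wrong for this setup: address family "inet" matches IPv4 only, so the
# rule never permits anything to the IPv6 CARP addresses.
# pass in on carp0 inet proto icmp from any to $carp_out keep state

# Right: address family inet6 with protocol icmp6.
pass in on carp0 inet6 proto icmp6 from any to $carp_out icmp6-type echoreq keep state
pass in on carp1 inet6 proto icmp6 from any to $carp_in  icmp6-type echoreq keep state
pass out inet6 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch pflog0 while pinging each CARP address from outside.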