# carp fails when firewall enabled



## rtt010567 (Jul 19, 2011)

I have carp and pfsync working flawlessly on two 8.2 machines, each with two network interfaces and configured as firewalls/routers.

It works perfectly AS LONG AS BOTH MACHINES BOOT WITH FIREWALL SET TO "OPEN". (My kernel was built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT so default is to deny).

The problem occurs as soon as I turn on the default "SIMPLE" firewall on the master (and leave the backup machine's firewall "OPEN"). At that point, the backup machine thinks it is the master and takes charge even though the master is still running. Moreover, the master still thinks it's in charge, so I now have two competing masters which obviously doesn't work.

To summarise: turning on the "SIMPLE" firewall (which works as expected otherwise) on the master blocks the carp protocol somehow. Of course, I have tried adding all manner of rules to my rc.firewall to enable carp/pfsync, but none of these have any effect:


```
${fwcmd} add pass carp from any to any
${fwcmd} add pass carp from any to any setup
${fwcmd} add pass carp from any to any established
${fwcmd} add pass carp from any to any keep-state
${fwcmd} add pass pfsync from any to any
${fwcmd} add pass pfsync from any to any setup
${fwcmd} add pass pfsync from any to any established
${fwcmd} add pass pfsync from any to any keep-state
```
The TRULY WEIRD thing is that carp remains wedged on both machines even after I explicitly reset the master's firewall to "OPEN", as in:

`sh /etc/rc.firewall open >&/dev/null`

The only way to get them back to their original working state is to reboot the master (again, configured to come up with the firewall enabled but "OPEN").

Has anyone gotten carp to work with the firewall(s) enabled?

Stumped.

Thanks,

Rick


----------



## pbd (Jul 26, 2011)

Obviously some rule is blocking outgoing CARP/VRRP packets from master. Can you post your full ruleset?


```
ipfw -a list
```

Or alternatively add the _log_ option to all rules to see what is going on.


----------



## plamaiziere (Jul 27, 2011)

rtt010567 said:

> I have carp and pfsync working flawless on two 8.2 machines, each with two network interfaces and configured as firewalls/routers.
> 
> It works perfectly AS LONG AS BOTH MACHINES BOOT WITH FIREWALL SET TO "OPEN". (My kernel was built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT so default is to deny).



I don't think pfsync works with ipfw. So the first step is to turn it off and use pf instead.


----------



## rtt010567 (Jul 31, 2011)

*solved: carp works with pf, not ipfw*



> I don't think pfsync works with ipfw. So the first step is to turn it off and use pf instead.



That was the answer.

I rebuilt my kernel without IPFIREWALL and borrowed a canned set of rules from here:

https://sites.google.com/site/clickdeathsquad/Home/cds-bsdfirewall

and added these rules as per the instructions regarding the use of carp with pfsync from the pfsync(4) man page:


```
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp
```

Thanks.

R

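A fuller pf.conf fragment for the same two-firewall setup, added here as an example and not part of the original post or the pfsync(4) man page: the interface names sis0/sis1/sis2 follow the thread, the macro names and the default-deny policy are assumptions, and the rules keep pfsync confined to the dedicated sync link while letting CARP advertisements through on the interfaces that carry a vhid.

```pf
# Added example, not from the original post. sis0/sis1 carry traffic,
# sis2 is assumed to be a dedicated crossover link used only for pfsync.
ext_if  = "sis0"
int_if  = "sis1"
sync_if = "sis2"

set skip on lo0

# Default deny with logging, matching the poster's deny-by-default kernel:
# anything the rules below do not pass is dropped and shows up on pflog0.
block log all

# pfsync carries state-table updates with no authentication, so accept it
# only on the dedicated sync interface. pfsync multicasts to 224.0.0.240
# unless a syncpeer is configured, so the interface, not an address, is
# what keeps it off the public and internal segments.
pass quick on $sync_if proto pfsync

# CARP advertisements (IP protocol 112, sent to 224.0.0.18) must pass in
# both directions on every interface that has a carp vhid; if they are
# blocked on one peer, that peer stops hearing the master and both hosts
# end up claiming MASTER, which is the symptom described in the thread.
pass quick on { $ext_if $int_if } proto carp

# Ordinary traffic rules for the firewall/router role would follow here.
```

Check the syntax with `pfctl -vnf /etc/pf.conf` before loading it, then confirm with `ifconfig` on both hosts that exactly one carp interface reports MASTER and the other BACKUP.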

----------

