DHCP Failover Peer IP is not correctly synced over XMLRPC if larger matching subnet appears before correct one in route table #5002
this likely needs more info, core/src/etc/rc.filter_synchronize Lines 186 to 194 in 25959a4
Relevant parts are the interface configuration and logical mapping (lan, wan, opt) of the master machine.
not really, the matching issue might be related to one of the other interfaces or routes. At first glance, guess_interface_from_ip first checks netstat and, if that doesn't work, asks the local routing.
Might shed more light on it.
root@scylla:~ # /usr/bin/netstat -rnWf inet
Internet:
it doesn't have anything to do with the netmask,
No, only if you don't use them
So, it's a bug because the first match wins, instead of the most specific match?
It's an omission, but also quite a specific edge case. Guessing networks will never be perfect, I'm not sure we should try to add more logic here to be honest.
I'm not sure it should be an edge case. |
I don't see this as an edge case. We have a number of firewalls with a 172.16.0.0/13 route related to an OpenVPN tunnel. We have others with static routes for 172.16.0.0/12 or other RFC1918 supernets. Because these show up in the routing table before the appropriate route and the DHCP server's IP is within the larger subnet, we're getting the wrong IP in our DHCP server configuration on the secondary DHCP server. I think logic should be added to allow
Swapping the existing function:

```php
function guess_interface_from_ip($ipaddress)
{
    if (is_ipaddrv4($ipaddress)) {
        $family = "inet";
    } elseif (is_ipaddrv6($ipaddress)) {
        $family = "inet6";
    } else {
        return false;
    }
    /* create a route table we can search */
    $output = array();
    exec("/usr/bin/netstat -rnWf " . $family, $output, $ret);
    /* search for the route with the largest subnet mask (longest prefix) */
    $largest_mask = 0;
    $best_if = null;
    foreach ($output as $line) {
        $fields = preg_split("/\s+/", trim($line));
        /* only prefix routes (x.x.x.x/nn) qualify; host routes and 'default' are skipped */
        if (count($fields) >= 6 && is_subnet($fields[0])) {
            if (ip_in_subnet($ipaddress, $fields[0])) {
                list($ip, $mask) = explode('/', $fields[0]);
                if ((int)$mask > $largest_mask) {
                    /* sixth column of netstat -rnW is Netif */
                    $best_if = $fields[5];
                    $largest_mask = (int)$mask;
                }
            }
        }
    }
    if (isset($best_if)) {
        return $best_if;
    }
    /* no prefix route matched, fall back to the kernel's own lookup */
    $ret = exec_command("/sbin/route -n get {$ipaddress} | /usr/bin/awk '/interface/ { print \$2; };'");
    if (empty($ret)) {
        return false;
    }
    return $ret;
}
```
I also suggest the title of this issue be changed to: DHCP Failover Peer IP is not correctly synced over XMLRPC if larger matching subnet appears before correct one in route table
@jasonpcrowley just open a PR (mind the typo in
I have submitted PR #5281 to resolve this issue. |
In case anyone wants to try @jasonpcrowley's work, on OPNsense 21.7.3 you should be able to pull the patch using
Describe the bug
I have multiple DHCP networks that sync over XMLRPC.
On network 1, primary IP is 10.0.0.2, secondary IP is 10.0.0.3, network is 10/24, I have configured 10.0.0.3 on primary, and the secondary syncs that as 10.0.0.2, which is ok.
On network 2, primary IP is 10.0.2.130, secondary IP is 10.0.2.131, network is 10.0.2.128/25, I have configured 10.0.2.131 on primary, and the secondary syncs that as 127.0.0.1, which is wrong.
On network 3, primary IP is 10.0.2.18, secondary IP is 10.0.2.19, network is 10.0.2.16/28, I have configured 10.0.2.19 on primary, and the secondary syncs that as 127.0.0.1, which is also wrong.
So it seems to me that it doesn't find the correct interface if the subnet mask is not /24 or something like that.
Expected behavior
The DHCP peer IP on the slave should be the IP of the primary DHCP
Describe alternatives you considered
Correct it manually and disable XMLRPC
Screenshots (images not included): DHCP peer IP on primary; DHCP peer IP on slave
Environment
OPNsense 21.1.5-amd64
FreeBSD 12.1-RELEASE-p16-HBSD
OpenSSL 1.1.1k 25 Mar 2021
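The following is an added illustration of the two lookup strategies argued about in this thread (first matching route versus most specific matching route over `netstat -rnW` output), covering both the OpenVPN/RFC1918 supernet case from the comments and the /25 and /28 networks from the report above. It is not OPNsense code and not the PR. The routing table is constructed: the 10.0.0.0/8 static route and the 172.16.0.0/12 and /13 OpenVPN routes are assumed supernets placed so that they sort ahead of the directly connected networks; nothing here is claimed to be the reporter's actual table.

```python
"""First-match vs longest-prefix lookup over FreeBSD `netstat -rnW` output.

Added illustration for this issue, not OPNsense code. The routing table is
constructed: the 10.0.0.0/8 static route and the 172.16.0.0/12 and /13 OpenVPN
routes are assumed supernets that appear before the connected networks.
"""
import ipaddress

# Constructed `netstat -rnWf inet` output (FreeBSD column order:
# Destination Gateway Flags Use Mtu Netif Expire).
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Use    Mtu Netif Expire
default            203.0.113.1        UGS         0   1500   em0
10.0.0.0/8         10.0.0.254         UGS         0   1500   em1
10.0.0.0/24        link#2             U           0   1500   em1
10.0.0.2           link#2             UHS         0  16384   lo0
10.0.2.16/28       link#3             U           0   1500   em2
10.0.2.18          link#3             UHS         0  16384   lo0
10.0.2.128/25      link#4             U           0   1500   em3
10.0.2.130         link#4             UHS         0  16384   lo0
127.0.0.1          link#5             UH          0  16384   lo0
172.16.0.0/12      172.31.255.1       UGS         0   1500   ovpnc1
172.16.0.0/13      172.31.255.1       UGS         0   1500   ovpnc1
172.16.5.0/24      link#6             U           0   1500   em4
"""


def parse_routes(text):
    """Return (network, netif) pairs in table order.

    Only prefix routes written as a.b.c.d/nn are kept, mirroring the
    is_subnet() test in the thread's PHP; host routes and 'default' are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or "/" not in fields[0]:
            continue
        try:
            network = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue
        routes.append((network, fields[5]))  # sixth column is Netif
    return routes


def first_match(ip, routes):
    """The behaviour the thread complains about: the first containing route wins."""
    addr = ipaddress.ip_address(ip)
    for network, netif in routes:
        if addr in network:
            return netif
    return None


def longest_prefix_match(ip, routes):
    """The behaviour of the proposed fix: the most specific containing route wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for network, netif in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, netif)
    return None if best is None else best[1]


ROUTES = parse_routes(SAMPLE_NETSTAT)

if __name__ == "__main__":
    # Peer addresses from the report plus one sitting behind the OpenVPN supernet.
    for peer in ("10.0.0.3", "10.0.2.19", "10.0.2.131", "172.16.5.7"):
        print(f"{peer:<12} first-match={str(first_match(peer, ROUTES)):<7} "
              f"longest-prefix={longest_prefix_match(peer, ROUTES)}")
```

In this table the /24 peer resolves to the same interface either way only because the assumed 10.0.0.0/8 route happens to point at em1, while the /25 and /28 peers and the 172.16.5.x peer come back on the wrong interface under first-match. The kernel's own forwarding lookup is longest-prefix by definition, which is why the `route -n get` fallback in the proposed function gives the right answer and why a scan over `netstat` output has to replicate that rule rather than stop at the first hit.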