Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 25 subscribers
  • Views 6915 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Link Aggregation (LACP) MAC changing on reboot

Marc Herndon

I'm trying to figure out how to solve a problem that admittedly is not due to Sophos XG, but I believe XG might be able to provide a solution and was looking for some advice.

The problem is that I have a FreeNAS server set up for link aggregation with the LACP protocol, and it seems to acquire a random one of the member ports' MAC addresses every time the server reboots.  I have a static DHCP reservation on the XG for one of the MACs, so it works great when that MAC gets chosen, otherwise an arbitrary dynamic IP gets assigned if it's the other MAC and none of my clients can reach the server.

On the Sophos side, it obviously does not allow me to reserve the same static IP address for two different MAC addresses, which would be an easy fix to this issue.  It would be great if XG would allow you to do that and just give you some kind of "this is probably a terrible idea, make sure you know what you're doing" warning, instead of a hard failure.  In scenarios like I describe above, it's impossible that both MACs would ever be seen by the XG at the same time - maybe this could even be forced by manually editing a config file to enter the overlapping reservation?  Bad idea?

The other thought I had was if there is a way to clone all traffic from one IP to another IP?  Essentially for all traffic LAN-to-LAN, if the destination IP is X.X.X.11 *or* X.X.X.10, clone the traffic and deliver it to both IPs?  I was thinking there could even be a legitimate use for something like that unrelated to my issue, for example to run wireshark on one of the two IPs, while allowing normal traffic to reach the other IP.  If something like this cloning rule is possible, could it work from WAN to LAN as well if I have business rules to forward ports?  For example the business rule might forward traffic on port 80 to X.X.X.10, and then the LAN cloning rule would kick in and deliver that traffic to both IPs on port 80?

It sounds pretty ridiculous even typing out the above, but I'm grasping for any workaround I can at this point.  The advice on the FreeNAS forum was essentially "disable LACP, it's not needed in a home environment" (which I admit, is true, but simultaneously unhelpful).  If there's no other solution, I'll just configure the server with a static IP instead of using static DHCP reservations, but I was hoping there would be another way.  Thanks in advance for any help.



This thread was automatically locked due to age.
  • 0

    Marc,

    We can have different types of lacp modes.

    I suggest you to configure lag on your XG firewall, put 2 interfaces in it and choose lacp mode. Here the Sophos Kb:

  • 0 in reply to lferrara

    I appear to have misled you in my initial question.  My server is not connected directly to the XG as a LAG.  My server has an LACP LAG to a level 2 switch, and that in turn has a single connection to Port 1 (LAN port) on the XG.  When the server calls the DHCP server on the XG for an IP, it's chosen one of the two MACs randomly for the LAG interface, which is the root of the problem.

    I'm hoping the FreeNAS folks will have a workaround for this, but in the event they can't help me I was wondering what, if anything, can be done in XG?  Being able to tell it "if you see either of these two MACs, assign them this static IP" would be perfect, because both MACs can never be online at the same time, but it's not allowed by the GUI.  Could it possibly be forced in a config file, or would it break things?

    Thanks,
    Marc

  • 0 in reply to Marc Herndon

    Marc,

    did you configure the LACP on the Switch?

    If you have configured the LACP correctly even on Switch, XG will see only one mac-address (if the server is exposing one virtual mac).

    On XG you can assign DHCP static mapping under Network > DHCP > DHCP Server but I am not sure if you can assign 2 different MAC Entries to the same IP.

    Thanks

  • 0 in reply to lferrara

    Yes this is exactly my problem.  LACP is configured correctly on the switch and server.  XG only ever sees 1 MAC.  The problem is that the MAC is randomly selected by the server when it boots up.

    I have DHCP static reservation exactly as you describe, but the XG GUI will not allow you to reserve the same IP for more than one MAC.

    Hence the root of my question, is it possible to override that behavior in a config file somewhere, ie: work around the GUI?  Or the other even crazier question, is it possible to write a rule that clones traffic to more than one IP?

    Again I apologize as this is not at all a Sophos problem, it's really a limitation of FreeNAS, but I'm reaching out for workarounds in case they're unable or unwilling to fix it.

    Thanks!

  • +1 in reply to Marc Herndon

    Marc the problem is on your server. You cannot do any of the described MAC-Address tricks on XG.

    Cloning traffic is a feature available on switches (Port mirroring or span port) but not on XG.

    Regards

  • 0 in reply to lferrara

    Thank you for the confirmation. I fully understand the problem is on the server, I was just hoping XG might have a truck up its sleeve to bail me out. :)

    Note that I know there's no workaround in XG, I'll have to double down on fixing the root issue in FreeNAS.  Thanks!