Netgate Discussion Forum
    PfSense CARP VIP and Level 3 switch: unable to ping…

HA/CARP/VIPs
5 Posts, 2 Posters, 6.0k Views
Yoann

Hi everyone,

We have a problem setting up two pfSense boxes with CARP VIPs.

The network configuration is not really complicated.

I have a subnet with public IPs: ..124.240/29

• Gateway: ..124.241
• WAN CARP VIP: ..124.242
• pfSense #1 WAN IP: ..124.243
• pfSense #2 WAN IP: ..124.244

And I have a private subnet: 172.16.0.0/24

• LAN CARP VIP: 172.16.0.1 (gateway)
• Switch Level 3: 172.16.0.3
• pfSense #1 LAN IP: 172.16.0.253
• pfSense #2 LAN IP: 172.16.0.252

I configured the sync between the pfSense boxes and it works through a dedicated interface (named "pfSync") with a private subnet 192.168.254.0/24: no problem here :)

I followed this tutorial to create my failover/redundancy system:

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

The pfSync part is OK, I created the CARP VIPs (LAN and WAN) and I set up the advanced outbound NAT like this:

Interface: LAN
Source: 172.16.0.0/24
Source port: *
Destination: *
Destination port: *
NAT address: 172.16.0.1
NAT port: *
Static port: NO

(I followed this: "Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address")

Now, the pfSense boxes are plugged into two Level 3 switches (LAN side). And behind those switches, I have two Level 2 switches.

With this configuration, a server which is plugged into an L2 switch cannot ping 172.16.0.1 (LAN CARP VIP) but can ping 172.16.0.3 (L3 switch).

If I plug the same server into an L2 switch which is directly connected to the two pfSense boxes, I can ping the LAN CARP VIP.

So, I thought that the problem came from the Level 3 switch and indeed, I found that the Level 3 switch doesn't ping the LAN CARP VIP!

And I did something: I created an entry in the ARP table of my L3 switch: I indicated the LAN CARP VIP and the MAC address associated with it, and IT WORKED :)

Here is my problem: how can the L3 switch and the pfSense boxes communicate without creating this entry? How is it possible that my computer can ping the VIP but not my L3 switch? My computer communicates at Level 2; is that the only way to ping a CARP VIP?

Thanks for your help.
cmb

So ARP is failing on the L3 switch, almost certainly because it isn't issuing an ARP request (otherwise it wouldn't be the only thing that didn't work). Maybe a conflicting IP or incorrect mask on the switch. Something in that switch's config isn't right.
Yoann

Hi CMB,

Thanks for helping me.

Since I read your answer, I verified all my configuration on my L3 switch and I found nothing that can help me…

I did another test: I tried on the WAN CARP side and I have the same problem: we can't ping ..124.242, but ..124.243 and ..124.244, yes, we can.

Indeed, the switch of my ISP can't find the WAN CARP. It is odd that our switches (mine and my ISP's) can't ping those VIPs, no? Do we both have misconfigured switches?
Yoann

I found something. CARP is a multicast protocol and on my switch, multicast is not activated. Could the problem come from this?
cmb

It's only multicast between the firewalls; that should have no implications on whether or not you get ARP from that IP.
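cmb's point above is that the switch's ARP cache, not CARP's multicast advertisements, is where the VIP goes missing, and the poster's workaround was a manual ARP entry on the L3 switch. The script below is an added example for this thread (it is not code from Netgate, pfSense or either poster) that classifies how a CARP VIP looks in a neighbour's `arp -an` output. It assumes the FreeBSD/pfSense convention that a CARP VIP answers ARP with the virtual MAC 00:00:5e:00:01:<VHID>; the VHID of 1, the interface name em0 and all three ARP tables are constructed samples, not captures from the poster's network.

```python
"""Classify a CARP VIP's entry in a neighbour's ARP table (added example).

Not pfSense or Netgate code. Assumes FreeBSD/pfSense CARP answers ARP for a
VIP with the VRRP-style virtual MAC 00:00:5e:00:01:<VHID>, and that the dump
being inspected looks like `arp -an` output on FreeBSD or Linux. The sample
tables at the bottom are constructed, not captured.
"""
import re

# IANA prefix shared by VRRP and CARP virtual MACs; the last byte is the VHID.
CARP_MAC_PREFIX = "00:00:5e:00:01"

# One `arp -an` line: "? (172.16.0.3) at 00:11:22:33:44:55 on em0 ..." or an
# unresolved entry, shown as "(incomplete)" on FreeBSD and "<incomplete>" on Linux.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}|\(incomplete\)|<incomplete>)"
)


def carp_virtual_mac(vhid: int) -> str:
    """Return the MAC a CARP VIP with this VHID should answer ARP with."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1..255, got {vhid}")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


def parse_arp_table(text: str) -> dict:
    """Map IP -> lowercase MAC, or None for an incomplete (unanswered) entry."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = m.group("mac")
        table[m.group("ip")] = None if "incomplete" in mac else mac.lower()
    return table


def check_vip(arp_table: dict, vip: str, vhid: int) -> dict:
    """Classify how the VIP looks from this neighbour's point of view.

    missing    : no entry at all. The neighbour never sent an ARP request (or
                 dropped the reply); this is the situation cmb describes and
                 why a static entry on the switch made it work.
    incomplete : a request went out but nothing answered. Look at the CARP
                 master side (is a box actually MASTER on that VLAN?).
    wrong_mac  : the entry resolves to something other than the CARP virtual
                 MAC, e.g. one firewall's physical NIC or a duplicate address.
    ok         : the entry carries the expected virtual MAC for this VHID.
    """
    expected = carp_virtual_mac(vhid)
    if vip not in arp_table:
        status = "missing"
    elif arp_table[vip] is None:
        status = "incomplete"
    elif arp_table[vip] != expected:
        status = "wrong_mac"
    else:
        status = "ok"
    return {"vip": vip, "expected_mac": expected,
            "seen_mac": arp_table.get(vip), "status": status}


# Constructed sample: the L3 switch's table before any static entry was added.
# The VIP never appears, while both firewalls' physical LAN MACs do.
ARP_BEFORE = """\
? (172.16.0.253) at 00:0c:29:aa:bb:01 on em0 expires in 1180 seconds [ethernet]
? (172.16.0.252) at 00:0c:29:aa:bb:02 on em0 expires in 1175 seconds [ethernet]
? (172.16.0.50) at 00:50:56:11:22:33 on em0 expires in 900 seconds [ethernet]
"""

# Constructed sample: the same switch after a manual entry carrying the virtual
# MAC (VHID 1 is an assumption; the thread never states the VHID).
ARP_AFTER = ARP_BEFORE + "? (172.16.0.1) at 00:00:5e:00:01:01 on em0 permanent [ethernet]\n"

# Constructed sample: a static entry pointing at pfSense #1's physical NIC
# instead of the virtual MAC. It works until a failover, then traffic is lost.
ARP_STALE = ARP_BEFORE + "? (172.16.0.1) at 00:0c:29:aa:bb:01 on em0 permanent [ethernet]\n"


if __name__ == "__main__":
    for label, dump in (("before", ARP_BEFORE), ("after", ARP_AFTER), ("stale", ARP_STALE)):
        print(label, check_vip(parse_arp_table(dump), "172.16.0.1", vhid=1))
```

To use it on a real device, feed the text of `arp -an` (or the equivalent show command on the switch) to parse_arp_table and call check_vip with the VIP and its VHID. A "missing" result matches cmb's diagnosis (the switch never asked), "incomplete" points at the firewall side of the segment, and "wrong_mac" is what a hand-made static entry looks like when it names one firewall's physical NIC; if a static entry is kept at all, it must carry the virtual MAC so that a failover to the other box still works.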
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.