PfSense CARP VIP and Level 3 switch: unable to ping…
-
Hi everyone,
We have a problem setting up two pfSense boxes with CARP VIPs.
The network configuration is not really complicated.
I have a subnet with public IPs: ..124.240/29
- Gateway: ..124.241
- WAN CARP VIP: ..124.242
- pfSense #1 WAN IP: ..124.243
- pfSense #2 WAN IP: ..124.244
And I have a private subnet: 172.16.0.0/24
- LAN CARP VIP: 172.16.0.1 (gateway)
- Level 3 switch: 172.16.0.3
- pfSense #1 LAN IP: 172.16.0.253
- pfSense #2 LAN IP: 172.16.0.252
I configured the sync between the pfSense boxes and it works through a dedicated interface (named "pfSync") with a private subnet 192.168.254.0/24: no problem here :)
I followed this tutorial to create my failover/redundancy system:
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29
The pfSync part is OK. I created the CARP VIPs (LAN and WAN) and set up advanced outbound NAT like this:
Interface: LAN
Source: 172.16.0.0/24
Source port: *
Destination: *
Destination port: *
NAT address: 172.16.0.1
NAT port: *
Static port: NO (I followed this: "Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address")
Now, the pfSense boxes are plugged into two Level 3 switches (LAN side). And behind those switches, I have two Level 2 switches.
With this configuration, a server which is plugged into an L2 switch cannot ping 172.16.0.1 (LAN CARP VIP) but can ping 172.16.0.3 (the L3 switch).
If I plug the same server into an L2 switch which is directly connected to the two pfSense boxes, I can ping the LAN CARP VIP.
So, I thought that the problem came from the Level 3 switch, and indeed, I found that the Level 3 switch doesn't ping the LAN CARP VIP!
And I did something: I created an entry in the ARP table of my L3 switch, with the LAN CARP VIP and the MAC address associated with it, and IT WORKED :)
Here is my problem: how can the L3 switch and the pfSense boxes communicate without creating this entry? How is it possible that my computer can ping the VIP but not my L3 switch? My computer communicates at Level 2; is that the only way to ping a CARP VIP?
Thanks for your help.
-
So ARP is failing on the L3 switch, almost certainly because it isn't issuing an ARP request (otherwise it wouldn't be the only thing that didn't work). Maybe a conflicting IP or incorrect mask on the switch. Something in that switch's config isn't right.
-
Hi CMB,
Thanks for helping me.
Since reading your answer, I have verified all the configuration on my L3 switch and found nothing that helps…
I did another test: I tried on the WAN CARP side and I have the same problem: we can't ping ..124.242, but ..124.243 and ..124.244, yes, we can.
Indeed, my ISP's switch can't find the WAN CARP VIP. It is odd that our switches (mine and the ISP's) can't ping those VIPs, no? Do we both have misconfigured switches?
-
I found something. CARP is a multicast protocol, and on my switch, multicast is not activated. Could the problem come from this?
-
It's only multicast between the firewalls; that should have no implications on whether or not you get ARP from that IP.
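The two things the thread touches, the CARP advertisements that only the firewalls exchange and the MAC address the poster had to enter by hand in the switch's ARP table, can both be checked from a packet capture. The following decoder is an added example and is not code from the thread or from pfSense: it builds constructed CARP advertisements (IP protocol 112 to 224.0.0.18, TTL 255) from the two pfSense LAN addresses in the thread, decodes them, verifies the CARP header checksum, and derives the virtual MAC a CARP VIP answers ARP with (00:00:5e:00:01:&lt;VHID&gt;), which is the address that belongs in a static ARP entry for the VIP. The VHID of 1 is an assumption, since the thread never states it, and the HMAC-SHA1 field is zero-filled and not verified, because that would need the CARP password.

```python
import ipaddress
import struct

CARP_PROTO = 112              # IP protocol number shared by CARP and VRRP
CARP_GROUP = "224.0.0.18"     # link-local multicast group CARP advertises to
CARP_TTL = 255                # advertisements are sent with TTL 255
CARP_VERSION = 2
CARP_TYPE_ADVERTISEMENT = 1
CARP_HDR_FMT = "!BBBBBBHQ20s" # ver/type, vhid, advskew, authlen, demote, advbase, cksum, counter, hmac
CARP_HDR_LEN = struct.calcsize(CARP_HDR_FMT)  # 36 bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IP and the CARP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def carp_virtual_mac(vhid: int) -> str:
    """MAC address a CARP VIP answers ARP with: VRRP-style 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def build_carp_advert(src_ip: str, vhid: int, advskew: int, advbase: int,
                      counter: int, hmac: bytes = bytes(20)) -> bytes:
    """Constructed IPv4 + CARP advertisement (the HMAC is a placeholder, not a real signature)."""
    # authlen 7 = counter (2 x 32-bit words) + SHA1 HMAC (5 x 32-bit words)
    hdr = struct.pack(CARP_HDR_FMT, (CARP_VERSION << 4) | CARP_TYPE_ADVERTISEMENT,
                      vhid, advskew, 7, 0, advbase, 0, counter, hmac)
    carp = hdr[:6] + struct.pack("!H", inet_checksum(hdr)) + hdr[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, CARP_TTL,
                     CARP_PROTO, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(CARP_GROUP).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + carp


def parse_carp_advert(pkt: bytes) -> dict:
    """Decode one IPv4 CARP advertisement; raises ValueError if the packet is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != CARP_PROTO:
        raise ValueError(f"IP protocol {proto}, not CARP (112)")
    carp = pkt[ihl:total_len]
    if len(carp) < CARP_HDR_LEN:
        raise ValueError("truncated CARP header")
    vt, vhid, advskew, authlen, demote, advbase, cksum, counter, md = struct.unpack(
        CARP_HDR_FMT, carp[:CARP_HDR_LEN])
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": dst, "ttl": ttl,
        "version": vt >> 4, "type": vt & 0x0F, "vhid": vhid,
        "advskew": advskew, "advbase": advbase, "demotion": demote,
        "counter": counter, "hmac": md.hex(),
        # checksum covers the whole CARP payload; a valid one sums to zero
        "checksum_ok": inet_checksum(carp) == 0,
        "well_formed": dst == CARP_GROUP and ttl == CARP_TTL and vt >> 4 == CARP_VERSION
                       and (vt & 0x0F) == CARP_TYPE_ADVERTISEMENT,
        "virtual_mac": carp_virtual_mac(vhid),
    }


def elect_master(adverts: list) -> str:
    """Source IP of the node that should hold the VIP: lowest (advbase, advskew) wins."""
    valid = [a for a in adverts if a["checksum_ok"] and a["well_formed"]]
    if not valid:
        raise ValueError("no valid advertisements")
    return min(valid, key=lambda a: (a["advbase"], a["advskew"]))["src"]


def expected_arp_entry(vip: str, vhid: int) -> tuple:
    """(IP, MAC) pair a static ARP entry for the VIP has to carry."""
    return (vip, carp_virtual_mac(vhid))


if __name__ == "__main__":
    VHID = 1  # assumption: the thread does not say which VHID was used
    # constructed sample: master (skew 0) and backup (skew 100) on the LAN IPs from the thread
    adverts = [parse_carp_advert(build_carp_advert("172.16.0.253", VHID, 0, 1, 1000)),
               parse_carp_advert(build_carp_advert("172.16.0.252", VHID, 100, 1, 1000))]
    for a in adverts:
        print(f"{a['src']} -> {a['dst']} vhid={a['vhid']} skew={a['advskew']} "
              f"cksum_ok={a['checksum_ok']} well_formed={a['well_formed']}")
    print("master:", elect_master(adverts))
    print("static ARP entry for the VIP:", expected_arp_entry("172.16.0.1", VHID))
```

On a real capture (tcpdump -ni <lan> proto 112 on either pfSense box) the same decoder shows whether both firewalls' advertisements reach each other and which node is master; the virtual MAC it derives is what the switch should learn from an ARP reply for 172.16.0.1, and what the poster entered by hand.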