Netgate Discussion Forum

    Pings to the internet stop after a CARP failover

    HA/CARP/VIPs
    5 Posts 3 Posters 2.0k Views
    • grahambmtw

      This is my setup:

      Everything is running inside a new VMware vSphere environment

      WAN
      WAN Virtual CARP IP: x.x.x.190
      PFSense 1 WAN: x.x.x.188
      PFSense 2 WAN: x.x.x.189

      LAN
      LAN Virtual CARP IP: 192.168.110.253/24
      PFSense 1 LAN: 192.168.110.251
      PFSense 2 LAN: 192.168.110.252

      PFSense 1 is the master and all settings are set to sync over a separate network between the two firewalls (pfsync) – this is working as changes made to pfsense 1 are replicated to pfsense 2

      Workstation 1 (Windows)
      192.168.110.4/24
      Gateway: 192.168.110.253 (the LAN Virtual CARP IP)

      The problem
      On Workstation 1 I set a constant ping to 8.8.8.8 (Google’s public DNS)
      On Workstation 1 I set a constant ping to 192.168.110.253 (The virtual LAN IP)

      I "unplug" PFSense 1 and PFSense 2 becomes the master, but the pings to 8.8.8.8 stop and don't continue.

      I did this again but was pinging 192.168.110.253 (the virtual LAN IP), which stopped for a second (1 dropped) and then continued automatically, which is as expected.

      It looks like the pings to 8.8.8.8 are dropped and do not continue.
      UPDATE: Once the pings to 8.8.8.8 stop working, if I then ping 8.8.4.4 this works, but the 8.8.8.8 ones still won't.
      UPDATE: I've tried this on a Linux machine and pinging 8.8.8.8 stops when the firewall is disconnected and doesn't resume; however, it does work again if I restart the ping to 8.8.8.8 (unlike on the Windows machine). I also notice that I'm getting DUP! pings on the Linux machine when the master is online.

      Does anyone know what could be causing this?

      • cmb

        Sounds like what happens when you don't have your outbound NAT configured to NAT to a CARP IP; it's still sending out via the primary's WAN IP, which won't reach the secondary.

        • grahambmtw
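cmb's diagnosis can be checked on the firewall itself rather than inferred from ping behaviour: `pfctl -ss` prints, for every translated state, the address the packet actually leaves with, followed by the pre-NAT source in parentheses. The script below is an added example, not code from this thread or from pfSense. It parses constructed `pfctl -ss` lines (the FreeBSD pf line layout is assumed; 203.0.113.188/189/190 stand in for the thread's x.x.x.188/189/190) and flags states that were NAT'd to one node's own WAN address instead of the CARP VIP. Such a state is carried to the backup by pfsync, but its replies are addressed to the dead master's IP and never arrive, which is consistent with a running ping not recovering while a fresh flow to another address does.

```python
"""Audit pf state-table output for outbound NAT states bound to a
node-specific WAN address instead of the shared CARP VIP.

Added example, not code from the forum thread or from pfSense. It assumes
FreeBSD pf's `pfctl -ss` line layout for translated states:

    <iface> <proto> <nat-src[:port]> (<orig-src[:port]>) -> <dst[:port]>  <state>

The parenthesised original source appears only when the state was
translated; inbound states use '<-' instead of '->'.

The two outbound NAT rule shapes the thread is about, in pf syntax (assumed,
not copied from the poster's configuration):
    weak:  nat on em0 from 192.168.110.0/24 to any -> (em0)           # this node's WAN IP
    fixed: nat on em0 from 192.168.110.0/24 to any -> 203.0.113.190   # the CARP VIP
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed pfctl -ss output as it might look on the master before the
# outbound NAT was changed. Lines 1 and 5 show the problem cmb describes:
# the packet leaves with the node's own WAN IP (.188), which the backup
# never owns, so replies to it die with the master.
SAMPLE_PFCTL_SS = """\
em0 icmp 203.0.113.188:25117 (192.168.110.4:1) -> 8.8.8.8:8       0:0
em0 icmp 203.0.113.190:41002 (192.168.110.4:1) -> 8.8.4.4:8       0:0
em0 tcp 203.0.113.190:51234 (192.168.110.4:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.110.4:3389 <- 192.168.110.9:50001       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.188:53 (192.168.110.4:53) -> 1.1.1.1:53       MULTIPLE:MULTIPLE
"""

# Stand-ins for the thread's x.x.x.188 / .189 (node WAN IPs) and .190 (CARP VIP).
NODE_WAN_IPS = {"203.0.113.188", "203.0.113.189"}
CARP_VIP = "203.0.113.190"

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9.]+)(?::\d+)?"                 # address the packet leaves with
    r"(?:\s+\((?P<orig>[0-9.]+)(?::\d+)?\))?"    # pre-NAT source, only if translated
    r"\s+(?P<dir>->|<-)\s+"
    r"(?P<dst>[0-9.]+)(?::\d+)?"
    r"\s+(?P<state>\S+)$"
)


@dataclass(frozen=True)
class NatState:
    iface: str
    proto: str
    nat_src: str   # address the packet actually leaves with
    orig_src: str  # LAN host before translation
    dst: str


def parse_states(text: str) -> List[NatState]:
    """Return only translated outbound states. Untranslated and inbound ('<-')
    states carry no outbound NAT decision and are skipped; lines that do not
    match the assumed layout (IPv6, headers) are ignored rather than guessed at."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m.group("dir") != "->" or not m.group("orig"):
            continue
        states.append(NatState(m["iface"], m["proto"], m["src"], m["orig"], m["dst"]))
    return states


def audit(text: str, node_wan_ips: Iterable[str], carp_vip: str) -> Dict[str, List[NatState]]:
    """Split translated states by whether their source survives a CARP failover.
    'ok': NAT'd to the VIP, which the new master takes over.
    'stranded': NAT'd to an address only one node owns; after failover the
                replies keep going to that node and the flow never recovers.
    'other': any other source (1:1 NAT, an unexpected address); worth a look."""
    node_ips = set(node_wan_ips)
    result: Dict[str, List[NatState]] = {"ok": [], "stranded": [], "other": []}
    for s in parse_states(text):
        if s.nat_src == carp_vip:
            result["ok"].append(s)
        elif s.nat_src in node_ips:
            result["stranded"].append(s)
        else:
            result["other"].append(s)
    return result


def report(text: str, node_wan_ips: Iterable[str], carp_vip: str) -> str:
    """Human-readable summary of audit(), one line per problematic state."""
    res = audit(text, node_wan_ips, carp_vip)
    lines = [f"{len(res['ok'])} state(s) NAT to CARP VIP {carp_vip}"]
    for s in res["stranded"]:
        lines.append(f"STRANDED {s.proto} {s.orig_src} -> {s.dst} leaves as {s.nat_src} "
                     f"(node-specific WAN IP; replies will not reach the backup after failover)")
    for s in res["other"]:
        lines.append(f"CHECK {s.proto} {s.orig_src} -> {s.dst} leaves as {s.nat_src}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use live `pfctl -ss` output when piped in, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_SS
    print(report(text, NODE_WAN_IPS, CARP_VIP))
```

On a real node, edit NODE_WAN_IPS and CARP_VIP to your addresses and feed it live output, for example `pfctl -ss | python3 nat_audit.py` (the file name is an assumption). Any STRANDED line means outbound NAT is still selecting the interface address rather than the CARP VIP for that traffic, so check the Outbound NAT rule's translation address on both nodes; the states it reports are the ones a failover will leave hanging.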

          Many thanks for your help on this.
          I've set outbound NAT as below on the master (which replicated to the backup) but still get the same problems, does this look right?

          • grahambmtw

            Apologies, this is working after I select this:

            No more DUP! packets when pinging from a Linux machine and failover to the backup drops a few pings then automatically recovers.

            Hopefully this will help someone else.

            • subarunut

              Drat, same issue here, but it didn't fix it for me. The moment I set this NAT rule I get nothing, though.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.