Netgate Discussion Forum
CARP 2.3.2-p1 - backup node doesn't ping gateway

HA/CARP/VIPs
• bronson

Such a situation:
Two pfSense in an HA cluster addressing the WAN network, for example 1.1.1.0/27.
The address of the remote gateway is 1.1.1.1 (operator site); the WAN interface address of the first pfSense is 1.1.1.3 with a 27-bit mask, the WAN interface address of the second pfSense is 1.1.1.4 with a 27-bit mask.

I set up CARP, according to the descriptions I found, with the IP address 1.1.1.2 and a 27-bit mask. With this configuration only the pfSense that is the CARP Master can ping the gateway 1.1.1.1; the second pfSense, as Backup, does not see gateway 1.1.1.1, the gateway doesn't reply to ping.

After changing the mask setting for CARP address 1.1.1.2 from 27-bit to 32-bit,
both nodes regardless of the CARP state, whether Master or Backup

Both nodes are on pfSense 2.3.2-RELEASE-p1 (amd64).

Tell me, what is the correct configuration mask for CARP?? Why, when set to a 27-bit mask, can the router which is the Backup for CARP not ping the gateway??

P.S. Sorry, my English is probably not perfect :-)

• IB

@bronson:

After changing the mask settings for CARP address 1.1.1.2 with mask 27 bit to 32 bit
both Nodes regardless of the state of CARP whether Master or Backup

Can both nodes ping the gateway or not? What mask is on the operator gateway? /30?

• bronson

When I change the subnet mask in the CARP settings from 27-bit to 32-bit, then I can ping the gateway from the first pfSense node and the second pfSense node.
When in the CARP settings I write a 27-bit subnet mask, then I ping the gateway only from the pfSense which is Master in CARP status.

The connection subnet between me and my ISP has a 27-bit mask.

• IB

When pinging the gateway, you can change the source address. Can the Master ping the gateway both from its own address and from the CARP address? When you migrate the master role to the secondary server, can it ping the gateway from the CARP address? From its own address?

• bronson

I monitor the gateway from pfSense features :-) in Gateway monitor.
When I change the role Master<>Backup in CARP, then the pfSense which previously pinged (saw) the gateway stops seeing it, and the one which has just become master begins to see it, although previously it was not available to it …

When I set the network mask in the CARP settings to 32-bit, then everything is OK, both nodes see the gateway.

• Derelict (Netgate)

Everything should be a /27 netmask. Both interfaces and the CARP VIP.

If you cannot ping 1.1.1.1 sourced from 1.1.1.4 on the secondary, you have either broken something with outbound NAT somehow or it is a problem with your ISP or outside switch.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

• bronson

Outgoing NAT I have set up this way:
from LAN network - NAT -> WAN IP CARP
from pfSense loopback (127.0.0.1) - NAT is the WAN interface IP
I am connected with two links to the ISP switch.

When I had the mask set to 27-bit, my ISP claimed that the port to which the pfSense with CARP in backup state was connected did not register any MAC.
The link between pfSense and the switch was up; the LEDs on both devices signalled the respective statuses.
Do the two links of CARP need some specific configuration on the side of the ISP switch??

• Derelict (Netgate)

When I had the mask set to 27-bit, my ISP claimed that the port to which the pfSense with CARP in backup state was connected did not register any MAC

Doesn't much matter what the ISP says. All netmasks MUST be /27.

Do the two links of CARP need some specific configuration on the side of the ISP switch??

Generally, no. The two ports need to be on the same broadcast domain and properly pass multicast between each other. Unless the switch is broken, two untagged ports (three if you count the one to the ISP) on the same VLAN "just work."

Might be an issue with the ISP switch.

https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

You'll probably have to take some packet captures to see what's really happening.

You should be able to ping the ISP gateway sourced from the WAN interface address on each node at all times.

You should be able to ping the ISP gateway sourced from the WAN CARP VIP from whichever node is the master at the time.

If either of those cases is not true you have something wrong and need to work it out with the ISP/outside switch/etc.

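The two ping rules Derelict gives above, turned into a check script for one pfSense node. This is an added example, not code from the thread or from pfSense; it assumes FreeBSD's `ping -S` and `ifconfig` output format, the thread's addresses (gateway 1.1.1.1, CARP VIP 1.1.1.2), and a WAN interface named vtnet0.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check Derelict's two rules on
# one pfSense/FreeBSD node. Gateway and VIP are the thread's; vtnet0 is assumed.
GW=${GW:-1.1.1.1}
VIP=${VIP:-1.1.1.2}
WAN_IF=${WAN_IF:-vtnet0}

# carp_state VIP: read `ifconfig` output on stdin and print MASTER, BACKUP or
# INIT for the vhid carrying VIP, or UNKNOWN if VIP is not a CARP address here.
carp_state() {
  awk -v vip="$1" '
    $1 == "inet" && $2 == vip { for (i = 1; i <= NF; i++) if ($i == "vhid") want = $(i + 1) }
    $1 == "carp:"             { state[$4] = $2 }
    END { r = (want != "" && (want in state)) ? state[want] : "UNKNOWN"; print r }'
}

# own_wan_ip: the first non-CARP inet address on WAN_IF (address lines without "vhid").
own_wan_ip() { ifconfig "$WAN_IF" | awk '$1 == "inet" && !/vhid/ { print $2; exit }'; }

# reachable SRC DST: 0 if DST answers an echo sourced from SRC (FreeBSD ping -S).
reachable() { ping -S "$1" -c 2 -t 3 "$2" >/dev/null 2>&1; }

# judge STATE OWN_OK VIP_OK: apply the rules, print findings, return 1 on a violation.
judge() {
  rc=0
  # Rule 1: the WAN interface address must reach the gateway on every node, always.
  if [ "$2" != 1 ]; then echo "FAIL: gateway unreachable from own WAN IP (outbound NAT, ISP or switch)"; rc=1; fi
  case "$1" in
    MASTER) # Rule 2: the VIP must reach the gateway from whichever node is master.
      if [ "$3" != 1 ]; then echo "FAIL: gateway unreachable from CARP VIP while MASTER"; rc=1; fi ;;
    BACKUP) # The VIP is not active here, so no answer from it is expected, not a fault.
      if [ "$3" = 1 ]; then echo "WARN: VIP reached the gateway from a BACKUP node; check CARP state on both nodes"; fi ;;
    *) echo "FAIL: cannot determine CARP state ($1)"; rc=1 ;;
  esac
  if [ "$rc" -eq 0 ]; then echo "OK: node consistent with CARP state $1"; fi
  return "$rc"
}

main() {
  state=$(ifconfig "$WAN_IF" | carp_state "$VIP")
  own=$(own_wan_ip)
  own_ok=0; vip_ok=0
  reachable "$own" "$GW" && own_ok=1
  reachable "$VIP" "$GW" && vip_ok=1
  judge "$state" "$own_ok" "$vip_ok"
}

# Run the live checks only when invoked as `sh carpcheck.sh run` on the node.
if [ "${1:-}" = run ]; then main; fi
```

Run it on both nodes, then fail over and run it again; a FAIL from the interface address on either node points at outbound NAT, the ISP or the outside switch rather than at the CARP netmask.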
• bronson

Thanks for the explanation of my doubts ..
Tomorrow I will try to contact an engineer from the ISP ..
At the moment, each of the pfSenses is plugged into a separate port of a DCN DCS-4500-10C switch, which is owned by the ISP.
Finally, as part of the test, I can put any Cisco (e.g. C3750) in between me and the ISP switch and check whether the behaviour changes.

------

Thanks for the clarification and for drawing attention to the configuration of the switch .. now everything is OK.
The ISP's switch has GVRP and GMRP filtering turned on by default on client ports.
And that was the problem .. after turning off the GVRP and GMRP filtering on the ports which I use, everything behaves correctly with the 27-bit mask set in CARP.
Another new experience; a man learns his whole life :-)
So far I have used in a production environment several F5 Networks devices that work in an HA cluster and quietly use probably just CARP, and this combined with Cisco switches always worked without a problem, even with aggregated ports and support for multiple VLANs ..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.