Netgate Discussion Forum

    After Failover -> VIP not working

    HA/CARP/VIPs
    2 Posts 2 Posters 897 Views
    • fips

      Hey Guys!

      my setup:
      From my ISP I got a /29 subnet over a single Ethernet cable -> split up with a small switch -> 2 FWs with the same version of pfSense.
      Each FW has a public IP for WAN; one public IP is used for the VIP.
      SYNC over a network cable.

      I configured CARP according to the how-to from the docs.
      pfsync works; after I unplug WAN on the master FW, the backup FW starts working. LAN users can access the Internet without any problems.

      Sad but true, there is a problem:
      As long as my master is running I can use the VIP (translated to an HTTP server) or just ping a server over a VIP.
      When I unplug WAN on the master, the slave starts to work, but I can't see the website or get a successful ping over the VIP.
      If I plug WAN back in on the master, everything is fine.

      As I understood CARP and pfsync, everything is synchronized between both FWs, if I can see the same entries and configurations on both FWs.
      Is it possible that my ISP cached something or so?

      Thanks in advance

      Steve

      • JeGr (LAYER 8 Moderator)

        Hi Steve,

        JimP and CMB helped me with the exact same problem, after our upstream provider routed an additional /29 network to our new pfSense firewalls. As for diagnosis, the effects were almost the same as yours. Master is up: all is going well; master is down -> slave takes over -> all is good except the VIPs from the /29 network.

        As it became clear that it had nothing to do with CARP, syncing or anything else, JimP gave me the hint to call our upstream provider and let them check the IP to which they route the /29 network. And as expected, they answered that they had made an error and routed the whole /29 to the public IP of the master firewall instead of the CARP VIP I had told them.

        • So the question is: how is your /29 network routed to you? Did you get public IPs prior to this /29, or is that all you have?
        • If it's all you have: do you have a gateway from your provider in the same /29 network? Or is the GW in another transfer network?

        Greets
        Jens


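A way to confirm the misrouting Jens describes from the backup firewall itself, added here as an example and not part of either post: while the master's WAN is unplugged, capture ARP on the backup's WAN interface and look at which address the ISP gateway is asking for. If the gateway keeps sending "who-has <master WAN IP>" and nothing ever arrives for the routed /29, the upstream next hop is the master's physical address rather than the CARP VIP, and no amount of CARP or pfsync tuning on the firewalls will fix it. The addresses (RFC 5737 documentation ranges), the interface name `em0`, the layout (a transfer network for the WAN addresses plus a separately routed /29) and the capture lines are constructed assumptions for the example, not the posters' real values.

```shell
#!/bin/sh
# Added example (not from the forum posts): classify what the upstream
# gateway is doing during a failover test from a tcpdump capture taken on
# the BACKUP firewall's WAN interface, e.g.
#   tcpdump -ni em0 'arp or net 203.0.113.0/29'
# All addresses below are assumed documentation-range values.
MASTER_WAN="198.51.100.2"   # master's physical WAN address (assumed)
BACKUP_WAN="198.51.100.3"   # backup's physical WAN address (assumed)
CARP_VIP="198.51.100.4"     # CARP VIP the ISP should route the /29 to (assumed)
ISP_GW="198.51.100.1"       # provider gateway in the transfer network (assumed)
ROUTED_NET="203.0.113.0/29" # the routed block hosting the public VIPs (assumed)

# Constructed sample capture: master WAN unplugged, ISP next hop is the
# master's physical IP. The gateway ARPs for an address nobody answers.
SAMPLE_BAD='12:00:01.000000 ARP, Request who-has 198.51.100.2 tell 198.51.100.1, length 46
12:00:02.000000 ARP, Request who-has 198.51.100.2 tell 198.51.100.1, length 46
12:00:03.000000 ARP, Request who-has 198.51.100.2 tell 198.51.100.1, length 46'

# Constructed sample capture: ISP next hop is the CARP VIP. The backup,
# now CARP MASTER, answers from the CARP virtual MAC and traffic for the
# /29 arrives.
SAMPLE_GOOD='12:00:01.000000 ARP, Request who-has 198.51.100.4 tell 198.51.100.1, length 46
12:00:01.000500 ARP, Reply 198.51.100.4 is-at 00:00:5e:00:01:01, length 28
12:00:01.100000 IP 192.0.2.10 > 203.0.113.3: ICMP echo request, id 1, seq 1, length 64'

# diagnose <capture text>
# Prints a verdict and returns:
#   1 when the gateway ARPs for the master's physical WAN IP (ISP misroute)
#   0 when the gateway talks to the CARP VIP or /29 traffic arrives
#   2 when the capture shows neither (cabling, switch, or filter problem)
diagnose() {
  capture="$1"
  net_prefix=$(printf '%s' "$ROUTED_NET" | sed 's#\.[0-9]*/[0-9]*$#\\.#')

  if printf '%s\n' "$capture" | grep -q "who-has $MASTER_WAN tell $ISP_GW"; then
    echo "ISP next hop for $ROUTED_NET is the master's physical WAN IP $MASTER_WAN;" \
         "ask the provider to route it to the CARP VIP $CARP_VIP instead"
    return 1
  fi

  if printf '%s\n' "$capture" | grep -Eq "who-has $CARP_VIP tell $ISP_GW|> $net_prefix"; then
    echo "ISP next hop is the CARP VIP $CARP_VIP; upstream routing is fine," \
         "look at CARP state, rules and NAT sync instead"
    return 0
  fi

  echo "no ARP from $ISP_GW and no $ROUTED_NET traffic seen; check cabling," \
       "the switch, or the capture filter"
  return 2
}

# Stand-alone demonstration on the constructed captures.
diagnose "$SAMPLE_BAD"
diagnose "$SAMPLE_GOOD"
```

On a real system replace the two samples with `tcpdump -ni em0 'arp or net 203.0.113.0/29' | head -20` taken during the failover test; with the master's WAN cable pulled, the first verdict is the symptom from this thread and the fix is on the provider's side, as Jens found.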
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.