Netgate Discussion Forum

    CARP Failover problem

      marktiller

      Hello,

      I have two pfSense firewalls configured in HA. Each firewall has two WAN interfaces and a floating IP using CARP. Each firewall has a LAN interface and a floating IP using CARP.

      My problem - if the master firewall fails, the CARP address does appear on the slave; however, no traffic is passing. If I do a traceroute from a PC on the LAN side, its first hop is the CARP address but then the second hop wants to go to the master's LAN interface and not the slave's LAN interface. If I change the slave's LAN interface to the master's LAN interface IP address, all then works.

      Does anyone know why, when the slave has taken over, it is trying to route to the master's LAN IP address after it has hit the CARP floating address? All settings look right, compared against several documents.

      Many thanks!

      Mark.

        Derelict LAYER 8 Netgate

        Everything must be pointed at the CARP VIPs. Default gateways, DNS, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          marktiller

          Thank you for replying, Derelict. Yes, everything is pointing to the CARP VIP address. If I perform a traceroute to the internet, the first hop is the CARP VIP address, but it then goes to the physical LAN's IP address.

          Any thoughts?

          Thanks,

            Derelict LAYER 8 Netgate

            Outbound NAT must also be set to use the CARP VIPs.

            It is perfectly normal for a traceroute response to appear to come from the interface address, not the CARP VIP.

            You'll probably need to perform troubleshooting steps to determine what is actually failing and we can go from there.

            https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
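
Added example, not part of the thread and not Netgate code: a small audit of the two things the replies above say must point at the CARP VIPs (DHCP-served gateway/DNS and outbound NAT translation addresses). The XML is a constructed, simplified sample; its element names are assumptions modelled on a pfSense `config.xml` export, and `audit_carp` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample. Element names are assumptions modelled on a
# pfSense config.xml export; addresses are documentation/private ranges.
SAMPLE = """<pfsense>
 <interfaces><lan><ipaddr>192.168.1.2</ipaddr></lan>
             <wan><ipaddr>203.0.113.2</ipaddr></wan></interfaces>
 <virtualip>
  <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet></vip>
  <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.1</subnet></vip>
 </virtualip>
 <dhcpd><lan><gateway>192.168.1.2</gateway>
             <dnsserver>192.168.1.1</dnsserver></lan></dhcpd>
 <nat><outbound><mode>advanced</mode>
  <rule><interface>wan</interface><target></target></rule>
  <rule><interface>wan</interface><target>203.0.113.1</target></rule>
 </outbound></nat>
</pfsense>"""

def audit_carp(xml_text):
    """Return findings where clients or NAT depend on a node address, not a CARP VIP."""
    root = ET.fromstring(xml_text)
    vips = {}  # interface name -> set of CARP VIP addresses on it
    for vip in root.iterfind("virtualip/vip"):
        if vip.findtext("mode") == "carp":
            vips.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    node_ips = {(e.text or "").strip() for e in root.iterfind("interfaces/*/ipaddr")}
    findings = []
    for scope in root.iterfind("dhcpd/*"):
        if scope.tag not in vips:
            continue  # no CARP VIP on this interface, nothing to compare against
        gateway = (scope.findtext("gateway") or "").strip()
        if gateway not in vips[scope.tag]:  # a blank gateway is flagged as well
            findings.append(f"dhcp {scope.tag}: gateway '{gateway}' is not a CARP VIP")
        for dns in scope.iterfind("dnsserver"):
            if (dns.text or "").strip() in node_ips:
                findings.append(f"dhcp {scope.tag}: dnsserver '{dns.text.strip()}' is a node address")
    outbound = root.find("nat/outbound")
    if outbound is None or outbound.findtext("mode", "automatic") == "automatic":
        findings.append("nat: automatic outbound NAT translates to the interface address")
    else:
        for i, rule in enumerate(outbound.iterfind("rule")):
            iface = rule.findtext("interface")
            target = (rule.findtext("target") or "").strip()
            if iface in vips and target not in vips[iface]:
                findings.append(f"nat rule {i} ({iface}): target '{target}' is not a CARP VIP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_carp(SAMPLE)))
```

Run it against the configuration of both nodes; a finding on either one means traffic can still depend on a single node's own address after failover.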

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.