COX and the CARP MAC
-
@rhsfit once you figured out this was happening, did you (and Cox) find a solution?
-
Nope. We have just been living with it until the contract is over.
-
@rhsfit shoot, I was really hoping. Having the same problem (I think), but can't get Cox tier 2 support to acknowledge that the problem is on their end, or even really get them to understand the problem.
Sounds like you were able to at least get the CARP VIP working for inbound/outbound traffic though, it just didn't switch over to the slave firewall properly when the master went down? My problem is slightly different... outbound CARP VIP traffic from the firewalls just goes into a black hole for me, master or slave.
-
Tell them it's a couple of Cisco routers using VRRP instead, maybe. VRRP might not seem so scary to them. The basic requirements on their side should be the same.
-
@Derelict do ISPs typically have to make accommodations for CARP to work?
-
Not real ones.
-
I mean you could always approach it like this:
"My business requirements dictate layer 3 redundancy here. What if I switch to Cisco routers and VRRP? Will that work with your gear? Is that supported?"
-
I'll give it a shot and report back
-
I'm finally getting somewhere with Cox. Just got off the phone with tier 3 support, with a tech who was familiar with HSRP and VRRP (but not CARP). He is thinking currently that the CMTS is probably dropping the outbound packets since the outbound source MAC doesn't match the VIP's (VHID) MAC in the ARP table. He says he knows VRRP works, and that they don't have to do any special configuration for it. His thought is that with VRRP the outbound source MAC would be the VIP (VHID) MAC so there would be no ARP mismatch, and therefore the CMTS wouldn't reject the packet.
@Derelict Are you able to confirm or deny whether VRRP and CARP differ on the outbound source MAC?
Cox has scheduled a call with DOCSIS on Monday to do some further investigation, so hopefully I'll get a solid answer whether they can support CARP, and if not why not.
-
@meyerds I have access to a CARP pair talking to a VRRP pair.
When pfSense sends an ICMP echo request to the VRRP address, it goes to the VRRP MAC address 00:00:5e:00:01:01.
The ICMP echo reply is sourced from the router's interface address 44:2b:03:aa:bb:cc.
Just like pfSense/CARP.
-
Just in case anyone is looking for answers, this is what I found out about CARP with a Cox Business cable modem connection: It doesn't work, 100% certain. Cox's CMTS registers the known MAC address for your firewall, which in this case is the VHID MAC, and any outbound traffic that does not match that MAC address will be dropped (as it is for traffic leaving the master firewall in a CARP pair). I finally got to the DOCSIS tech support tier, and the tech was very knowledgeable and was able to change some firmware settings in both the modem and on the CMTS in an effort to remove the limitation. Despite making firmware changes that in theory should've worked, it had no effect. Note he also said the changes he made in the CMTS would've only lasted until the next Cox scheduled maintenance on their end, anyway. He said VRRP/CARP works fine on their fiber connections for sure, so it's a limitation of the CMTS since those networks are meant for residential connections where the possibility of abuse is higher. He also said they have almost no visibility or control over the cable modem firmware, that it's very closely guarded by the modem manufacturers. Bummer.
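The behaviour described in the posts above, as an added example that is not part of the thread or of pfSense: a small model of a CMTS that registers the subscriber MAC from the ARP reply for the VIP (the VHID MAC) and then drops upstream frames sourced from any other MAC. The physical NIC MACs and the frame list are constructed for illustration.

```python
# Added example (not from the thread or pfSense): model a source-MAC-locking
# CMTS so the CARP drop described above can be reasoned about frame by frame.
from dataclasses import dataclass


def carp_vhid_mac(vhid: int) -> str:
    """Virtual MAC shared by CARP and VRRP: 00:00:5e:00:01:<VHID>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


@dataclass(frozen=True)
class Frame:
    src_mac: str   # Ethernet source address as seen by the CMTS
    kind: str      # "arp-reply" or "data"
    note: str      # who sent it, for the report


class SourceMacLockingCmts:
    """Registers the subscriber MAC from the first ARP reply it sees, then
    drops every upstream frame whose source MAC does not match it."""

    def __init__(self):
        self.registered_mac = None

    def verdict(self, frame: Frame) -> str:
        src = frame.src_mac.lower()
        if self.registered_mac is None:
            if frame.kind == "arp-reply":
                self.registered_mac = src        # the VHID MAC in the CARP case
                return "learned"
            return "pass"                        # nothing registered yet
        return "pass" if src == self.registered_mac else "drop"


def simulate(frames):
    cmts = SourceMacLockingCmts()
    return [(f.note, cmts.verdict(f)) for f in frames]


VIP_MAC = carp_vhid_mac(1)            # 00:00:5e:00:01:01, as quoted in the thread
MASTER_NIC = "02:00:00:00:00:a1"      # constructed placeholder MACs
BACKUP_NIC = "02:00:00:00:00:b2"

# CARP: ARP for the VIP is answered from the VHID MAC, data leaves from the NIC MAC.
CARP_PAIR = [
    Frame(VIP_MAC, "arp-reply", "master answers ARP for the VIP (VHID MAC)"),
    Frame(MASTER_NIC, "data", "master sends outbound traffic from its NIC MAC"),
    Frame(VIP_MAC, "arp-reply", "backup takes over, gratuitous ARP (VHID MAC)"),
    Frame(BACKUP_NIC, "data", "backup sends outbound traffic from its NIC MAC"),
]
# The tier 3 tech's hypothesis: data sourced from the VHID MAC would pass.
VIP_SOURCED = [Frame(VIP_MAC, "arp-reply", "ARP reply for the VIP"),
               Frame(VIP_MAC, "data", "outbound traffic sourced from the VHID MAC")]

if __name__ == "__main__":
    for note, verdict in simulate(CARP_PAIR) + simulate(VIP_SOURCED):
        print(f"{verdict:8} {note}")
```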
-
Yeah that's too bad. Thanks for pursuing it further and reporting back.
-