Netgate Discussion Forum

    Can't access Backup router after HA/CARP enabled

    Category: HA/CARP/VIPs
    4 Posts 3 Posters 557 Views
    lmurarka (last edited by lmurarka)

      I have two xg-7100-1u routers on the same version.

      I have configured CARP VIPs for 3 local subnets on the primary, and the respective x.x.x.2 (primary) & x.x.x.3 (backup) IPs on eth 6, 7, 8 on both routers.

      The Cisco switch stack has 6 ports in access mode connected to eth 6, 7, 8 on both routers.

      I'm on one of the subnets and can access/ping the primary router via any VIP or x.x.x.2 IP, no problem.

      However, the backup router can only be accessed via the LAN port (192.168.1.1) on eth2, which I connect directly to my PC and used to configure interfaces/rules before I enabled HA pfsync/XMLRPC.

      I can't ping any of the x.x.x.3 IPs on eth 6, 7, 8 on the backup.

      I have configured the IX1 interface as 192.168.3.1/30 (primary) & 192.168.3.2/30 (backup).

      Once I establish the connection on IX1 and enable HA pfsync/XMLRPC, I can't access the backup router via the LAN port on eth2 anymore, and the x.x.x.3 IPs don't respond either.

      I can use the console to access the backup router.

      Perhaps I have configured the routers in the wrong order?
      Is HA/CARP going to work for my local subnets?

      On a side note, I only have one WAN IP, and I was NOT able to apply the public WAN gateway IP to a private /30 subnet on the WAN interface.

      Anyway, any help would be appreciated, Thanks!

      Attachments: firewall02_console.PNG, firewall01_primary.PNG, firewall01_pfsync.PNG, firewall01_interfaces.PNG, firewall01_carpstatus.PNG

      tsueri

        I have exactly the same problem with my two XG-7100 in HA mode.
        Some help would be really appreciated.

        jgraham5481

          Those CARP addresses should have the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.

          tsueri
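The mask mismatch jgraham5481 describes is easy to miss in the GUI and only shows up as "the backup does not answer". Below is an added example, not code from this thread or from pfSense itself, that reads a pfSense-style config.xml and flags every CARP VIP whose prefix length differs from the interface it is bound to (and, while at it, any VIP whose address is not inside that interface's network). The element names (`interfaces/<name>/ipaddr` and `subnet`, `virtualip/vip/mode`, `interface`, `subnet`, `subnet_bits`) are assumed to mirror the real config.xml layout; the sample config embedded in the script is constructed for the demonstration.

```python
"""
Lint a pfSense-style config.xml for CARP VIPs whose prefix length does not
match the prefix length of the interface they are bound to.

Added example (not from the thread, not pfSense code). The XML element names
are assumed to follow pfSense's config.xml; verify them against a real export
(Diagnostics > Backup & Restore) before trusting results on a live config.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: x.x.x.2 on /24 interfaces, VIPs on
# the same interfaces. opt2's VIP was mistakenly entered as /32 and opt3's VIP
# lives in a different subnet than its interface.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <opt1><if>eth6</if><ipaddr>10.10.6.2</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>eth7</if><ipaddr>10.10.7.2</ipaddr><subnet>24</subnet></opt2>
    <opt3><if>eth8</if><ipaddr>10.10.8.2</ipaddr><subnet>24</subnet></opt3>
    <wan><if>eth1</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>10.10.6.1</subnet><subnet_bits>24</subnet_bits><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>opt2</interface><subnet>10.10.7.1</subnet><subnet_bits>32</subnet_bits><vhid>2</vhid></vip>
    <vip><mode>carp</mode><interface>opt3</interface><subnet>10.10.9.1</subnet><subnet_bits>24</subnet_bits><vhid>3</vhid></vip>
  </virtualip>
</pfsense>
"""


def load_interfaces(root):
    """Map interface name (opt1, lan, ...) to its static ip_interface."""
    ifaces = {}
    for node in root.find("interfaces"):
        ipaddr = node.findtext("ipaddr")
        bits = node.findtext("subnet")
        # DHCP or unassigned interfaces carry no static prefix to compare against.
        if ipaddr is None or bits is None or ipaddr in ("dhcp", "none"):
            continue
        ifaces[node.tag] = ipaddress.ip_interface(f"{ipaddr}/{bits}")
    return ifaces


def check_carp_vips(config_xml):
    """Return a list of (interface, vip, reason) for every CARP VIP that is
    inconsistent with the interface it is bound to. An empty list is clean."""
    root = ET.fromstring(config_xml)
    ifaces = load_interfaces(root)
    findings = []
    for vip in root.iter("vip"):
        if vip.findtext("mode") != "carp":
            continue  # only CARP VIPs participate in failover
        name = vip.findtext("interface")
        vip_if = ipaddress.ip_interface(
            f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"
        )
        parent = ifaces.get(name)
        if parent is None:
            findings.append((name, str(vip_if), "interface has no static address"))
            continue
        if vip_if.network.prefixlen != parent.network.prefixlen:
            findings.append((name, str(vip_if),
                             f"prefix /{vip_if.network.prefixlen} != interface /{parent.network.prefixlen}"))
        elif vip_if.ip not in parent.network:
            findings.append((name, str(vip_if), f"address not inside {parent.network}"))
    return findings


if __name__ == "__main__":
    for iface, vip, reason in check_carp_vips(SAMPLE_CONFIG):
        print(f"{iface}: CARP VIP {vip}: {reason}")
```

Run it against `cat /conf/config.xml` exported from both nodes: after a successful XMLRPC sync the VIP section should be identical on both, so any finding on the primary will be copied to the backup along with everything else the sync carries.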

            Today I had an idea. I disabled the firewall with pfctl -d on the second device.
            Access was possible again.

            After syncing the config from the first to the second pfSense, I enabled the firewall again with pfctl -e. You might want to reboot your device at this point.

            Now it works again.
            I must have messed up something with the firewall rules, and it was applied to the second pfSense, and then I was locked out of the GUI on the second firewall as well as on my first. I have no other explanation for my situation.

            You can follow the guide from the docs (found that later): https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html#disable-the-firewall

            Also check what @jgraham5481 said in "Can't access Backup router after HA/CARP enabled":

            Those CARP addresses should have the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.