FRR OSPF and CARP
-
I have a conundrum with OSPF (FRR) and HA using CARP on pfSense.
With two pfSense FWs running in HA with a CARP (LAN side in this example, but it doesn't really matter), I would expect my devices on this network to be using this CARP as the gateway, and indeed this is working fine; in the event of failover, the CARP moves and everything carries on.
The question I have, however, is that OSPF advertises the physical interface IP and not the CARP, so connections from other OSPF-attached devices (mostly other pfSense instances) are told to forward to the physical IP. In the event of failure the physical IP of the secondary is advertised and things do re-establish... but all state is broken... not good.
Also, in non-failure conditions, the same IP appears to be behind two different MAC addresses (the physical IP and the CARP), upsetting some security protocols.
How do I get OSPF to advertise the CARP and not the physical IP... or am I doing it all wrong?
-
@spearless
I'm using FRR BGP with CARP, but OSPF should be similar.
Under global, set the router ID to the IP of the CARP. Set the CARP status IP to the LAN CARP. Under OSPF, use the shared IP as the router ID, as in global.
-
Thanks for your help... I have modified my config to match your guidance, but unfortunately there has been no change to the issue.
The Interface IP (and not the CARP) is being advertised in all routes to other OSPF devices.
I had different router IDs on my primary and secondary FWs, and having changed this to be the LAN CARP IP (and therefore the same on both), reconvergence seems to have sped up... which makes sense, but no other change.
If I do a capture on this interface, I only see CARP "Hello" from the physical interface IP and not the CARP, which may be a clue.
Seems FRR is only aware of the "Interface" and not a CARP. Unless I'm missing something.
-
@spearless
Under BGP, when I add a neighbor, I have an option for 'update source' that I can set to the CARP IP. Do you have a similar setting under OSPF?