Netgate Discussion Forum

pfSense: CARP interface replies to ARP request with 2 MAC addresses

Category: HA/CARP/VIPs
7 Posts 4 Posters 2.8k Views
chuyengiason, Jul 14, 2016, 11:08 AM:

    Hello, I have 2 pfSense boxes.

    • LAN and WAN interfaces are configured to use CARP and a VIP.
    • I see that the master box replies to an ARP request for the LAN VIP with 2 messages: 1 claims that the VIP's MAC address is the physical MAC and 1 claims that the VIP's MAC address is the CARP MAC.
    • So the PC in the LAN gets confused, thinks that the CARP VIP is a duplicate and refuses to use it as the default GW.

    Here is the sysctl configuration of pfSense:

    device  carp
    net.inet.carp.allow: 1
    net.inet.carp.preempt: 1
    net.inet.carp.log: 1
    net.inet.carp.demotion: 0
    net.inet.carp.senderr_demotion_factor: 0
    net.inet.carp.ifdown_demotion_factor: 240
    net.inet.carp.stats: Format:I Length:128 Dump:0x44866b01000000000000000000000000…
    net.link.ether.inet.carp_mac: 1
    net.link.ether.inet.log_arp_wrong_iface: 1
    net.link.ether.inet.log_arp_movements: 1
    net.link.ether.inet.log_arp_permanent_modify: 1
    net.link.ether.arp.stats: Format:I Length:96 Dump:0xb2ac0800000000005d9c020000000000...
    net.link.bridge.ipfw_arp: 0
    net.pfsync.carp_demotion_factor: 0

    In Linux, I used keepalived, and its arp_announce and arp_ignore settings do the trick. But I cannot find any setting like that in pfSense/FreeBSD.
    Please help to fix it.
    Thanks

Paint, Jul 14, 2016, 1:34 PM:

      If you go to the System -> Advanced -> Networking tab, you should check the last box on the page to enable ARP Handling. This option will suppress ARP log messages when multiple interfaces reside on the same broadcast domain.

      This setting will disable these two sysctl settings:

      net.link.ether.inet.log_arp_movements: 0
      net.link.ether.inet.log_arp_wrong_iface: 0
      

      pfSense i5-4590
      940/880 mbit Fiber Internet from FiOS
      BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
      Netgear R8000 AP (DD-WRT)

dotdash, Jul 14, 2016, 2:22 PM:

        I think those sysctls just suppress error messages about duplicate MACs. OP, what OS was the PC running that wouldn't accept the gateway? I've never seen that behavior.

chuyengiason, Jul 14, 2016, 3:13 PM:

          The 2 sysctl options are about logging only.

          Btw, the PC is running FreeBSD also.
          The PC points its GW to the VIP of the LAN interface in pfSense.
          When I ping the internet and run tcpdump on the PC, I see that it asks for the MAC address of the VIP and receives 2 replies from pfSense.

          I also have CARP configured on 2 FreeBSD servers. The configuration is quite the same and the FreeBSD servers return ARP correctly. I'm not sure why the problem happens with pfSense :(

chuyengiason, Jul 14, 2016, 3:14 PM:

            One thing is:

            • master pfSense running version 2.2.1
            • slave running 2.3.1

dotdash, Jul 14, 2016, 3:31 PM:

              @chuyengiason:

              One thing is:

              • master pfSense running version 2.2.1
              • slave running 2.3.1

              That could be a problem. I would upgrade the master so they are at the same version.

Derelict (LAYER 8, Netgate), Jul 19, 2016, 4:29 AM:

                Code-level differences like that should really only be run for a minimum of time: enough time to know everything's working, then update the other node to match. If not, fail back and restore the secondary to the working version. You will find that the closer the two nodes in the cluster are to each other (hardware, software, etc.) the happier your cluster will be.

                The interface will respond with the interface MAC for ARP for the interface address. The unit that is CARP master will respond with the CARP MAC for the CARP VIP address. The ARP request will be for one IP address or the other.

                When you're looking at the ARP traffic, you see a WHO HAS X.X.X.X IP address. Only the MAC address that has that actual IP address will respond.

                Need more details about what you're really seeing, like specific IP addresses, MAC addresses, and probably packet captures showing what you're seeing to be of any sort of assistance. Both nodes please.

                And so we all are talking about the same things let's use the same terminology:

                Primary - the node that is usually Master and sends its config XMLRPC Sync to the other node.
                Secondary - the node that is usually Backup and does not send config XMLRPC sync to the other node.

                Master - the node that is currently CARP master
                Backup - the node that is currently CARP backup.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

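The rule Derelict states (the interface MAC answers for the interface address, the CARP MAC 00:00:5e:00:01:&lt;VHID&gt; answers for the VIP, one responder per IP) can be checked directly against a tcpdump capture like the one the original poster describes. The script below is an added example, not code from the thread or from pfSense; the ARP lines, IP addresses and MACs in it are constructed, and the VHID 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n arp` output modelled on the symptom in this
# thread: the PC asks for the LAN VIP's MAC and gets two replies with different MACs.
SAMPLE_CAPTURE = """\
10:01:02.100001 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:01:02.100250 ARP, Reply 192.168.1.1 is-at 00:00:5e:00:01:05, length 28
10:01:02.100300 ARP, Reply 192.168.1.1 is-at 08:00:27:aa:bb:cc, length 28
10:01:02.200001 ARP, Request who-has 192.168.1.2 tell 192.168.1.50, length 28
10:01:02.200200 ARP, Reply 192.168.1.2 is-at 08:00:27:aa:bb:cc, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)

def is_carp_mac(mac):
    """CARP VIPs answer with the VRRP-style address 00:00:5e:00:01:<VHID>."""
    return mac.lower().startswith("00:00:5e:00:01:")

def carp_vhid(mac):
    """Return the VHID encoded in the last byte of a CARP MAC, or None otherwise."""
    return int(mac.split(":")[-1], 16) if is_carp_mac(mac) else None

def replies_by_ip(capture):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return dict(claims)

def conflicting_replies(capture):
    """IPs answered by more than one MAC (the duplicate-address symptom in this
    thread). Each entry maps the claiming MACs to whether they are CARP MACs."""
    result = {}
    for ip, macs in replies_by_ip(capture).items():
        if len(macs) > 1:
            result[ip] = {mac: is_carp_mac(mac) for mac in sorted(macs)}
    return result

if __name__ == "__main__":
    for ip, macs in conflicting_replies(SAMPLE_CAPTURE).items():
        print(f"{ip} claimed by {len(macs)} MACs:")
        for mac, carp in macs.items():
            tag = f"CARP VHID {carp_vhid(mac)}" if carp else "physical interface MAC"
            print(f"  {mac} ({tag})")
```

Run it against a real capture from both nodes (replace SAMPLE_CAPTURE with the tcpdump text); a healthy cluster produces no conflicting entries, and a VIP answered by a physical MAC points at the node that is misbehaving.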