    pfSense CARP incompatible with Draytek 2120?

    Category: HA/CARP/VIPs (5 Posts, 3 Posters, 1.6k Views)
    spyshagg:

      hi

      Two gateways connected to pfSense, WAN1 and WAN2. CARP is enabled on pfSense for both WANs.

      WAN1 = Draytek 2960
      WAN2 = Draytek 2120

      - Port forwarding to the CARP address works well with the 2960.
      - Port forwarding to the CARP address doesn't work with the 2120.

      The 2120 syslog complains of:

      Arp address mismatch – Source MAC address doesn't match ARP Sender's MAC address

      Using telnet to alter the Draytek 2120 config to allow illegal MACs does not produce results. Forwarding fails.

      Normal web browsing also seems affected (speed) when accessing it through pfSense. (Everything works normally when accessing the 2120 without pfSense.)

      spyshagg:

        corrected first post

        JeGr (Layer 8 Moderator):

          I suppose that is Draytek's "special defense" against some kind of ARP poisoning, like the one mentioned in this post:

          https://superuser.com/questions/1045892/arp-address-mismatch

          That behavior is mentioned to be configurable, so it is possible to disable that. The point the 2120 is most likely complaining about is that the pfSense primary has a different MAC address on the physical interface than on the VIP (as it should be, because the MAC for the VIP should stay the same after the slave takes over, so it has to be bound to the VIP, not to the physical NICs).

          Greets

          jimp (Netgate developer):

            It is probably being overly strict on checking the MACs, which can be good but not in this context. With CARP, the traffic sent from the upstream device to the CARP VIP will be addressed to the CARP VIP MAC, but traffic coming from the firewall and going to/out the upstream (including the ARP response) will be sourced from the HA node's own MAC address.

            Hopefully that is a setting you can disable.

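The mismatch the two replies above describe, as an added example that is not part of the thread and not Netgate's or Draytek's code. It builds the ARP reply a CARP node sends for its VIP (frame sourced from the node's physical MAC, ARP payload advertising the 00:00:5e:00:01:&lt;VHID&gt; virtual MAC), runs the strict "source MAC must equal ARP sender MAC" comparison the 2120's log line describes over it, and beside it an illustrative CARP-aware variant that tolerates the virtual-MAC range. The MACs, IPs, VHID and both check functions are constructed assumptions for illustration, not anything the Draytek actually implements.

```python
# Added example, not code from the forum thread or from Netgate/Draytek.
# It models the "Source MAC address doesn't match ARP Sender's MAC address"
# check on an Ethernet/ARP frame and shows why a CARP VIP's ARP reply trips it.
# All MACs, IPs and the VHID below are constructed sample values.
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2
# CARP (like VRRP) answers for a VIP with a virtual MAC of 00:00:5e:00:01:<VHID>.
CARP_MAC_PREFIX = bytes.fromhex("00005e0001")


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def carp_vip_mac(vhid: int) -> bytes:
    """Virtual MAC a CARP VIP advertises in its ARP replies."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return CARP_MAC_PREFIX + bytes([vhid])


def build_arp_reply(eth_src: bytes, eth_dst: bytes, sender_hw: bytes,
                    sender_ip: str, target_hw: bytes, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply. The frame source (eth_src) and
    the ARP sender hardware address are separate inputs because they can
    legitimately differ, which is exactly the CARP case."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_OP_REPLY,
                      sender_hw, socket.inet_aton(sender_ip),
                      target_hw, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Pull the fields the check needs out of a raw Ethernet/ARP frame."""
    eth_dst, eth_src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack_from(
        "!HHBBH6s4s6s4s", frame, 14)
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_src": eth_src, "op": op, "sender_hw": sha,
            "sender_ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}


def strict_arp_check(frame: bytes) -> bool:
    """The anti-spoofing rule the 2120's log line describes: accept the ARP
    only if the frame's source MAC equals the ARP sender hardware address."""
    p = parse_arp_frame(frame)
    return p["eth_src"] == p["sender_hw"]


def carp_aware_arp_check(frame: bytes) -> bool:
    """Illustrative relaxation (an assumption, not a Draytek option): keep the
    strict rule, but tolerate a mismatch when the advertised sender MAC is in
    the CARP/VRRP virtual range. Anyone on the segment can claim such a MAC,
    so this trades some spoofing protection for HA support."""
    p = parse_arp_frame(frame)
    if p["eth_src"] == p["sender_hw"]:
        return True
    return p["sender_hw"][:5] == CARP_MAC_PREFIX


# Constructed sample topology: upstream router LAN side, pfSense primary node,
# CARP VIP shared by both nodes on VHID 10.
ROUTER_MAC = mac("00:11:22:33:44:55")
NODE1_MAC = mac("00:0c:29:aa:bb:01")      # primary node's physical NIC
VIP_MAC = carp_vip_mac(10)                # 00:00:5e:00:01:0a
VIP_IP, ROUTER_IP = "192.0.2.2", "192.0.2.1"


def carp_reply_frame() -> bytes:
    """ARP reply for the VIP as the HA node emits it: frame sourced from the
    node's own MAC, ARP payload advertising the VIP MAC."""
    return build_arp_reply(NODE1_MAC, ROUTER_MAC, VIP_MAC, VIP_IP,
                           ROUTER_MAC, ROUTER_IP)


def plain_reply_frame() -> bytes:
    """ARP reply from an ordinary single host: frame and payload MAC agree."""
    return build_arp_reply(NODE1_MAC, ROUTER_MAC, NODE1_MAC, "192.0.2.3",
                           ROUTER_MAC, ROUTER_IP)


if __name__ == "__main__":
    for name, frame in (("CARP VIP reply", carp_reply_frame()),
                        ("plain host reply", plain_reply_frame())):
        print(f"{name}: strict={strict_arp_check(frame)} "
              f"carp_aware={carp_aware_arp_check(frame)}")
```

The strict check rejects the CARP reply and accepts the plain host's, which is the behaviour the 2120 logs. The check is a reasonable ARP-spoofing heuristic on a segment of single hosts, and the only legitimate traffic it breaks is first-hop redundancy protocols that advertise a virtual MAC, so an upstream device that must sit in front of a CARP pair needs either the documented toggle or a carve-out like the one sketched above.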
              spyshagg:

              Thanks for the help! Much appreciated.

              As I mentioned in the first post, there is a toggle to ignore suspicious MACs, but it does not produce any result.

              As it stands, I was forced to remove both Drayteks from the network and plug the WANs directly into one of my pfSense boxes, losing WAN redundancy in the process.

              I am preparing two mini-ITX PCs to replace the Drayteks, one for each WAN, also running pfSense, so I can regain WAN redundancy on both pfSense boxes.

              cheers

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.