CARP 2.3.2-p1 - backup node doesn't ping gateway



  • Such a situation:
    Two pfSense boxes in an HA cluster addressing the WAN network, for example 1.1.1.0/27.
    The address of the remote gateway is 1.1.1.1 (operator side); the WAN interface address of the first pfSense is 1.1.1.3 with a 27-bit mask, the WAN interface address of the second pfSense is 1.1.1.4 with a 27-bit mask.

    I set up CARP, according to the descriptions I found, with the IP address 1.1.1.2 and a 27-bit mask. With this configuration only the pfSense that is CARP Master can ping the gateway 1.1.1.1; the second pfSense, as Backup, does not see gateway 1.1.1.1, the gateway doesn't reply to ping.

    After changing the mask of the CARP address 1.1.1.2 from 27 bits to 32 bits,
    both nodes regardless of the CARP state, whether Master or Backup

    Both nodes are on pfSense 2.3.2-RELEASE-p1 (amd64).

    Tell me, what is the correct mask configuration for CARP?? Why, when set to a 27-bit mask, can the router which is Backup for CARP not ping the gateway??

    P.S. sorry, my English is probably not perfect :-)



  • @bronson:

    After changing the mask of the CARP address 1.1.1.2 from 27 bits to 32 bits,
    both nodes regardless of the CARP state, whether Master or Backup

    Can both nodes ping the gateway or not? What mask is on the operator gateway? /30?



  • When I change the subnet mask in the CARP settings from 27 bits to 32 bits, I can ping the gateway from the first pfSense node and from the second pfSense node.
    When I write a 27-bit subnet mask in the CARP settings, I can ping the gateway only from the pfSense which is Master in CARP status.

    The connection subnet between me and my ISP has a 27-bit mask.



  • When pinging the gateway, you can change the source address. Can the master ping the gateway both from its own address and from the CARP address? When you migrate the master role to the secondary server, can it ping the gateway from the CARP address? From its own address?



  • I monitor the gateway from the pfSense features :-) in the gateway monitor.
    When I change the Master<>Backup role in CARP, the pfSense which previously pinged (saw) the gateway stops seeing it, and the one which has just become master begins to see it, although previously it was not available to it …

    When I set the network mask in the CARP settings to 32-bit, everything is OK, both nodes see the gateway.


  • LAYER 8 Netgate

    Everything should be a /27 netmask. Both interfaces and the CARP VIP.

    If you cannot ping 1.1.1.1 sourced from 1.1.1.4 on the secondary, you have either broken something with outbound NAT somehow or it is a problem with your ISP or outside switch.



  • Outgoing NAT I have set up this way:
    from the LAN network - NAT -> WAN CARP IP
    from the pfSense loopback (127.0.0.1) - NAT to the WAN interface IP
    I am connected with two links to the ISP switch.

    When I had the mask set to 27-bit, my ISP claimed that the port to which the pfSense with CARP in backup state was connected did not register any MAC.
    The link between pfSense and the switch was up; the LEDs on both devices signalled the respective statuses.
    Do the two CARP links need some specific configuration on the ISP switch side??


  • LAYER 8 Netgate

    When I had the mask set to 27-bit, my ISP claimed that the port to which the pfSense with CARP in backup state was connected did not register any MAC.

    Doesn't much matter what the ISP says. All netmasks MUST be /27.

    Do the two CARP links need some specific configuration on the ISP switch side??

    Generally, no. The two ports need to be on the same broadcast domain and properly pass multicast between each other. Unless the switch is broken, two untagged ports (three if you count the one to the ISP) on the same VLAN "just work."

    Might be an issue with the ISP switch.

    https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

    You'll probably have to take some packet captures to see what's really happening.

    You should be able to ping the ISP gateway sourced from the WAN interface address on each node at all times.

    You should be able to ping the ISP gateway sourced from the WAN CARP VIP from whichever node is the master at the time.

    If either of those cases is not true you have something wrong and need to work it out with the ISP/outside switch/etc.
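As an added illustration (not from the thread and not pfSense code), a small Python consistency check for the layout the thread describes: it flags a CARP VIP whose mask differs from the WAN interfaces' /27, and lists the source-specific pings the reply above says must succeed on each node. The node names and the addresses embedded below are constructed assumptions; `ping -S` is the FreeBSD source-address option pfSense's ping accepts.

```python
import ipaddress

# Constructed example reflecting the thread's layout: two WAN interface
# addresses in 1.1.1.0/27, CARP VIP 1.1.1.2, ISP gateway 1.1.1.1.
NODES = {"node1": "1.1.1.3/27", "node2": "1.1.1.4/27"}
GATEWAY = "1.1.1.1"


def check_carp_wan(iface_addrs, vip, gateway):
    """Return a list of configuration problems (empty when consistent).

    Rules from the thread: every WAN interface and the CARP VIP carry the
    same netmask, all sit in one subnet, and the gateway is inside it.
    """
    problems = []
    vip_if = ipaddress.ip_interface(vip)
    gw = ipaddress.ip_address(gateway)
    subnets = set()
    for node, cidr in iface_addrs.items():
        ifc = ipaddress.ip_interface(cidr)
        subnets.add(ifc.network)
        if gw not in ifc.network:
            problems.append(f"{node}: gateway {gw} is outside {ifc.network}")
        if vip_if.network.prefixlen != ifc.network.prefixlen:
            problems.append(
                f"{node}: CARP VIP mask /{vip_if.network.prefixlen} "
                f"differs from interface mask /{ifc.network.prefixlen}"
            )
        if vip_if.ip not in ifc.network:
            problems.append(f"{node}: CARP VIP {vip_if.ip} is outside {ifc.network}")
    if len(subnets) > 1:
        problems.append("WAN interfaces are not in one subnet: "
                        + ", ".join(str(n) for n in sorted(subnets)))
    return problems


def expected_pings(iface_addrs, vip, gateway, master):
    """Ping checks that must succeed, as FreeBSD `ping -S <src>` commands.

    Each node pings the gateway from its own WAN address at all times;
    only the current master additionally pings from the CARP VIP.
    """
    checks = [(node, cidr.split("/")[0]) for node, cidr in sorted(iface_addrs.items())]
    checks.append((master, vip.split("/")[0]))
    return [(node, f"ping -c 3 -S {src} {gateway}") for node, src in checks]


if __name__ == "__main__":
    for vip in ("1.1.1.2/27", "1.1.1.2/32"):
        print(vip, check_carp_wan(NODES, vip, GATEWAY) or "OK")
    for node, cmd in expected_pings(NODES, "1.1.1.2/27", GATEWAY, master="node1"):
        print(f"{node}: {cmd}")
```

Run the printed commands on the named node; a failure of the interface-sourced ping points at the outside switch or ISP rather than at CARP itself.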



  • Thanks for clearing up my doubts.
    Tomorrow I will try to contact an engineer from the ISP.
    At the moment each of the pfSense boxes is plugged into a separate port of a DCN DCS-4500-10C switch, which is owned by the ISP.
    Finally, as part of the test, I can swap the ISP switch for any Cisco (e.g. C3750) and check whether the behaviour differs.

    ------

    Thanks for the clarification and for drawing attention to the switch configuration. Now everything is OK.
    ISP filtering: their switch turns on GVRP and GMRP by default on client ports.
    And that was the problem. After turning off GVRP and GMRP filtering on the ports I used, everything behaves correctly with a 27-bit mask set in CARP.
    Another new experience; one learns one's whole life :-)
    So far I have used in a production environment several F5 Networks devices that work in an HA cluster and quietly use probably just CARP, and combined with Cisco switches this always worked without a problem, even with port aggregation and support for multiple VLANs.

