CARP and (HE.net) GIF tunnel



  • I set up CARP with one ISP and 2 pfSense boxes. Everything works as expected if I disable CARP on the primary.

    The only thing is the HE.net tunnel: everything goes into Master status on the slave if I set 'Disable CARP' on the primary. IPv4 works, but IPv6 does not. The gateway to HE.net is shown as Online on the slave, but there is no IPv6 connectivity. I can ping the IPv6 CARP IP and also the IPv6 slave IP, but if I ping the GIF tunnel local address or the GIF tunnel remote address (or any other IPv6 address outside the LAN), I get "PING: transmit failed. General failure."

    My setup:

    The GIF HE.net tunnel is set up following this manual: https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker. Because of CARP, I changed the GIF parent interface to the WAN CARP IP.

    I also created an IPv6 CARP IP on top of the LAN interface (and set my clients to use this IP as their gateway).

    I have IPv6 internet and can ping6 the master, slave and CARP IPv6 IP addresses. So I think everything is set up correctly?


  • Rebel Alliance Developer Netgate

    Compare the interface settings (ifconfig -a) and routing tables (netstat -rn) on both nodes in each state, and see if there is anything different.
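
One way to make the routing-table half of that comparison repeatable, as an added example that is not part of the thread or of pfSense: a small Python script that parses saved `netstat -rn` text from each node and reports IPv6 routes that differ. The sample tables `FW1` and `FW2`, their addresses and interface names are constructed for illustration, and the missing default route is there only to give the diff something to report.

```python
# Added example: compare the IPv6 routes of two CARP nodes from saved `netstat -rn` text.
# FW1 and FW2 are constructed samples (documentation prefixes), not data from this thread.
FW1 = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0

Internet6:
Destination        Gateway            Flags     Netif Expire
default            2001:db8:1::1      UGS        gif0
2001:db8:1::1      link#8             UH         gif0
2001:db8:1::2      link#8             UHS         lo0
2001:db8:2::/64    link#2             U           em1
"""
# Constructed difference: no IPv6 default route, and a different link index for gif0.
FW2 = FW1.replace("default            2001:db8:1::1      UGS        gif0\n", "").replace("link#8", "link#9")

def parse_routes(text, family="Internet6"):
    """Return {destination: (gateway, flags, netif)} for one address family."""
    routes, cols, active = {}, None, False
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 1 and fields[0].endswith(":"):
            # Section header such as "Internet:" or "Internet6:".
            active, cols = fields[0] == family + ":", None
        elif active and fields and fields[0] == "Destination":
            # Column positions come from the header, so older layouts with Refs/Use also parse.
            cols = {name: i for i, name in enumerate(fields)}
        elif active and cols and len(fields) > cols["Netif"]:
            # link#N indexes differ between nodes for the same interface, so drop the number.
            gw = fields[cols["Gateway"]].split("#")[0]
            routes[fields[0]] = (gw, fields[cols["Flags"]], fields[cols["Netif"]])
    return routes

def diff_routes(a, b):
    """Return (only_in_a, only_in_b, changed) for two parsed tables."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {d: (a[d], b[d]) for d in sorted(set(a) & set(b)) if a[d] != b[d]}
    return only_a, only_b, changed

if __name__ == "__main__":
    print(diff_routes(parse_routes(FW1), parse_routes(FW2)))
```

Capture the text on each node once while it is master and once while it is backup, then diff the two "master" captures against each other.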



  • Hello,

    I am having similar problems. IPv4 failover works beautifully, but not IPv6.

    fw1 and fw2 both have the same tunnel broker settings, and both firewalls' GIF connections are tied to the WAN CARP IP. When fw2 is master, IPv6 stops. When fw1 is master again, IPv6 connectivity returns.

    I have compared the output of netstat -rn and ifconfig -a to each other. The only real difference appears to be how IPv4 is mapped to CARP whereas IPv6 is NOT.

    What I theorize is this: until HE.net re-pings the IPv4 client address, connectivity is lost.

    Do I need to create a virtual IP address on the tunnel interface and assign the HE.net-assigned client IPv6 address to it?
    Is there a way to convince HE.net to allow me to use more than one client IPv6 address, i.e. one for fw1, one for fw2 and one for CARP? The server and client IPv6 addresses are both /64…

    Is there a mechanism to bump HE.net if a CARP changeover has occurred?

    Thank you in advance for your time...

    ==jason