  • Greetings to all.

    A strange situation with the connection of pfSense in the network of the "Telia" provider, Vilnius. Having configured only the WAN address and created the WAN CARP VIP, I immediately see that packets do not pass between the WAN CARP and the default gateway of the WAN network. The check is performed via Diagnostics / Ping. But if you change the virtual address type from "WAN CARP" to "IP Alias", the connection to the default gateway is instantly restored.

    Tell me what kind of trouble happened and how to overcome it.

  • Capturing packets on the WAN interface shows that, in the case of the WAN CARP type, response packets do not come from the gateway. That is, either the gateway considers them broken (since it does not respond), or something else is going on.

    To rule out an error on its own side, pfSense was connected by the WAN interface to the local network, where it demonstrated fully correct operation. Therefore, the problem lies only in the gateway correctly recognizing the packets from the WAN CARP address.

    Please explain what the difference is between the packets sent from a WAN CARP type address and the packets sent from an IP Alias type address. None of my investigations reveal a difference.

    To start, your provider is probably not CARP compatible, or it would likely be working.

    When it comes to CARP VIPs and ISPs there are two general principles that they must support.

    CARP advertisements egress sourced from the CARP MAC address. This performs two tasks:

    • The switch sees the CARP MAC address and adds it to its MAC address table

    • The BACKUP CARP node sees the advertisement and does not switch to MASTER

    The ISP, having traffic for the CARP VIP address, does an ARP request.

    The pfSense WAN responds to the ARP "WHO HAS" from the interface MAC address but says the address IS AT the CARP MAC. This directs traffic from upstream to the CARP VIP to the CARP MAC address, which has previously been installed in the switch's MAC address table by virtue of the CARP advertisements.

    Upstream has to support multiple MAC addresses and multicast for CARP to function. ISP gear does some silly-ass crap. Especially residential gear.

    There has to be solid layer 2 between the two CARP nodes and the upstream.
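As an added illustration of the two conditions in the reply above (this is example code written for this thread, not code from the thread, from pfSense or from the ISP): a small Python decoder that walks a WAN-side capture and reports whether CARP advertisements leave sourced from the CARP MAC, whether the ARP reply for the VIP says IS-AT the CARP MAC, and whether the gateway's echo replies come back addressed to that MAC, which is exactly what was missing in the question. Every frame, MAC and IP address here is constructed inline; the assumption that traffic sourced from the VIP uses the CARP MAC as its Ethernet source is marked in a comment.

```python
"""Check a WAN-segment capture for the CARP behaviour described in the reply.
All frames are constructed below; nothing here comes from a real capture."""
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_CARP = 1, 112                 # CARP uses IP protocol 112 (shared with VRRP)
CARP_MCAST_IP = bytes([224, 0, 0, 18])          # CARP advertisements go to 224.0.0.18
CARP_MCAST_MAC = bytes.fromhex("01005e000012")  # multicast MAC for 224.0.0.18


def carp_mac(vhid):
    """CARP virtual MAC: 00:00:5e:00:01:<vhid>."""
    return bytes([0x00, 0x00, 0x5e, 0x00, 0x01, vhid])


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


# --- minimal frame builders (checksums left at zero; the checks never look at them)
def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 2) + sender_mac + sender_ip + target_mac + target_ip


def carp_adv(vhid, advskew=0, advbase=1):
    # version 2 / type 1 (advertisement), vhid, advskew, authlen, demotion, advbase, cksum, counter
    return struct.pack("!BBBBBBH", 0x21, vhid, advskew, 7, 0, advbase, 0) + bytes(8)


def icmp_echo(icmp_type, ident=1, seq=1):
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"pfSense-ping"


# --- decoder: only the fields the checks need
def parse_frame(frame):
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info, body = {"dst": dst, "src": src}, frame[14:]
    if etype == ETHERTYPE_ARP:
        info["arp_oper"] = struct.unpack("!H", body[6:8])[0]
        info["sha"], info["spa"] = body[8:14], body[14:18]
    elif etype == ETHERTYPE_IP:
        ihl = (body[0] & 0x0F) * 4
        info["ip_proto"], info["ip_src"], info["ip_dst"] = body[9], body[12:16], body[16:20]
        payload = body[ihl:]
        if info["ip_proto"] == PROTO_CARP and info["ip_dst"] == CARP_MCAST_IP:
            info["carp_vhid"] = payload[1]
        elif info["ip_proto"] == PROTO_ICMP:
            info["icmp_type"] = payload[0]
    return info


def check_carp_on_wire(frames, vhid, vip):
    """Findings for one VHID/VIP: advertisement source, ARP answer, and echo traffic."""
    vmac = carp_mac(vhid)
    r = {"adv_from_carp_mac": False, "arp_is_at": None, "echo_req": 0, "echo_rep": 0, "problems": []}
    for f in map(parse_frame, frames):
        if f.get("carp_vhid") == vhid and f["src"] == vmac:
            r["adv_from_carp_mac"] = True
        if f.get("arp_oper") == 2 and f["spa"] == vip:
            r["arp_is_at"] = mac_str(f["sha"])        # what the gateway will put in its ARP cache
        if f.get("icmp_type") == 8 and f["ip_src"] == vip:
            r["echo_req"] += 1
        if f.get("icmp_type") == 0 and f["ip_dst"] == vip and f["dst"] == vmac:
            r["echo_rep"] += 1
    if not r["adv_from_carp_mac"]:
        r["problems"].append("no CARP advertisement sourced from the CARP MAC seen")
    if r["arp_is_at"] is None:
        r["problems"].append("no ARP reply for the VIP seen")
    elif r["arp_is_at"] != mac_str(vmac):
        r["problems"].append(f"ARP says the VIP is at {r['arp_is_at']}, not the CARP MAC")
    if r["echo_req"] and not r["echo_rep"]:
        r["problems"].append("echo requests left from the VIP but no replies came back to the CARP MAC")
    r["ok"] = not r["problems"]
    return r


# --- constructed sample capture (documentation addresses, made-up MACs)
IF_MAC = bytes.fromhex("0a1b2c3d4e5f")       # constructed: pfSense WAN interface MAC
GW_MAC = bytes.fromhex("aabbccddeeff")       # constructed: ISP gateway MAC
VHID = 5
VIP, GW_IP = bytes([203, 0, 113, 10]), bytes([203, 0, 113, 1])


def wan_capture(gateway_answers):
    """Frames as seen on the pfSense WAN; gateway_answers=False reproduces the symptom in the question."""
    vmac = carp_mac(VHID)
    frames = [
        eth(CARP_MCAST_MAC, vmac, ETHERTYPE_IP, ipv4(VIP, CARP_MCAST_IP, PROTO_CARP, carp_adv(VHID))),
        eth(GW_MAC, IF_MAC, ETHERTYPE_ARP, arp_reply(vmac, VIP, GW_MAC, GW_IP)),   # from IF MAC, IS-AT CARP MAC
        # assumption: a ping sourced from the VIP leaves with the CARP MAC as Ethernet source
        eth(GW_MAC, vmac, ETHERTYPE_IP, ipv4(VIP, GW_IP, PROTO_ICMP, icmp_echo(8))),
    ]
    if gateway_answers:
        frames.append(eth(vmac, GW_MAC, ETHERTYPE_IP, ipv4(GW_IP, VIP, PROTO_ICMP, icmp_echo(0))))
    return frames


if __name__ == "__main__":
    for label, answers in (("healthy upstream", True), ("upstream drops CARP MAC traffic", False)):
        print(label, "->", check_carp_on_wire(wan_capture(answers), VHID, VIP))
```

Run on a real capture you would replace `wan_capture()` with frames read from a pcap; the point of the check is that a correct ARP answer (IS-AT the CARP MAC) combined with advertisements on the wire and still no replies addressed to that MAC places the fault upstream, exactly the "provider is probably not CARP compatible" conclusion above.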

