Netgate Discussion Forum

    Failed to function WAN CARP.

    HA/CARP/VIPs
    3 Posts 2 Posters 593 Views
      MStar

      Greetings to all.

      A strange situation with connecting pfSense to the network of the "Telia" provider, Vilnius. Having configured only the WAN address and created the WAN CARP VIP, I immediately see that packets do not pass between the WAN CARP address and the default gateway of the WAN network. The check is performed via Diagnostics / Ping. But if the virtual address type is changed from "WAN CARP" to "IP Alias", the connection to the default gateway is instantly restored.

      Please tell me what the problem is and how to overcome it.

        MStar

        Capturing packets on the WAN interface shows that, with the WAN CARP type, response packets do not come back from the gateway. That is, either the gateway considers them broken and therefore does not respond, or something else is going on.

        To rule out an error on its own side, pfSense was connected via the WAN interface to the local network, where it worked completely correctly. Therefore, the problem lies only in the gateway correctly recognizing packets from the WAN CARP address.

        Please explain: what is the difference between packets sent from a WAN CARP type address and packets sent from an IP Alias type address? None of my investigations reveal a difference.

          Derelict LAYER 8 Netgate

          To start, your provider is probably not CARP compatible, or it would likely be working.

          When it comes to CARP VIPs and ISPs, there are two general principles that they must support.

          CARP advertisements egress sourced from the CARP MAC address. This performs two tasks:

          • The switch sees the CARP MAC address and adds it to its MAC address table

          • The BACKUP CARP node sees the advertisement and does not switch to MASTER

          The ISP, having traffic for the CARP VIP address does an ARP request.

          The pfSense WAN responds to the ARP "WHO HAS" from the interface MAC address but says the address IS AT the CARP MAC. This directs traffic from upstream for the CARP VIP to the CARP MAC address, which has previously been installed in the switch's MAC address table by virtue of the CARP advertisements.

          Upstream has to support multiple MAC addresses and multicast for CARP to function. ISP gear does some silly-ass crap. Especially residential gear.

          There has to be solid layer 2 between the two CARP nodes and the upstream.

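The two layer-2 behaviours described in the reply above, as an added worked example (not code from the post, from pfSense or from Netgate): a CARP advertisement frame sourced from the CARP virtual MAC to the CARP multicast group, an ARP "IS AT" reply whose Ethernet source is the interface MAC while the ARP sender hardware address is the CARP MAC, and an audit that decodes such frames (for instance from a WAN packet capture) and reports which of those conditions the upstream has to tolerate. The same ARP builder produces the IP Alias case, where both addresses are the interface MAC, so the difference MStar asked about is visible side by side. The virtual MAC prefix `00:00:5e:00:01`, protocol number 112 and multicast group `224.0.0.18` are the standard CARP/VRRP conventions; all interface, gateway and VIP addresses and the VHID are constructed sample values, and the CARP checksum and HMAC fields are deliberately left zero because the example only exercises addressing, not authentication.

```python
import struct
import ipaddress

# Added example, not pfSense or Netgate code. CARP/VRRP conventions assumed here:
# virtual MAC 00:00:5e:00:01:<vhid>, advertisements as IP protocol 112 to 224.0.0.18.
CARP_MAC_PREFIX = "00:00:5e:00:01"
CARP_MCAST_IP = "224.0.0.18"
CARP_MCAST_MAC = "01:00:5e:00:00:12"
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
IPPROTO_CARP = 112
ARP_REPLY = 2


def carp_mac(vhid: int) -> str:
    """Virtual MAC shared by every CARP node of a VHID (the MAC the switch must learn)."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_checksum(hdr: bytes) -> int:
    """Standard ones-complement checksum over a 16-bit-aligned header."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_reply(eth_src: str, sender_hw: str, sender_ip: str,
                    target_hw: str, target_ip: str) -> bytes:
    """ARP 'IS AT' reply. For a CARP VIP eth_src is the interface MAC and sender_hw is
    the CARP MAC; for an IP Alias both are the interface MAC."""
    eth = _mac(target_hw) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
    arp += _mac(sender_hw) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac(target_hw) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_carp_advertisement(vhid: int, advskew: int, src_ip: str, counter: int = 1) -> bytes:
    """CARP advertisement sourced from the CARP MAC to the CARP multicast group.
    CARP checksum and HMAC are left zero: only L2/L3 addressing matters here."""
    carp = struct.pack("!BBBBBBHQ", 0x21, vhid, advskew, 7, 0, 1, 0, counter) + bytes(20)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255, IPPROTO_CARP, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(CARP_MCAST_IP).packed)
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    eth = _mac(CARP_MCAST_MAC) + _mac(carp_mac(vhid)) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + carp


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header plus the ARP or IPv4/CARP fields the audit needs."""
    info = {"eth_dst": _mac_str(frame[:6]), "eth_src": _mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    p = frame[14:]
    if info["ethertype"] == ETHERTYPE_ARP:
        info["op"] = struct.unpack("!H", p[6:8])[0]
        info["sha"], info["spa"] = _mac_str(p[8:14]), str(ipaddress.IPv4Address(p[14:18]))
        info["tha"], info["tpa"] = _mac_str(p[18:24]), str(ipaddress.IPv4Address(p[24:28]))
    elif info["ethertype"] == ETHERTYPE_IPV4:
        ihl = (p[0] & 0x0F) * 4
        info["ip_proto"] = p[9]
        info["ip_src"] = str(ipaddress.IPv4Address(p[12:16]))
        info["ip_dst"] = str(ipaddress.IPv4Address(p[16:20]))
        if p[9] == IPPROTO_CARP:
            vt, info["vhid"], info["advskew"] = struct.unpack("!BBB", p[ihl:ihl + 3])
            info["carp_version"], info["carp_type"] = vt >> 4, vt & 0x0F
    return info


def audit_capture(frames: list, vhid: int, iface_mac: str) -> dict:
    """Flags the conditions upstream must tolerate for a CARP VIP: advertisements from
    the CARP MAC to multicast, and ARP replies whose Ethernet source (interface MAC)
    differs from the ARP sender hardware address (CARP MAC)."""
    vmac = carp_mac(vhid)
    f = {"advert_from_carp_mac": False, "advert_to_multicast": False,
         "arp_sender_is_carp_mac": False, "arp_eth_src_differs_from_sender": False}
    for info in map(parse_frame, frames):
        if info.get("ip_proto") == IPPROTO_CARP and info.get("vhid") == vhid:
            f["advert_from_carp_mac"] |= info["eth_src"] == vmac
            f["advert_to_multicast"] |= (info["ip_dst"] == CARP_MCAST_IP
                                         and info["eth_dst"] == CARP_MCAST_MAC)
        elif info.get("op") == ARP_REPLY:
            f["arp_sender_is_carp_mac"] |= info["sha"] == vmac
            f["arp_eth_src_differs_from_sender"] |= (info["eth_src"] == iface_mac
                                                     and info["sha"] != info["eth_src"])
    return f


# Constructed sample frames: example MACs, addresses and VHID, not values from the thread.
IFACE_MAC, GW_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
VIP, GW_IP, VHID = "203.0.113.10", "203.0.113.1", 1
CARP_FRAMES = [build_carp_advertisement(VHID, 0, VIP),
               build_arp_reply(IFACE_MAC, carp_mac(VHID), VIP, GW_MAC, GW_IP)]
ALIAS_FRAMES = [build_arp_reply(IFACE_MAC, IFACE_MAC, VIP, GW_MAC, GW_IP)]

if __name__ == "__main__":
    print("CARP VIP :", audit_capture(CARP_FRAMES, VHID, IFACE_MAC))
    print("IP Alias :", audit_capture(ALIAS_FRAMES, VHID, IFACE_MAC))
```

Run against the constructed frames, the CARP capture sets all four flags and the IP Alias capture sets none: the alias ARP reply carries the interface MAC in both the Ethernet source and the ARP sender field and involves no multicast advertisement at all, which is exactly why a gateway that binds the VIP to a single MAC or drops multicast works with an alias and not with CARP. Feeding real frames from a WAN capture through `parse_frame` and `audit_capture` shows which of the two conditions the upstream is actually seeing.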
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.