How to properly configure HA pair with IPv6 and CARP for symmetric routing?



  • Hello,

    I've been running an HA pfSense pair (two XG-1541s running 2.4.3-RELEASE-p1) with IPv4 and CARP for the past few months without any issue. Since our ISP has allocated an IPv6 /48 range and routed it to us, I've begun implementing IPv6 on the WAN/interface as well as on one of the internal interfaces (which already has IPv4 and CARP configured) for testing.

    Having configured Router Advertisements on that internal interface, my connected Windows laptop can automatically configure an IPv6 address via SLAAC in that subnet and successfully connect to Google and Facebook using IPv6. Since both pfSense devices have IPv6 configured on that internal interface and are both sending RAs, the Windows laptop shows two IPv6 default route entries, each one pointing to one of the two HA devices. Each route entry has the same metric, so the laptop doesn't necessarily use the same "active" HA device as the IPv6 default gateway that it uses as the IPv4 default gateway (which advertises the default GW IP via a CARP VIP).

    I've also configured a second CARP VIP for the internal interface, this one with an IPv6 address and a different VHID from the IPv4 one. In the Services > DHCPv6 Server & RA > <internal_interface> > Router Advertisements section I have set the Router mode to 'Unmanaged', Router priority to 'Normal', and RA Interface to the IPv6 CARP VIP address. Following this change I would have (perhaps naively) expected the active device to:

    1. Be the only one sending RAs, and
    2. Use some sort of "virtual" link-local address as the RA source. This virtual link-local address would move from device to device during failover.

    Yet, both the CARP MASTER and BACKUP devices continue sending RAs for that internal IPv6 subnet; therefore the Windows laptop still has two default routes with the same metric visible in the routing table.

    I admit I'm quite clueless as to how router redundancy and failover are supposed to work with IPv6 RAs since the laptop knows about both firewalls simultaneously (unlike CARPv4). I tried Googling on IPv6 and CARP but I didn't hit any specific site that I felt offered a definitive answer on the subject.

    Am I mistaken in expecting that using CARP with IPv6 will somehow make sure all IPv6 traffic goes through the active device only? If so, how is this supposed to work exactly?

    I have two areas of concern:

    1. Speed of noticing next-hop failure with RAs as compared to CARP/VRRP
    2. Asymmetric routing (possibly fine for a stateless router, but potentially problematic in a stateful firewall)

    I appreciate any help/explanations/links/hints/best practices/enlightenment anyone can provide!

    Regards,
    -Martin