Netgate Discussion Forum

    Backup firewall thinks it's the Master
    HA/CARP/VIPs
    • rsaddoo

      Hi,

      I'm currently unable to have my backup firewall fully recognise that it's not the master. It only has the WAN VIPs set as Master; the rest are correctly set as Backup, as can be seen below.

      This is set up on a Hyper-V cluster and the two VMs were on separate hosts, but I've moved them back onto the same host in case it was the Layer 2 switch which was filtering the multicast traffic. I'm running pfSense 2.4.3 on both firewalls.

      The primary firewall does sync the config correctly so any NAT entries etc get instantly copied onto the backup firewall as expected.

      I have everything set up as per the instructions here

      [CARP status screenshot from the backup firewall: six VIPs shown as Master, six shown as Backup]

      This is the output of the packet capture, which to me looks like the WAN interfaces are having Multicast traffic blocked. If I run a capture from the other interfaces I can see the Primary firewall correctly advertising.

      From master Server

      15:23:27.905751 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 authlen=7 counter=2513118231863990170
      15:23:27.905753 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=4600427427365908371
      15:23:27.905886 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=16969553043371695779
      15:23:28.931190 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=16969553043371695779
      15:23:28.931316 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=4600427427365908371

      From backup Server

      15:25:43.326437 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=12107231961857631236
      15:25:43.326439 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=13768645510008379376
      15:25:43.326440 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 authlen=7 counter=5530884825783091352
      15:25:43.326858 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=12107231961857631236
      15:25:43.326880 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=13768645510008379376

      Help! :)

      Thanks

      • Derelict (LAYER 8, Netgate)

        They can't see each other's multicast CARP advertisements.

        Check your switching layer that they are both connected to.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

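A small diagnostic, added here as an example and not code posted in the thread, that reads tcpdump CARP lines of the form shown in the question's captures and reports, per vhid, who is advertising and whether a node with a higher advskew than another advertiser is also sending advertisements. Only the MASTER node of a vhid sends advertisements, so a backup (advskew=100 in these captures) that advertises has promoted itself because it does not hear the real master, which is the condition Derelict's reply describes. The sample lines are constructed by merging the two captures above as if they had been seen on one segment.

```python
import re
from collections import defaultdict

# Matches the CARPv2-advertise lines tcpdump prints, as in the captures above.
CARP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)

def parse_adverts(lines):
    """Return {vhid: {source_ip: advskew}} for every CARP advertisement seen."""
    seen = defaultdict(dict)
    for line in lines:
        m = CARP_RE.search(line)
        if m:
            seen[int(m["vhid"])][m["src"]] = int(m["advskew"])
    return seen

def diagnose(capture_lines):
    """Per vhid: the advertisers, the node that should be master (lowest advskew),
    and any other node that is advertising anyway (it believes it is master too)."""
    report = {}
    for vhid, advertisers in sorted(parse_adverts(capture_lines).items()):
        lowest = min(advertisers.values())
        report[vhid] = {
            "advertisers": advertisers,
            "expected_master": min(advertisers, key=advertisers.get),
            "rogue_masters": sorted(ip for ip, skew in advertisers.items() if skew > lowest),
        }
    return report

# Constructed sample: vhid 2, 3 and 4 from each host's capture above, merged.
SAMPLE = [
    "15:23:27.905751 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=0 authlen=7 counter=2513118231863990170",
    "15:23:27.905753 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=4600427427365908371",
    "15:23:27.905886 IP 111.111.111.111 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=16969553043371695779",
    "15:25:43.326437 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=12107231961857631236",
    "15:25:43.326439 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=13768645510008379376",
    "15:25:43.326440 IP 111.111.111.112 > 224.0.0.18: CARPv2-advertise 36: vhid=4 advbase=1 advskew=100 authlen=7 counter=5530884825783091352",
]

if __name__ == "__main__":
    for vhid, r in diagnose(SAMPLE).items():
        state = "split-brain" if r["rogue_masters"] else "ok"
        print(f"vhid={vhid} expected_master={r['expected_master']} rogue={r['rogue_masters']} {state}")
```

Run it on `tcpdump -ni <interface> proto carp` output captured on the segment the two firewalls share; a vhid listed with a rogue master means that node is not receiving the master's advertisements on that segment.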