CARP working properly, except WAN1 packetloss on Backup until Master



  • I have CARP configured with HyperV on separate hosts, L2 switch and two WANs. Failover works as it should, except the gateway monitoring for WAN1 on BACKUP node shows 100% packetloss (only) when in backup status. WAN2 shows online, always. (CARP status is Backup for all interfaces, as it should be)

    When the Backup node takes over as Master, WAN1 packetloss goes away instantly and failover is successful.

    I rebuilt both pfSense installations from scratch about a month ago. Before the rebuild, I'm pretty sure both WANs always displayed online status in the widget on both nodes. It makes me think I configured something wrong with the rebuild. While I re-created the VMs, the HyperV hosts and networking were untouched. (Though maybe a modem firmware was pushed by the ISP.)

    The only indication of something off is in the gateway widget. It makes me wonder if this is normal behavior.

    Any thoughts on what this might be? Or commands I could run on the Backup node (while not Master) to look for issues?

    Thanks.


  • LAYER 8 Netgate

    Sounds like you might be performing outbound NAT to the CARP VIP on traffic from the firewall itself.

    Or you're attempting some kind of configuration where the interfaces do not have routable addresses except for the CARP VIP.



  • I just posted I thought I fixed it, but it turns out I did not, so I removed my post. I'll look into the items you listed. It'll take me some time.



  • @Derelict Thanks for the tips. I got it to work. I didn't really understand what you meant, but I agreed it seemed like a NAT issue. I found a separate thread where you said the "NAT Address" should be the VIP address. So, I made sure to change all the WAN1 and WAN2 mappings to the VIP addresses. (I tried this once in the past, but I didn't think it worked. I must have not refreshed it or something.)

    https://forum.netgate.com/topic/119782/solved-setup-manual-outbound-nat-section-in-pfsense-docs-unclear-to-me/4

    Anyway, after using the VIP addresses in the NAT mappings, it fixed the WAN1 to be online at all times.

    Thanks!

