    VIPs not responding to clients

    HA/CARP/VIPs

    • Goneill

      I'm new to pfSense, and am going crazy trying to get VIPs working.

      I have two firewalls, in a lab environment. The primary one has WAN IP of 200.1.2.1/24 and LAN IP of 192.168.100.1/24. The secondary one has WAN IP of 200.1.2.2/24 and LAN IP of 192.168.100.2/24. They also have SYNC interfaces of 10.1.1.1/30 and 10.1.1.2/30 respectively.

      I have CARP set up and working for Master/Backup HA, and all that is syncing perfectly on the SYNC interfaces.

      I have created CARP VIPs for the WAN (of 200.1.2.254/24, vhid2) and LAN (of 192.168.100.254/24, vhid1). They are also syncing from Master to Backup.

      Whichever firewall is the master at any given time can ping the VIPs (192.168.100.254 and 200.1.2.254), but the backup firewall cannot (I'm not sure whether that is normal behaviour).

      All client devices on either the WAN or LAN networks can ping the primary interfaces of each firewall (192.168.100.1, 192.168.100.2, 200.1.2.1, 200.1.2.2) but cannot ping either of the VIPs. If I check the ARP table on the clients however I can see that they have successfully resolved the MAC address of their respective local VIP.

      To rule out any firewall rules being the issue, I currently have the LAN and WAN rules set to permit any protocol, from any source, to any destination (it's a lab environment, so there's no danger there).

      Is anyone able to assist me in identifying why the clients can communicate with the firewalls on their primary addresses, but not on the VIP addresses?

      • Rico LAYER 8 Rebel Alliance

        I'd recheck all settings gradually with the documentation: https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
        Did you watch the great HA hangout from Jim? https://www.netgate.com/resources/videos/high-availability-on-pfsense-24.html

        -Rico

        • Derelict LAYER 8 Netgate

          Almost always a problem with the switches.

          Apply typical troubleshooting techniques. ARP, packet captures, etc.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Goneill
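          The kind of ARP and packet-capture check suggested above, as an added example that is not part of the thread or of pfSense: it takes tcpdump-style lines captured on the LAN segment (the sample lines below are constructed, as is the client ARP table) and, for the two VIPs in this thread (vhid 1 and vhid 2), reports whether a single master is advertising each vhid and whether the client resolved the VIP to the CARP virtual MAC rather than to some other station.

```python
import re
from collections import defaultdict

# CARP VIPs from the thread: VIP address -> vhid
VIPS = {"192.168.100.254": 1, "200.1.2.254": 2}

# Constructed sample of a LAN capture in the style of tcpdump's CARP decoder.
# It shows the classic switch symptom: both firewalls advertise vhid 1 (they
# cannot hear each other's 224.0.0.18 multicast), while vhid 2 is never seen.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 192.168.100.1 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
10:00:00.000002 IP 192.168.100.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=1
10:00:01.000001 IP 192.168.100.1 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=2
"""

# Constructed client ARP cache: LAN VIP resolved correctly, WAN VIP answered
# by a non-CARP MAC (some other station claiming the address).
SAMPLE_ARP = {"192.168.100.254": "00:00:5e:00:01:01", "200.1.2.254": "00:0c:29:aa:bb:cc"}

ADV_RE = re.compile(
    r"IP (\S+) > 224\.0\.0\.18: CARPv2-advertise \d+: vhid=(\d+) advbase=(\d+) advskew=(\d+)")

def carp_mac(vhid):
    """Virtual MAC a CARP VIP with this vhid answers from (00:00:5e:00:01:<vhid>)."""
    return "00:00:5e:00:01:%02x" % vhid

def advertisers(capture):
    """Map vhid -> {advertising source IP: lowest advskew seen} from capture text."""
    seen = defaultdict(dict)
    for m in ADV_RE.finditer(capture):
        src, vhid, skew = m.group(1), int(m.group(2)), int(m.group(4))
        seen[vhid][src] = min(skew, seen[vhid].get(src, skew))
    return dict(seen)

def diagnose(capture, vips, arp_table):
    """Return one finding string per problem detected; an empty list means healthy."""
    findings = []
    adv = advertisers(capture)
    for vip, vhid in vips.items():
        srcs = adv.get(vhid, {})
        if not srcs:
            findings.append(f"{vip} (vhid {vhid}): no advertisements seen; no master, or 224.0.0.18 is dropped")
        elif len(srcs) > 1:
            findings.append(f"{vip} (vhid {vhid}): {len(srcs)} nodes advertising ({', '.join(sorted(srcs))}); split-brain")
        mac = arp_table.get(vip)
        if mac is not None and mac.lower() != carp_mac(vhid):
            findings.append(f"{vip}: client ARP has {mac}, expected CARP MAC {carp_mac(vhid)}")
    return findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE_CAPTURE, VIPS, SAMPLE_ARP):
        print(line)
```

Feed it a real capture filtered on `host 224.0.0.18` taken from a client port: a healthy segment yields exactly one advertiser per vhid and ARP entries matching the 00:00:5e:00:01:xx MACs.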

            OK, so I didn't manage to work out what was specifically causing the problem. I was using a relatively old version of pfSense (2.3.3). I downloaded the latest version and redid the setup from scratch, and it just worked!
