Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HA CARP setup, WAN not working

    HA/CARP/VIPs
    3
    3
    748
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pecker88
      last edited by pecker88

      I followed this guide verbatim:
      https://vorkbaard.nl/how-to-set-up-pfsense-high-availability-hardware-redundancy

      I have 5 static IPs, (/24 block) and dedicated hardware for both pfSense boxes. Each WAN interface has its own static IP. I'm able to reach the internet on both boxes, no issues. SYNC interface works fine, LAN CARP VIP works fine also.

      primary FW:
      1 static IP on WAN interface
      1 CARP VIP on WAN interface
      2 IP Aliases on CARP VIP

      When I enter CARP maintenance mode on primary FW, all CARP interfaces show as "Master" on secondary FW, as expected. LAN communication continues to work. But, continuous WAN pings to google DNS IP on a client fails. The secondary FW is not able to reach the internet via the outbound NAT CARP VIP.

      I enabled firewall logging on inbound rules that fwd traffic to various web/application servers. And, those firewall log entries only appear on the primary FW. I'm not seeing incoming traffic for those rules on the secondary FW. It's like they are still being passed to the primary FW, even though it's CARP status is "backup"?

      I did a packet capture on WAN, primary/secondary firewalls and didn't see any duplicate VHIDs.

      I don't know what else to try?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        I would suggest following this:

        https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/index.html

        CARP issues are pretty invariably a misconfiguration or a layer 2 switching problem.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • awebsterA
          awebster
          last edited by

          As @Derelict suggests, consult the docs, and to that I would add that it is important to remember that at the base of Ethernet communication, it is between two mac addresses, layer 3 comes after, consequently, you need to make sure that the layer 2, mac address visibility is as you expect it to be on the devices facing the CARP cluster, both upstream and downstream, and as well as on pfSense boxes.
          Packet captures (detail level full) are a great way to check this, and pay particular attention to the ethernet addresses.

          –A.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.