VIP address in NDP table on secondary node

arfid

Hi,
We have two pfSense firewalls in HA-mode. On all the public facing interfaces we have both IPv4 and IPv6 set statically. The firewalls have their own addresses (ending with :302::2 and :302::3 for IPv6 on one specific interface) and a shared VIP with CARP (ending in :302::1).

If we make changes to an interface (we were updating the "Block private networks" checkbox) on the secondary node (that is currently CARP backup), the IPv6 CARP VIP address end up in the NDP table on secondary node.
A manual CARP failover solves this and the IPv6 CARP VIP address is only advertised from the primary node (CARP master) again.

Screenshot from interface configuration on secondary node:
Skärmavbild 2022-08-15 kl. 14.32.43.png

Screenshot from Diagnostics > NDP Table on secondary node, before the configuration change:
Skärmavbild 2022-08-15 kl. 14.35.58.png

After toggling the checkbox Block private networks and loopback addresses on the interface and applying the changes, the NDP Table looks like this:
Skärmavbild 2022-08-15 kl. 14.38.56.png

I don't expect to see the :302::1 address here, since this firewall is still secondary. The CARP VIP is also still listed as backup (in Status > CARP (failover)).

Could this be due to some misconfiguration or should I report this as a bug? Can anyone help reproducing this issue?

Best regards, Arfid