Netgate Discussion Forum

    VIP address of carp not detected in other router

    HA/CARP/VIPs
    • prisonier

      Main pfSense IP: WAN 1 10.0.0.2/24, WAN 2 10.0.1.2/24, VIP 10.0.0.4/24 (WAN 1)
      Backup pfSense IP: WAN 1 10.0.0.3/24, WAN 2 10.0.1.3/24, VIP 10.0.1.4 (WAN 2)

      If I use forwarding and DMZ to the normal IP, it works OK, but the goal is pfSense failover:
      if the main goes down, it will route to the backup. To achieve that, I need to use the virtual IP.

      Does anyone have the same issue? Thank you.

      • viragomann @prisonier

        @prisonier
        The VIP setting is transferred from the primary to the secondary via XMLRPC Sync. Did you configure this in System > High Availability?

        • prisonier @viragomann

          @viragomann
          I'm not sure if it is from pfSense / Draytek / misconfiguration.

          The HA is fine; it syncs and transfers.

          The scenario:
          We have an internet router, the Huawei; that device is connected to pfSense.
          The HA is set up with dual WAN.
          Everything is working on the Huawei; it can see the virtual 10.0.1.4.

          Now we are replacing that Huawei with a Draytek.
          No configuration was made in pfSense.
          When going to the DMZ of the Draytek, it can only see 10.0.1.2 and 10.0.1.3; those IPs belong to the main and backup pfSense.
          The 10.0.1.4 is not showing.
          The forwarding must be on that 10.0.1.4, because that is the virtual IP for the 2 pfSense, so it will detect where to go to forward even if the main goes down.
          If the forward points to the main pfSense, when the main goes down it will fail over to backup. That's the problem.
          The one forward is the IP of the main.

          Even if I forward the 2 IPs, once the main is down there is no more connection.

          Hope I explained it correctly. Thank you.

          • viragomann @prisonier

            @prisonier said in VIP address of carp not detected in other router:

            When going to the DMZ of the Draytek, it can only see 10.0.1.2 and 10.0.1.3; those IPs belong to the main and backup pfSense.
            The 10.0.1.4 is not showing.

            Try to ping this IP from the Draytek.
            It should do an ARP request then. Maybe the IP has shown up after.

            Anyway, I would expect, that you can forward traffic to the CARP VIP.

            • prisonier @viragomann

              @viragomann
              From the Draytek itself, I can ping 10.0.1.2 and 10.0.1.3 but cannot ping 10.0.1.4.

              • viragomann @prisonier

                @prisonier
                So do an ARP request for 10.0.1.4 on the Draytek and see if this works.

                The reason could be that pfSense sends its packets for the CARP VIP from its physical MAC address, while if a device requests the MAC for the CARP VIP, it gets the virtual MAC. That's by design.
                So the Draytek has to accept MAC changes.

                I could imagine that there is a setting on the device to allow this. But I'm not familiar with it.
                If you don't find it, search the web for "Draytek" and "CARP".

                • prisonier @viragomann

                  @viragomann

                  You saved the day, bro... Got it, these need to be disabled.

                  In Draytek:

                  Spoofing Defense
                    Block ARP replies with inconsistent source MAC addresses.
                    Block ARP replies with inconsistent destination MAC addresses.
                    Decline VRRP MAC into ARP table.

                  • viragomann @prisonier

                    @prisonier
                    Yes, VRRP is very very similar to CARP. It behaves the same regarding the virtual MAC.

                    Glad that you got it sorted.
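
Added example (not from the thread, and not Draytek's or pfSense's code): a minimal model of the checks named in the Spoofing Defense options, run over constructed ARP replies. It assumes the behaviour described in the thread, where the frame leaves the physical MAC while the ARP payload carries the CARP virtual MAC; the MAC addresses, VHID 4 and 10.0.1.1 are made-up sample values.

```python
import socket
import struct

# 00:00:5e:00:01:xx is the IPv4 virtual-router MAC range shared by VRRP and CARP;
# the last byte is the VRID/VHID.
VIRTUAL_MAC_PREFIX = bytes.fromhex("00005e0001")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp_reply(eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet + ARP reply frame (sample input only)."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, opcode 2 = reply
    arp += mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def inspect_arp_reply(frame):
    """Return the claimed IP and the reasons a strict ARP filter would reject it."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # not an Ethernet ARP frame
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None  # not an IPv4-over-Ethernet ARP reply
    eth_dst, eth_src = frame[0:6], frame[6:12]
    sender_mac, sender_ip = frame[22:28], frame[28:32]
    target_mac = frame[32:38]
    findings = []
    if sender_mac != eth_src:
        findings.append("inconsistent source MAC")
    if target_mac != eth_dst:
        findings.append("inconsistent destination MAC")
    if sender_mac[:5] == VIRTUAL_MAC_PREFIX:
        findings.append("virtual-router MAC, ID %d" % sender_mac[5])
    return {"ip": socket.inet_ntoa(sender_ip), "findings": findings}

# Constructed sample values: MACs, VHID 4 and the Draytek IP are made up.
DRAYTEK, DRAYTEK_IP = "02:00:00:00:00:01", "10.0.1.1"
PFSENSE_MAIN = "02:00:00:00:00:02"
CARP_VMAC = "00:00:5e:00:01:04"

def sample_results():
    physical = build_arp_reply(PFSENSE_MAIN, DRAYTEK, PFSENSE_MAIN, "10.0.1.2", DRAYTEK, DRAYTEK_IP)
    vip = build_arp_reply(PFSENSE_MAIN, DRAYTEK, CARP_VMAC, "10.0.1.4", DRAYTEK, DRAYTEK_IP)
    return inspect_arp_reply(physical), inspect_arp_reply(vip)

if __name__ == "__main__":
    for result in sample_results():
        print(result)
```

The reply for 10.0.1.2 produces no findings, while the reply for 10.0.1.4 trips both the source-MAC check and the virtual-router MAC check, which matches the symptom that only the physical addresses appeared on the Draytek.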

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.