
    CARP VIP reachable only on slave node

      michele.verda

      Hello everyone,
      I need your help to solve a problem that has been bothering me for a long time.
      I have the following configuration:

      master pfSense virtual (Hyper-V)

      LAGG0 hn0 LAN	 
      LAGG1 hn1 WAN
      
      LAN->LAGG0.10  192.168.10.251  VLAN 10
      SYNC->LAGG0.6  192.168.6.251   VLAN 6
      WAN->LAGG1     192.168.2.251   VLAN 2
      

      slave pfSense physical (Dell R210 II)

      LAGG0 bce0 LAN	 
      LAGG1 bce1 WAN
      
      LAN->LAGG0.10  192.168.10.252  VLAN 10
      SYNC->LAGG0.6  192.168.6.252   VLAN 6
      WAN->LAGG1     192.168.2.252   VLAN 2
      

      ISP router (TP-Link Archer VR1210v)

      192.168.2.249
      

      CARP VIP

      LAN 192.168.10.250
      WAN 192.168.2.250
      

      Hyper-V node is connected to a Mikrotik CRS317-1G-16S+ switch.
      Dell R210 II is connected to a Dell N2028P switch.

      There are other VLANs but for simplicity I have only listed the main ones.
      Each instance of pfSense can reach the others via ping on all VLANs.
      The synchronization of the configurations works correctly and I find everything set on the master is replicated on the slave.
      The test with tcpdump also works because I see the packets arriving on both nodes:

      tcpdump -i lagg1 -T carp carp
      11:53:30.220414 IP 192.168.2.251 > vrrp.mcast.net: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=9155971401149450034
      11:53:31.637911 IP 192.168.2.251 > vrrp.mcast.net: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=3871905497728603
      11:53:33.091163 IP 192.168.2.251 > vrrp.mcast.net: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=14449531790455933349
      

      The problem is that if I keep the master VM in persistent maintenance mode I can navigate from the clients. The CARP status correctly reports the backup state on the VM and master on the physical machine.
      If instead I disable the persistent maintenance mode on the VM, the states are reversed correctly but I can no longer ping the CARP VIP addresses from the LAN (and from all the other VLANs) and therefore I cannot navigate.
      In the ARP tables of the respective switches I can correctly see the MAC Addresses of the VIP interfaces.

      Do you have any suggestions on what could cause the problem and how to solve it?
      Thank you very much in advance.
