• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Incorrect ARP entry for directly-connected VRRP BACKUPs' non-VIPs - why?

Scheduled Pinned Locked Moved L2/Switching/VLANs
1 Posts 1 Posters 179 Views 1 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • W Offline
    wedwards
    last edited by Apr 28, 2025, 4:51 PM

    Disclaimer: this may actually be a BSD networking question, but posting here as I'm not sure yet.

    Situation

    • pfSense has IP 185.233.175.160
    • lb1-1.ha.cyberfusion.cloud has IP 185.233.175.139
    • lb1-0.ha.cyberfusion.cloud has IP 185.233.175.175
    • lb1-{0,1}.ha.cyberfusion.cloud share the VIP 185.233.175.190 (VRRP)
    • lb1-1.ha.cyberfusion.cloud is VRRP BACKUP

    Problem

    • lb1-1.ha.cyberfusion.cloud has IP 185.233.175.139 (not the VIP!)
    • lb1-1.ha.cyberfusion.cloud is VRRP BACKUP
    • IP 185.233.175.139 is on ens18
    • ens18 has MAC address ea:c3:bc:0c:e4:09
    • pfSense's ARP table contains MAC address 00:00:5e:00:02:80, which is the VRRP interface's MAC address (vrrp6.119@ens18)

    Question: why is 185.233.175.139's ARP entry 00:00:5e:00:02:80 (interface vrrp6.119@ens18, which does not have the IP address!), rather than ea:c3:bc:0c:e4:09 (interface ens18, the interface that the IP address is actually on)?

    Other directly-connected machines do have a correct ARP entry:

    root@lb1-0:~# ip -4 neig list | grep 185.233.175.139
185.233.175.139 dev ens18 lladdr ea:c3:bc:0c:e4:09 REACHABLE

    ... while pfSense's ARP entry looks like this:

    185.233.175.139   00:00:5e:00:02:80    lb1-1.ha.cyberfusion.cloud

    Interface configuration on lb1-1.ha.cyberfusion.cloud

    2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether ea:c3:bc:0c:e4:09 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 185.233.175.139/25 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 2a0c:eb00:0:f7:185:233:175:139/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::e8c3:bcff:fe0c:e409/64 scope link
       valid_lft forever preferred_lft forever

24: vrrp6.128@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:02:80 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e8c3:bcff:fe0c:e409/64 scope link nodad deprecated
       valid_lft forever preferred_lft 0sec

    Good to know

    • This is NOT about VRRP on pfSense itself!
    • This may actually be a BSD networking question.
    • The incorrect ARP entry is NOT for the VIP, but for an IP address on ens18 (the VRRP interface's parent interface).
    • NDP entries are correct, i.e. this problem does not exist for IPv6
    • This happens for all directly-connected VIP addresses. lb1-{0,1}.ha.cyberfusion.cloud is just one of those cases.
    1 Reply Last reply Reply Quote 0
    1 out of 1
    • First post
      1/1
      Last post
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
      This community forum collects and processes your personal information.
      consent.not_received