Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Carp-failover problem (with multiwan)

    HA/CARP/VIPs
    1
    1
    2.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      saerdna
      last edited by

      Hello,

      I set up a 2-node carp configuration with pfsense 1.2.3-RELEASE.

      Here ist the detailed setup:

      • 2-node carp setup with pfsense 1.2.3-RELEASE
      • public /24 Network from wan1-provider (split for wan1 and dmz)
      • wan1 (primary) link with /29 Net (from public /24 network), pfsense connected to cisco router from provider
      • wan2 (secondary) link with private /24 network connected to netgear dsl-router (1 public ip-adress via dsl-line)
      • dmz-subnet (routed via wan1-link) configured with public /25 network (from public /24 network)
      • lan-subnet with private ips (outbound-nat enabled to dmz, wan1, wan2)
      • sync subnet with private ips
      • for outgoing connections from LAN-subnet I configured 2 failover groups (loadbalancer) "wan1->wan2" and "wan2->wan1" assigned via firewall rules for different target ips

      Everything works fine, except one thing during the following failover-test:

      1. ping -t from lan to target ip reached via wan1->wan2 failover-group (uses wan1)
      2. ping -t from lan to target ip reached via wan2->wan1 failover-group  (uses wan2)
      3. disable carp on primary (carp-failover to secondary)

      The first ping (via wan1) continues to work without interruption, but the second ping (via wan2) stops working after failover.
      Why does the second ping stops working?

      If I stop the second ping, wait a minute, then start ping again, -> it works.
      If I switch back to primary-node the failed ping starts working again immediately.
      I can alos ping other target ips  that use wan2 immediately after failover, but not the one that was used before on primary node.

      The problem ist not only to ping, a http-request shows the same behaviour.

      For me this seems to be a state problem anywhere in my setup,
      1minute after carp-failover with NO ACTIVITY to the target-ip the connection works (the incorrect state was deleted).

      Any idea?

      Thanks

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.