  • Hi everyone,

    We have a problem to setup two pfsense with CARP VIPs.

    The network configuration is not really complicated.

    I have a subnet with public IPs: ***.***.124.240/29

    • Gateway: ***.***.124.241
    • WAN CARP VIP: ***.***.124.242
    • pfSense #1 WAN IP: ***.***.124.243
    • pfSense #2 WAN IP: ***.***.124.244

    And I have a private subnet:

    • LAN CARP VIP: (gateway)
    • Switch Level 3:
    • pfSense #1 LAN IP:
    • pfsense #2 LAN IP:

    I configured the sync' between the pfSense and it works through a dedicated interface (named "pfSync") with a private subnet no problem here :)

    I followed this tutorial to create my failover/redundancy system:

    The pfSync part is ok, I create the CARP VIPs (LAN and WAN) and I setup the advanced outbound NAT like this:

    Interface: LAN
    Source port: *
    Destination: *
    Destination port: *
    NAT address:
    NAT port: *
    Static port: NO

    (I followed this: "Edit the automatically added rule for LAN. Pick a shared CARP virtual IP address as the Translation IP address")

    Now, the pfSense boxes are plugged on two level 3 switches (LAN side). An behind those switches, I have two level 2 switches.

    With this configuration, a server which is plugged on a L2 switch cannot ping the (LAN CARP VIP) but can ping (L3 switch).

    If I plug the same server on a L2 switch which is directly connected to the two pfSense boxes, I can ping the LAN CARP VIP.

    So, I thought that the problem come from the Level 3 switch and indeed, I found that the Level 3 don't ping the LAN CARP VIP !

    And I did something: I create a entry in the ARP table of my L3 switch: I indicated the LAN CARP VIP and the mac address assiocated and IT WORKED :)

    Here is my problem: how the L3 and the pfSense boxes can communicate without create this entry ? How is it possible that my computer can ping the VIP but not my L3 ? My computer communicates on level 2 and is the only way to ping a CARP VIP ?

    Thanks for your help.

  • So ARP is failing on the L3 switch, almost certainly because it isn't issuing an ARP request (otherwise it wouldn't be the only thing that didn't work). Maybe a conflicting IP or incorrect mask on the switch. Something in that switch's config isn't right.

  • Hi CMB,

    Thanks for helping me.

    Since I read your answer, I verified all my configuration on my L3 switch and I found nothing that can help me…

    I did another test: I tried on the WAN CARP side and I have the same problem, we can't ping the ***.***.124.242 but ***.***.124.243 and ***.***.124.244, yes, we can.

    Indeed, the switch of my ISP can't find the WAN CARP. It is odd that our switches (mine and ISP's) can't ping those VIPs, no ? We both have misconfigured switches ?

  • I found something. The CARP is a multicast protocol and on my switch, multicast is not activated. Could the problem come from this ?

  • It's only multicast between the firewalls, that should have no implications on whether or not you get ARP from that IP.

