Multi WAN using CARP interface for Gateway Monitor?

  • Dear folks,

    I have an issue with a setup I've been doing where I have a LB1 and LB2.
    LB1 is a primary carp master doing load balancing, and LB2 is a hot standby.

    I am using alternate monitoring IPs, which add static routes to the host out each gateway (correct).

    However, I noticed that LB2 cannot monitor the second gateway when it's in the backup state.
    The routing table shows that it's using vip11 as interface to the monitor IP rather than em3.
    The same thing happens on LB1, only that LB1 is the master and can actually initiate traffic from vip11.
    Note that this doesn't happen for gateway 1.

    I am sure it's something simple I'm missing, but is there any way to rectify this?

    Thanks in advance for your answer!

  • Maybe you have to set up an outbound NAT rule to reach your monitor IP.

  • I apologize for the late reply, I never got a notification for your answer.

    I don't have a NAT for the monitor IP on that interface, I have only NAT via "Interface Address" as in the screenshot below.

    Is that wrong?

  • I think that there is no need to outbound NAT for

    Do you need NAT only on DMZ2?

  • I apologize for the confusion.
    NAT is enabled for DMZ1, too, with the same entries (of course NAT with DMZ1 address). But DMZ2 is the interface in question.
    On the DMZ1 interface, the backup carp member uses the correct (em0) interface for the route to the monitor IP.
    Only for DMZ2 (em1) it uses the vip11 interface for the static route to the monitor IP.

    It does the same on the master carp member, however, since it is the master, it can actually successfully use vip11 to ping the monitor IP.

    I'm quite confused as to why this issue occurs sometimes.
    It might also be notable that on the DMZ2 interface I recently had another problem where the master stopped advertising the CARP IP and the backup falsely promoted itself to master.
    This only happened on the DMZ2 interface though. After re-saving the CARP IP, the master started broadcasting priority 0 again.

    I'm sorry if I'm mixing two issues here, but I thought it might be pertinent since both relate to CARP issues.

  • As you replicate rules and NAT while using CARP, the NAT for the monitor IP must be configured to the interface address instead of the CARP address. This way both (master and slave) boxes can check the IP.

  • Thanks for your speedy answer!

    The NATs are indeed mapped to the interface address, not the virtual CARP IP, as seen in the detail screenshot.
    That is why I'm confused as to why this particular problem is occurring.

  • See if you can ping this monitor IP on the second pfSense console.

  • Thanks for your reply.

    I can only ping it if I specify the source address as the em1 address, because otherwise it'll attempt using the CARP address.
    I have attached a screenshot of the routing table where it shows that vip11 is used rather than em1 for the routes.

    Of course gateways and are in different subnets (/28).
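The check the thread keeps coming back to is whether the static route to each monitor IP leaves via the physical interface (em0/em1) or via a CARP VIP pseudo-interface (vip11). The script below is an added example, not code from the thread or from pfSense: it parses FreeBSD-style `netstat -rn` output and flags any monitor route whose egress interface is not the expected physical one. The route table text, the monitor IPs (192.0.2.1, 192.0.2.2), the gateway addresses and the mapping in `EXPECTED_MONITOR_IFACE` are all constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of FreeBSD `netstat -rn` output (not taken from the thread).
# The route to the second monitor IP wrongly egresses via vip11 instead of em1,
# mirroring the symptom described in the posts above.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.1       UGS         0    12345    em0
198.51.100.0/28    link#1             U           0      100    em0
198.51.100.1       00:00:5e:00:01:01  UHS         0       10    em0
203.0.113.0/28     link#2             U           0       80    em1
192.0.2.1          198.51.100.1       UGHS        0      500    em0
192.0.2.2          203.0.113.1        UGHS        0      500  vip11
"""

# Constructed expectation: monitor IP -> physical interface its static route
# should use (DMZ1 = em0, DMZ2 = em1 in this example).
EXPECTED_MONITOR_IFACE = {"192.0.2.1": "em0", "192.0.2.2": "em1"}

# Interface name prefixes pfSense/FreeBSD use for CARP virtual IPs.
VIP_PREFIXES = ("vip", "carp")


def parse_netstat_rn(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {destination: (gateway, netif)} for every route line in netstat -rn output.

    Column layout is Destination Gateway Flags Refs Use Netif [Expire]; lines with
    fewer than six whitespace-separated fields are banners, blank lines or headers.
    """
    routes: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        destination, gateway, netif = fields[0], fields[1], fields[5]
        routes[destination] = (gateway, netif)
    return routes


def find_misrouted_monitors(
    routes: Dict[str, Tuple[str, str]], expected: Dict[str, str]
) -> List[Tuple[str, str, str]]:
    """Return (monitor_ip, actual_netif, expected_netif) for each monitor whose
    host route is missing, leaves via a CARP VIP interface, or uses the wrong NIC.

    A missing route is reported with actual_netif "<none>".
    """
    problems: List[Tuple[str, str, str]] = []
    for monitor_ip, wanted_if in expected.items():
        if monitor_ip not in routes:
            problems.append((monitor_ip, "<none>", wanted_if))
            continue
        _gateway, actual_if = routes[monitor_ip]
        if actual_if.startswith(VIP_PREFIXES) or actual_if != wanted_if:
            problems.append((monitor_ip, actual_if, wanted_if))
    return problems


if __name__ == "__main__":
    table = parse_netstat_rn(SAMPLE_ROUTES)
    for ip, actual, wanted in find_misrouted_monitors(table, EXPECTED_MONITOR_IFACE):
        print(f"monitor {ip}: route uses {actual}, expected {wanted}")
```

On a real box you would feed the script the live output of `netstat -rn` (for example via `subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout`) on both the master and the backup; a monitor whose route egresses via a vip interface is exactly the case where the backup node cannot source probes, because it does not own the CARP address while in the backup state.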