Adding CARP address makes Proxy ARP fail…?



  • Hi

    I have a firewall that currently has 20 Proxy ARP adresses configured on its WAN interface. A bunch og webservers is natted on the different IP's.

    Last night i wanted to test if I could change the Proxy ARP adresses to CARP adresses. I'm planning a failover firewall setup, and just wanted to test if this would work…

    Well, last night i changed one of the Proxy ARP adresses to CARP, and everything seemed to work. I could still access the website from the internet... 3 hours later i got a bunch of alarms from my surveillance system... All the websites on the Proxy ARP adresses was failing. The site behind the CARP ip was working.

    I then changed the CARP address back to Proxy ARP, and all the other sites started working again.

    Can someone tell me what the heck went wrong? There wasn't a single error entry in the system log.



  • Do you have both firewall configured to use carp?

    If not, my suggestion is to enable carp only when you have two pfSenses working together.



  • Yes i have… The CARP address was marked as MASTER on the primary firewall.

    My theory is that the Proxy ARP addresses are configured with a /32, while the CARP address is configured as a /27. I'm thinking the CARP address has taken "control" of the subnet. And when the ARP cache timed out at my ISP, the PARP addresses stopped working.



  • It's not recommended to configure proxy arp with /32 netmask.

    As you have both firewalls configured and syncing states, rules, carps, just finish setup and change all proxy arps to carps.


  • Rebel Alliance Developer Netgate

    None of that is correct.

    A CARP VIP is only a single VIP but MUST have a subnet mask that matches the actual subnet it is inside of.

    Using Proxy ARP VIPs with a /32 mask is fine - it's just a single IP. If you use a /27 of Proxy ARP VIPs it would make the entire subnet of VIPs, but that only works with Proxy ARP VIPs, no others.

    You also cannot use Proxy ARP VIPs on a CARP cluster with a master and slave box. You would be creating an IP conflict if both systems advertise the IPs with Proxy ARP.

    If you are using a carp cluster, you must use CARP type VIPs, or "other" type VIPs (if additional subnet addresses are routed to your main CARP IP) for NAT and other actions.

    If your CARP VIP and Proxy ARP VIPs did not overlap on the same IP, they cannot conflict. If there was a conflict, it was from running Proxy ARP VIPs on both the master and slave.



  • @jimp:

    None of that is correct.

    A CARP VIP is only a single VIP but MUST have a subnet mask that matches the actual subnet it is inside of.

    Sorry for that, I confused the concepts of proxy arp with  ip alias  :P



  • I was after some clarification if that is ok.

    I have a /24 available on the WAN and I am using carp Master/Slave. I am trying to add additional IP's to the WAN port in the /24 which also contains the CARP master IP and I am trying to figure out what VIP type I should be using. Proxy ARP and IP Alias causes ARP issues where the Slave has ARPed first.

    What part am I missing?


  • Rebel Alliance Developer Netgate

    If the VIP must be on both nodes, it must be a CARP type VIP. You can either add CARP VIPs directly, using a unique VHID for each one – or alternately, add them as IP Aliases on top of the CARP VIP interface (a new thing in 2.x) that way you don't have to have a ton of VHIDs broadcast every second.



  • I created the CARP address and put the subnet as /24 and then I address the additional VIP as IP alias. From what I understand this is correct but the trouble is the upstream router has the MAC for the backup firewall not the master for the VIP ip alias addresses.



  • @Jonb:

    I created the CARP address and put the subnet as /24 and then I address the additional VIP as IP alias. From what I understand this is correct but the trouble is the upstream router has the MAC for the backup firewall not the master for the VIP ip alias addresses.

    Why don't you use only carp ips instead of Ip alias.

    The upstream router will see mac from master node.



  • because that means 253 Vhids



  • @Jonb:

    because that means 253 Vhids

    It's a one time job to get a full redundante firewall.


  • Rebel Alliance Developer Netgate

    If you use IP Alias on the WAN interface, that won't work, you have to add the IP alias VIPs and select their interface as your CARP VIP on WAN.

    You didn't specify if that is what you had done, but that is the most likely way to have broken it.



  • Light bulb lol  :) Thanks I understand now so select IP alias and rather than select WAN as the interface it will be X.X.X.X (Carp IP int)

    That will explain a lot as I didn't think it could or meant to be done that way.


  • Rebel Alliance Developer Netgate

    Yeah that's a new trick for 2.x. Each CARP VIP causes a VHID broadcast once per second. So if you have 250 VIPs, that's quite a lot of traffic. Plus you can't have more than 254 per segment.

    So we made it so that you can select the CARP VIP as the "interface" for the IP alias, that way the alias is actually made on the vipx interface and not the physical interface.

    That way it can fail over all at once when the CARP VIP switches, only requires one VHID, and so on. So in the long run it's faster to do multiple IPs that way, plus you bypass the normal limits of CARP, you just need to remember to pick the CARP entry as the interface :-)



  • fantastic thanks helps out big time.



  • @jimp:

    Yeah that's a new trick for 2.x. Each CARP VIP causes a VHID broadcast once per second. So if you have 250 VIPs, that's quite a lot of traffic. Plus you can't have more than 254 per segment.

    So we made it so that you can select the CARP VIP as the "interface" for the IP alias, that way the alias is actually made on the vipx interface and not the physical interface.

    That way it can fail over all at once when the CARP VIP switches, only requires one VHID, and so on. So in the long run it's faster to do multiple IPs that way, plus you bypass the normal limits of CARP, you just need to remember to pick the CARP entry as the interface :-)

    Great feature!!!  :D

    I'll test it.


  • Rebel Alliance Developer Netgate

    @marcelloc:

    Great feature!!!  :D

    I'll test it.

    We've had a few customers using it in production since we added it, it works quite well. :-)



  • Cool thanks I can confirm this working.


Log in to reply