PfSense Cluster on vSphere ESXi5: Master/Backup not working correctly



  • Hello all,

    I'd like to discuss here a problem with 2 pfSense firewalls in a cluster configuration,
    both firewalls set up as virtual machines on VMware ESXi5 hosts.

    In short, my problem is that CARP does not work correctly:
    some interfaces are reported as "master" on the backup node.

    To describe the environment in a more detailed manner:

    pfSense Cluster:

    • consists of two VMs with pfsense 2.0.3

    • each pfSense node has 6 vNICs: WAN, LAN, OPT1 .. OPT4

    • the interfaces WAN and OPT1..OPT4 shall work in failover with CARP

    • the LAN interfaces are dedicated management interfaces (not clustered)

    Network topology:

    • the LAN and the WAN interfaces are connected via local vswitches to the physical network

    => for these interfaces the failover mechanism works correctly: one WAN interface is reported
          as master, the other as backup

    • the interfaces OPT1 .. OPT4 are connected to portgroups of a virtual distributed switch (VDS);
        the VDS is used only within the virtual environment

    => for the interfaces OPT1..OPT4 failover does not work, interfaces of both nodes are shown
          as master !!!!

    I'd like to add that I've set the properties of the portgroups of the VDS to:

    • promiscuous mode: accept
    • MAC address changes: accept
    • forged transmits: accept

    Does somebody know about this kind of problem?
    Or some hints for further investigations?

    Thanks a lot in advance,

    soenke



  • RTFM ;)

    http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users

    It seems you forgot:

    1. If you have multiple physical ports on the same vswitch, you must enable the Net.ReversePathFwdCheckPromisc option to work around a vswitch bug where multicast traffic will loop back to the host, causing CARP to not function with "link states coalesced" messages. (See below)

    and perhaps (the "(see below)" part) the need to switch promiscuous mode off and on again on every vhost to enable this.


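As an added example that is not part of the thread (and not pfSense or VMware code): a small POSIX shell script that turns the two checks discussed above into something scriptable. It parses the `ifconfig` output of both pfSense nodes to list the vhids that are MASTER on both (the split-brain symptom from the first post), and parses `esxcli system settings advanced list -o /Net/ReversePathFwdCheckPromisc` to confirm the option from the linked troubleshooting page is set. The ifconfig and esxcli outputs embedded below are constructed samples; the vhid numbers, addresses and hostnames are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect a CARP split brain from the
# `ifconfig` output of the two pfSense nodes, and check the ESXi advanced
# option named in the linked troubleshooting page. All sample output below
# is constructed; vhids and addresses are assumptions.

# carp_states OUTPUT -> one "vhid STATE" line per CARP VIP.
# pfSense 2.0.x (FreeBSD 8) prints "carp: MASTER vhid 1 advbase 1 advskew 0".
carp_states() {
    printf '%s\n' "$1" | awk '/carp: / { print $4, $2 }'
}

# carp_split_brain OUTPUT_A OUTPUT_B -> vhids that are MASTER on both nodes.
# A healthy pair has exactly one MASTER per vhid; two MASTERs means the CARP
# advertisements (multicast to 224.0.0.18) are not reaching the peer.
carp_split_brain() {
    {
        carp_states "$1" | sed 's/^/A /'
        carp_states "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END { for (v in a) if (a[v] == "MASTER" && b[v] == "MASTER") print v }
    ' | sort -n
}

# rpf_check_value ESXCLI_OUTPUT -> current value of Net.ReversePathFwdCheckPromisc
# as printed by: esxcli system settings advanced list -o /Net/ReversePathFwdCheckPromisc
# Anchoring on "^ *Int Value:" keeps "Default Int Value:" from matching.
rpf_check_value() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Int Value:/ { print $2 }'
}

# check_cluster OUTPUT_A OUTPUT_B ESXCLI_OUTPUT -> prints findings, returns 1 if any.
check_cluster() {
    rc=0
    bad=$(carp_split_brain "$1" "$2")
    if [ -n "$bad" ]; then
        echo "split brain: vhid(s) MASTER on both nodes: $(printf '%s' "$bad" | tr '\n' ' ')"
        rc=1
    fi
    if [ "$(rpf_check_value "$3")" != "1" ]; then
        echo "Net.ReversePathFwdCheckPromisc is not 1 on this ESXi host"
        rc=1
    fi
    return $rc
}

# Constructed sample: node A is MASTER for every vhid (WAN = vhid 1, OPT1 = 2, OPT2 = 3).
NODE_A_IFCONFIG=$(cat <<'EOF'
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.10.1.1 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.10.2.1 netmask 0xffffff00
        carp: MASTER vhid 3 advbase 1 advskew 0
EOF
)

# Constructed sample: node B is BACKUP on the vSwitch-backed WAN (vhid 1) as it
# should be, but wrongly MASTER on the VDS-backed OPT interfaces (vhids 2 and 3).
NODE_B_IFCONFIG=$(cat <<'EOF'
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.10.1.1 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 100
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.10.2.1 netmask 0xffffff00
        carp: MASTER vhid 3 advbase 1 advskew 100
EOF
)

# Constructed sample of the esxcli output on a host still at the default (0).
ESXI_RPF_OUTPUT=$(cat <<'EOF'
   Path: /Net/ReversePathFwdCheckPromisc
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 1
   String Value:
   Default String Value:
   Valid Characters:
   Description: Block duplicate packet in a teamed environment when the virtual switch is set to Promiscuous mode.
EOF
)

# Remediation on each ESXi 5.x host (real esxcli commands, run from the host shell):
#   esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1
#   esxcli network vswitch standard policy security set -v vSwitch0 \
#       --allow-promiscuous=true --allow-forged-transmits=true --allow-mac-change=true
# The security policy of a VDS portgroup is set in vCenter, not through esxcli.

check_cluster "$NODE_A_IFCONFIG" "$NODE_B_IFCONFIG" "$ESXI_RPF_OUTPUT" || echo "cluster needs attention"
```

Run the script as-is to see the constructed failure case; to use it against a live pair, capture `ifconfig` from each node (for example over SSH) into the two variables and the esxcli listing from each ESXi host into the third, and run it once per host, because the reverse-path option is per host, not per cluster.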