Pings to the internet stop after a CARP faillover



  • This is my setup:

    Everything is running inside a new VMware vSphere environment

    WAN
    WAN Virtual CARP IP: x.x.x.190
    PFSense 1 WAN: x.x.x.188
    PFSense 2 WAN: x.x.x.189

    LAN
    LAN Virtual CARP IP: 192.168.110.253/24
    PFSense 1 LAN: 192.168.110.251
    PFSense 2 LAN: 192.168.110.252

    PFSense 1 is the master and all settings are set to sync over a separate network between the two firewalls (pfsync) – this is working as changes made to pfsense 1 are replicated to pfsense 2

    Workstation 1 (Windows)
    192.168.110.4/24
    Gateway: 192.168.110.253 (The LAN Virtual CARP IP

    The problem
    On Workstation 1 I set a constant ping to 8.8.8.8 (Google’s public DNS)
    On Workstation 1 I set a constant ping to 192.168.110.253 (The virtual LAN IP)

    I “unplug” PFSense 1 and PFSense 2 becomes the master but the pings to 8.8.8.8 stop and don’t continue.

    I did this again but was pinging 192.168.110.253 (The virtual LAN IP) which stopped for a second (1 dropped) then continue automatically which is as expected.

    It looks like the pings to 8.8.8.8 are dropped and do not continue.
    UPDATE: Once the pings to 8.8.8.8 stop working, if I then ping 8.8.4.4 this works but the 8.8.8.8 ones still wont
    UPDATE: I've tried this on a linux machine and pinging 8.8.8.8 stops when the firewall is disconnected and doesn't resume, however it does work again if I restart the ping to 8.8.8.8 (unlike on the windows machine) - I also notice that I'm getting DUP! pings on the linux machine when the master is online.

    Does anyone know what could be causing this?



  • Sounds like what happens when you don't have your outbound NAT configured to NAT to a CARP IP, it's still sending out via the primary's WAN IP which won't reach the secondary.



  • Many thanks for your help on this.
    I've set outbound NAT as below on the master (which replicated to the backup) but still get the same problems, does this look right?



  • Apologies, this is working after I select this:

    No more DUP! packets when pinging from a Linux machine and failover to the backup drops a few pings then automatically recovers.

    Hopefully this will help someone else.



  • drat, same issue here, but didn't fix it for me.  the moment I set this NAT rule I get nothing though.


Log in to reply