Partial reachability in redundant CARP setup.



  • Hi.

    I'm setting up a network using a pair of pfsense firewalls to handle redundant links from my ISP.

    They have provided a pair of links, and are using HSRP to provide a virtual IP between them.
    I'm then connecting these each to one pfsense box and running CARP between the pfsense boxes.

    The two links have IPs .226 and .227, and the HSRP VIP is .225. .225/27 is then routed to me.
    I've set my pfSense boxes up with IPs .228 and .229, and the CARP IP is .230. Both have the gateway set to .225.

    This works, and I can access the internet etc. However, it only works for some IP addresses. So for instance I can access 8.8.4.4, but I can't get to 8.8.8.8 (Google's public DNS servers). I tried L3's DNS servers (4.2.2.1-6) and the odd ones work, the even ones don't.
    cloudmonitor.ca.com says it's pingable from about 50% of the internet.

    I can't find any pattern to which addresses are reachable and which aren't.

    Has anyone seen anything like this or have any ideas to debug it?



  • Same problem here.
    I have 2 pfSense boxes on two uplinks, but only a part of the internet can connect to my server behind the firewalls. Very strange. My ISP is using VRRP as far as I know, which is probably the problem.



  • How about using 1 pfSense only (without all the CARP things)... can 1 pfSense ping all the public IPs? If not, ISP problem; if yes, your pfSense CARP setup problem.
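A small helper for running the test suggested in the last reply in a repeatable way (probe the same targets from each pfSense box on its own, then compare). This is an added example, not code from the thread or from pfSense; the target list is the set of addresses named in the thread, and the `ping` flags assume a Linux-style ping.

```python
"""Compare reachability of the same targets from two vantage points."""
import subprocess
from typing import Callable, Dict, List

# Targets named in the thread: Google DNS plus Level3's 4.2.2.1-6.
TARGETS: List[str] = ["8.8.8.8", "8.8.4.4"] + [f"4.2.2.{n}" for n in range(1, 7)]


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping binary.
    Assumes Linux-style flags; FreeBSD's ping takes -W in milliseconds."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def probe_all(targets: List[str],
              probe: Callable[[str], bool] = ping_once) -> Dict[str, bool]:
    """Probe every target once; `probe` is injectable so this runs offline."""
    return {t: bool(probe(t)) for t in targets}


def compare(a: Dict[str, bool], b: Dict[str, bool]) -> Dict[str, List[str]]:
    """Group targets by which vantage point(s) reached them."""
    out: Dict[str, List[str]] = {"both": [], "only_a": [], "only_b": [], "neither": []}
    for t in sorted(set(a) | set(b)):
        ra, rb = a.get(t, False), b.get(t, False)
        key = "both" if ra and rb else "only_a" if ra else "only_b" if rb else "neither"
        out[key].append(t)
    return out


def split_pattern(cmp: Dict[str, List[str]]) -> bool:
    """True when every target answers from exactly one of the two boxes.
    With an HSRP/VRRP pair upstream, that is consistent with each box only
    carrying part of the address space end to end (a hint, not a proof)."""
    return (bool(cmp["only_a"]) and bool(cmp["only_b"])
            and not cmp["both"] and not cmp["neither"])


if __name__ == "__main__":
    # Real use: run this on each box, then feed both result dicts to compare().
    import json
    print(json.dumps(probe_all(TARGETS), indent=2))
```

If the two boxes reach disjoint, complementary sets of targets, the problem sits in how traffic is split between the two uplinks rather than in any single box.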