[SOLVED] pfSense CARP on KVM Hypervisor?



  • Hi,

    I'm running pfSense on a KVM Hypervisor (oVirt/FC19), which is working just fine. But for some reason CARP is not working.

    I can see the VRRP advertisements on my KVM hypervisor coming in from one pfSense VM…

    
    kvm# tcpdump -i vnet13 -s 1500 -n -X  |grep -i vrrp
    tcpdump: WARNING: vnet13: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vnet13, link-type EN10MB (Ethernet), capture size 1500 bytes
    11:17:46.386437 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
    11:17:47.353269 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
    11:17:48.363266 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
    
    

    … but they never reach the interface of the secondary pfSense VM. Besides that, the CARP IP is not reachable from any other host. The ARP table shows this:

    
    kvm# arp -a | grep pfsense
    pfsense-carp.example.com (10.10.10.10) at <incomplete> on mytestint
    pfsense1.example.com (10.10.10.1) at 00:aa:44:00:xx:xx [ether] on mytestint
    

    Is CARP supposed to work on KVM hypervisors, or are any special tweaks and configs required to make it work?

    Thanks

    • Frank


  • OK, this was easy to solve. My KVM Hypervisor is oVirt… I wasn't aware that they introduced the network-filters feature, which prevents guests from spoofing MAC addresses other than those assigned by the oVirt engine.

    I just needed to disable this anti-spoofing feature. Now uCARP and CARP are working as expected :-)

    More information is available from this post on the ovirt-users mailing list.



  • Can you describe how you did this? Didn't find the hints on the user list. Thanks!



  • Just in case someone needs:

    1. In the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false
    2. Restart the ovirt-engine service
    3. Halt and start the VMs (a simple reboot does not work)
    4. Re-run the test

    Also, be sure the VMs' interfaces are e1000 (not virtIO)
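
Added example, not part of any post in this thread: a small check that reads a libvirt domain definition (as printed by `virsh dumpxml`) and reports, per virtual NIC, the device model and whether a network filter is attached, so the effect of the steps above can be confirmed after the VMs are stopped and started. The XML is a constructed sample, and the filter name `vdsm-no-mac-spoofing` in it is an assumption about what oVirt attaches.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `virsh dumpxml` output (not from the thread).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>pfsense1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='mytestint'/>
      <target dev='vnet13'/>
      <model type='virtio'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='mgmt'/>
      <target dev='vnet14'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return one dict per vNIC: VM name, tap device, MAC, model, nwfilter (or None)."""
    root = ET.fromstring(domain_xml)
    vm = root.findtext("name")
    report = []
    for nic in root.findall("./devices/interface"):
        def attr(tag, name):
            el = nic.find(tag)
            return el.get(name) if el is not None else None
        report.append({"vm": vm, "tap": attr("target", "dev"),
                       "mac": attr("mac", "address"),
                       "model": attr("model", "type"),
                       "filter": attr("filterref", "filter")})
    return report

def filtered_nics(report):
    """Tap devices with any nwfilter attached; whether it drops CARP depends on its rules."""
    return [n["tap"] for n in report if n["filter"] is not None]

if __name__ == "__main__":
    for nic in audit_interfaces(SAMPLE_DOMAIN_XML):
        state = f"filtered by {nic['filter']}" if nic["filter"] else "no nwfilter"
        print(f"{nic['vm']} {nic['tap']} {nic['mac']} model={nic['model']}: {state}")
```

A NIC that still lists a filter after the change points to a VM that was only rebooted rather than halted and started.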



  • I am also having an issue with CARP running KVM/QEMU with libvirt.
    The devices see each other and choose master and slave respectively, but if I turn one off the clients cannot access the virtual IP anymore.
    Is this fix applicable in my case, and if so, how do I do it?

