[SOLVED] pfSense CARP on KVM Hypervisor?
I'm running pfSense on a KVM Hypervisor (oVirt/FC19), which is working just fine. But for some reason CARP is not working.
I can see the VRRP advertisements on my KVM hypervisor coming in from one pfSense VM…
kvm# tcpdump -i vnet13 -s 1500 -n -X |grep -i vrrp tcpdump: WARNING: vnet13: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on vnet13, link-type EN10MB (Ethernet), capture size 1500 bytes 11:17:46.386437 IP 10.10.10.1 > 188.8.131.52: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36 11:17:47.353269 IP 10.10.10.1 > 184.108.40.206: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36 11:17:48.363266 IP 10.10.10.1 > 220.127.116.11: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
… but they never reach the interface of the secondary pfsense VM. Besides that the CARP IP is not reachable from any other host. The ARP table shows this:
kvm# arp -a | grep pfsense pfsense-carp.example.com (10.10.10.10) at <incomplete>on mytestint pfsense1.example.com (10.10.10.1) at 00:aa:44:00:xx:xx [ether] on mytestint</incomplete>
Is CARP supposed to work on KVM Hypervisors or are any specials tweaks and configs required to make it work?
OK, this was easy to solve. My KVM Hypervisor is oVirt… I wasn't aware that they introduced the network-filters feature which prevents guests from spoofing other mac-addresses than these which are assigned by the oVirt engine.
I just needed to disable this anti-spoofing feature. Now uCARP and CARP is working as expected :-)
More information is available from this post on the ovirt-users mailinglist.
Can you describe how you did this? Didn't find the hints on the user list. Thanks!
Just in case someone needs:
1. In the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false
2. Restart the ovirt-engine service
3. Halt and start the vms (a simple reboot does not work)
4. Re-run the test
Also, be sure the vms interfaces are e1000 (not virtIO)
i am also having issue with carp running kvm/qemu with libvirt.
the devices see each other and choose master and slave respectively but if i turn one off the clients cannot access the virtual ip anymore.
is this fix applicable in my case and if so how do i do it?