[SOLVED] pfSense CARP on KVM Hypervisor?
-
Hi,
I'm running pfSense on a KVM Hypervisor (oVirt/FC19), which is working just fine. But for some reason CARP is not working.
I can see the VRRP advertisements on my KVM hypervisor coming in from one pfSense VM…
kvm# tcpdump -i vnet13 -s 1500 -n -X |grep -i vrrp
tcpdump: WARNING: vnet13: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet13, link-type EN10MB (Ethernet), capture size 1500 bytes
11:17:46.386437 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:47.353269 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:48.363266 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
… but they never reach the interface of the secondary pfsense VM. Besides that the CARP IP is not reachable from any other host. The ARP table shows this:
kvm# arp -a | grep pfsense
pfsense-carp.example.com (10.10.10.10) at <incomplete> on mytestint
pfsense1.example.com (10.10.10.1) at 00:aa:44:00:xx:xx [ether] on mytestint
Is CARP supposed to work on KVM Hypervisors, or are any special tweaks and configs required to make it work?
Thanks
- Frank
-
OK, this was easy to solve. My KVM Hypervisor is oVirt… I wasn't aware that they introduced the network-filters feature, which prevents guests from spoofing MAC addresses other than those assigned by the oVirt engine.
I just needed to disable this anti-spoofing feature. Now uCARP and CARP are working as expected :-)
More information is available from this post on the ovirt-users mailing list.
-
Can you describe how you did this? Didn't find the hints on the user list. Thanks!
-
Just in case someone needs:
1. In the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false
2. Restart the ovirt-engine service
3. Halt and start the VMs (a simple reboot does not work)
4. Re-run the test
Also, be sure the VMs' interfaces are e1000 (not virtIO)
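Added example, not part of the posts above and not oVirt or pfSense code: a small Python audit of a guest's libvirt domain XML (the output of `virsh dumpxml`) that reports, per NIC, whether a network filter is attached and which NIC model is used, the two settings the steps above change. The sample XML, its MAC addresses, bridge names and the filter name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml <domain>` output (not taken from the thread).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>pfsense1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:aa:44:00:00:01'/>
      <source bridge='mytestint'/>
      <target dev='vnet13'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:aa:44:00:00:02'/>
      <source bridge='mgmt'/>
      <target dev='vnet14'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return one dict per guest NIC with the settings that affect CARP."""
    root = ET.fromstring(domain_xml)
    findings = []
    for nic in root.findall("./devices/interface"):
        def attr(tag, name):
            node = nic.find(tag)
            return node.get(name) if node is not None else None
        filt, model = attr("filterref", "filter"), attr("model", "type")
        notes = []
        if filt:
            # CARP advertisements leave the guest with a virtual source MAC,
            # not the MAC assigned to the NIC, so a MAC anti-spoofing filter can drop them.
            notes.append(f"nwfilter '{filt}' attached; frames from other MACs may be dropped")
        if model != "e1000":
            notes.append(f"model is {model}; the thread suggests e1000")
        findings.append({"dev": attr("target", "dev"), "mac": attr("mac", "address"),
                         "filter": filt, "model": model, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(f["dev"], f["mac"], "; ".join(f["notes"]) or "ok")
```

Running it against the XML of each pfSense guest before and after the halt/start in step 3 shows whether the filter reference was actually removed from the running domain.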
-
I am also having an issue with CARP running KVM/QEMU with libvirt.
The devices see each other and choose master and slave respectively, but if I turn one off the clients cannot access the virtual IP anymore.
Is this fix applicable in my case, and if so, how do I do it?