4. [SOLVED] pfSense CARP on KVM Hypervisor?

[SOLVED] pfSense CARP on KVM Hypervisor?

  • F

    Hi,

    I'm running pfSense on a KVM Hypervisor (oVirt/FC19), which is working just fine. But for some reason CARP is not working.

    I can see the VRRP advertisements on my KVM hypervisor coming in from one pfSense VM…

    
kvm# tcpdump -i vnet13 -s 1500 -n -X  |grep -i vrrp
tcpdump: WARNING: vnet13: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet13, link-type EN10MB (Ethernet), capture size 1500 bytes
11:17:46.386437 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:47.353269 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36
11:17:48.363266 IP 10.10.10.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 2, prio 0, authtype none, intvl 1s, length 36

    … but they never reach the interface of the secondary pfsense VM. Besides that the CARP IP is not reachable from any other host. The ARP table shows this:

    
kvm# arp -a | grep pfsense
pfsense-carp.example.com (10.10.10.10) at <incomplete>on mytestint
pfsense1.example.com (10.10.10.1) at 00:aa:44:00:xx:xx [ether] on mytestint</incomplete>

    Is CARP supposed to work on KVM Hypervisors or are any specials tweaks and configs required to make it work?

    Thanks

    • Frank
    0
  • F

    OK, this was easy to solve. My KVM Hypervisor is oVirt… I wasn't aware that they introduced the network-filters feature which prevents guests from spoofing other mac-addresses than these which are assigned by the oVirt engine.

    I just needed to disable this anti-spoofing feature. Now uCARP and CARP is working as expected :-)

    More information is available from this post on the ovirt-users mailinglist.

    0
  • J

    Can you describe how you did this? Didn't find the hints on the user list. Thanks!

    0
  • R

    Just in case someone needs:

    1. In the ovirt-engine run: engine-config -s EnableMACAntiSpoofingFilterRules=false
    2. Restart the ovirt-engine service
    3. Halt and start the vms (a simple reboot does not work)
    4. Re-run the test

    Also, be sure the vms interfaces are e1000 (not virtIO)

    0
  • M

    i am also having issue with carp running kvm/qemu with libvirt.
    the devices see each other and choose master and slave respectively but if i turn one off the clients cannot access the virtual ip anymore.
    is this fix applicable in my case and if so how do i do it?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy