CARP IPs not accessible from outside but work from inside on 2.1

  • Hi, we have built two brand new virtual pfsenses on VMware running version 2.1 with CARP configured between them.

    Problem is that we can ping the CARP IPs from inside but they are not accessible from outside the firewalls.

    Setup is like this:
    We have been given 3 IPs from a /26 by our DC and a separate /26 routed to the last of the 3 IPs, so our firewalls are configured as follows:

    Firewall 1
    Wan1 x.x.x.252 (VIP x.x.x.254) and Wan GW x.x.x.192 (provided by DC)
    LAN1 y.y.y.1 (VIP y.y.y.254)
    CARP z.z.z.1

    Firewall 2
    WAN2 x.x.x.253 (VIP x.x.x.254) and Wan GW x.x.x.192 as above
    LAN2 y.y.y.2 (VIP y.y.y.254)
    CARP z.z.z.2

    I can access the firewalls by their Wan IP but not by the VIP from outside; the VIP is accessible fine from inside though.
    I can't access any of the IPs in the /26 routed to the Wan VIP from outside.
    CARP Sync and XMLRPC are working fine.
    Promiscuous mode is enabled on all the vswitches.
    I have added allow all rules everywhere for testing but no joy.
    AON is enabled to make it a fully routable setup but doesn't help.

    If I manually configure one of the firewall to use the x.x.x.254 VIP as their main Wan IP then it works fine and I can access all of the /26 ip range behind it from outside.
    Has anyone any idea where to go from here?

  • OK, so I think I've figured this out myself after many hours of troubleshooting.

    By default I had set the VHID Group to 1 for the Wan VIP. I changed this to 10 and everything started working.
    I can only assume this is because somewhere up the line the Data Centre were also using a CARP IP on the same VHID and there was a clash resulting in failed routing of my /26 subnet to the VIP.

    Am I on the right track with this idea?

  • Changing the VHID requires a restart of CARP - disable, then enable in Status > CARP.
    Other than that, CARP uses a shared password which should match on both ends.
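
An added example, not part of the thread or of pfSense itself: one way to check for the VHID clash suspected above is to capture CARP/VRRP advertisements on the WAN segment (both use IP protocol 112 and multicast 224.0.0.18, and derive the same virtual MAC from the group ID) and look for your VHID being announced by a host that is not one of your firewalls. The capture lines, the 198.51.100.x addresses and the function names are constructed for illustration, and the tcpdump line format is assumed and may differ between versions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <wan_if> ip proto 112` output (not from the thread).
# 198.51.100.252/.253 stand in for the two firewalls' WAN addresses; .193 is a
# hypothetical upstream router advertising VRRP on the same segment.
SAMPLE = """\
10:00:01.000000 IP 198.51.100.252 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1234567890
10:00:01.200000 IP 198.51.100.193 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 200, authtype none, intvl 1s, length 20
10:00:02.000000 IP 198.51.100.252 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1234567891
10:00:02.100000 IP 198.51.100.193 > 224.0.0.18: VRRPv2, Advertisement, vrid 7, prio 200, authtype none, intvl 1s, length 20
"""

# Source IP plus the group ID, whether printed as CARP "vhid=N" or VRRP "vrid N".
ADVERT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: .*?\b(?:vhid=|vrid )(\d+)")

def virtual_mac(group_id):
    # CARP and IPv4 VRRP both use 00:00:5e:00:01:<group ID in hex>.
    return "00:00:5e:00:01:%02x" % group_id

def advertisers(capture):
    """Map each VHID/VRID seen in the capture to the set of source IPs advertising it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = ADVERT.search(line)
        if m:
            seen[int(m.group(2))].add(m.group(1))
    return seen

def conflicts(capture, own_nodes, own_vhids):
    """Return {vhid: foreign advertisers} for VHIDs we use that other hosts also announce."""
    result = {}
    for vhid, sources in advertisers(capture).items():
        foreign = sources - set(own_nodes)
        if vhid in own_vhids and foreign:
            result[vhid] = sorted(foreign)
    return result

if __name__ == "__main__":
    ours = {"198.51.100.252", "198.51.100.253"}
    for vhid, foreign in conflicts(SAMPLE, ours, {1}).items():
        print("VHID %d (%s) also advertised by %s"
              % (vhid, virtual_mac(vhid), ", ".join(foreign)))
```

Running the same check with the VHID changed to 10 reports no conflict for this sample, which matches the behaviour described in the second post.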