LAN and WAN CARP state mismatch
I am setting up two pfSense routers. On my LAN side, I have three VLANs. My WAN side has no tagged traffic on it. Each interface has a CARP address turned up, and pfsync is operating correctly.
Upstream are two VRRP switches. I have both my WAN ports on my routers connected to a switch with both VRRP ports connected. Manual outbound NAT is turned up, and all traffic is being mapped to the WAN CARP address.
The trouble comes from me testing the failover: at least half of the time they cease to pass packets. I figured out by watching the CARP status that the LAN side and WAN side get out of phase, and the routing gets asymmetric. I verified this by pinging 126.96.36.199 from an internal host and running tcpdump on each router's WAN port: the ICMP echo request exits one router, and the echo reply comes back to the other router.
Is there a way to ensure all CARP addresses switch over, maintaining one router as active and the other as passive? Should they already do so and something's not right?
I saw the section in the book about using IP aliases and tying them to the CARP address, but that looks like aliases on the same interface as the CARP address only.
By the way, both firewalls are using pfsync on another interface. Wouldn't pfsync
a) pass state info so they COULD do asymmetric routing?
b) completely switch the firewalls active/passive states?
I found my answer:
Ensure the clocks are synced correctly. One had NTP turned off, and the wrong timezone set.
Just like the last line in the "configuration synchronization problems" section of the 2.1 book.
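The out-of-phase condition described in the post (WAN VHID MASTER on one node while a LAN VHID is MASTER on the other) can be spotted automatically rather than by eyeballing the CARP status page. The following is an added example, not code from the thread or from the pfSense project: it parses the `carp: STATE vhid N ...` lines that FreeBSD `ifconfig` prints on each node and reports any VHID whose state disagrees with the node's other VHIDs, any VHID that is MASTER on both nodes, and any VHID with no MASTER at all. The two `ifconfig` excerpts are constructed sample output, and the interface names, VHIDs and addresses in them are assumptions.

```python
import re

# Constructed sample output in the style of FreeBSD `ifconfig` on a pfSense
# node. Only the "carp:" lines matter to the parser; the rest is context.
# Router A holds the WAN VHID and two LAN VLAN VHIDs but lost VLAN 10.
ROUTER_A = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
\tcarp: BACKUP vhid 10 advbase 1 advskew 0
em1_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255
\tcarp: MASTER vhid 20 advbase 1 advskew 0
em1_vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.30.2 netmask 0xffffff00 broadcast 10.0.30.255
\tcarp: MASTER vhid 30 advbase 1 advskew 0
"""

# Router B is the mirror image: BACKUP everywhere except VLAN 10.
ROUTER_B = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1_vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
\tcarp: MASTER vhid 10 advbase 1 advskew 100
em1_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.3 netmask 0xffffff00 broadcast 198.51.100.255
\tcarp: BACKUP vhid 20 advbase 1 advskew 100
em1_vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.30.3 netmask 0xffffff00 broadcast 10.0.30.255
\tcarp: BACKUP vhid 30 advbase 1 advskew 100
"""

# One line per CARP VHID: "carp: MASTER vhid 1 advbase 1 advskew 0"
CARP_RE = re.compile(r"^\s*carp:\s+(MASTER|BACKUP|INIT)\s+vhid\s+(\d+)", re.MULTILINE)


def parse_carp_states(ifconfig_text):
    """Return {vhid: state} for every carp: line in one node's ifconfig output."""
    return {int(vhid): state for state, vhid in CARP_RE.findall(ifconfig_text)}


def out_of_phase(states):
    """True when one node is MASTER for some VHIDs and not for others.

    That is exactly the condition that makes the LAN and WAN sides of the
    pair diverge and produces the asymmetric path seen in the tcpdump."""
    return len(set(states.values())) > 1


def diagnose(ifconfig_a, ifconfig_b):
    """Compare two nodes' CARP state and return a list of human-readable problems.

    An empty list means every VHID has exactly one MASTER and each node is
    consistently active or consistently passive across all its VHIDs."""
    a, b = parse_carp_states(ifconfig_a), parse_carp_states(ifconfig_b)
    problems = []
    for name, states in (("router A", a), ("router B", b)):
        if out_of_phase(states):
            problems.append(f"{name} is out of phase: {states}")
    for vhid in sorted(set(a) | set(b)):
        sa, sb = a.get(vhid), b.get(vhid)
        if sa is None or sb is None:
            problems.append(f"vhid {vhid} is configured on only one router")
        elif sa == "MASTER" and sb == "MASTER":
            problems.append(f"vhid {vhid} is MASTER on both routers (split brain)")
        elif sa != "MASTER" and sb != "MASTER":
            problems.append(f"vhid {vhid} has no MASTER")
    return problems


if __name__ == "__main__":
    for line in diagnose(ROUTER_A, ROUTER_B):
        print(line)
```

On a live pair, feed the function the output of `ifconfig` captured from each node (for instance over SSH) and run it after every failover test; a non-empty result is the signal to go looking at the causes the thread names, such as the clock and timezone mismatch that turned out to be the problem here. A pair that is both entirely MASTER is flagged as split brain, which is the other failure shape worth catching with the same check.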