1. Home
  2. pfSense® Software
  3. HA/CARP/VIPs
  4. Can't ping LAN VIP in CARP

Can't ping LAN VIP in CARP

  • M

    Hello,
    After (more or less) solving my last problem, I configured CARP following the tutorial. It works perfectly, EXCEPT that I can not ping the LAN VIP! If I try to ping it my packets get routed to the internet (traceroute shows this quite well, and I receive a "host unreachable" from routers on the net)… tcpdumping around in fact shows that the packets get in from the LAN if... and go out, correctly natted, from one of the WANs (in a perfect round-robin fashion). Except for this, all the traffic to the internet works flawlessly.
    So my question is: is the LAN VIP really ought to be non-reachable, or did I screw something badly?

    Cheers,
    Rod

    0
  • dotdash

    Sounds like you are running CARP and dual WAN. If you put in a firewall rule on the LAN that redirects all traffic to a particular gateway/pool, then traffic destined for CARP address will also get sent to the gateway/pool. I work around this by adding another rule to allow the local subnet using the default gateway. Something like:
    LAN firewall rules:
    Allow * src=lan net * dest=lan net * *
    Allow * src=lan net * * * gateway=load balancer

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy