VIP / CARP on public WAN address not working



  • Hello,
I want to set up a Master/Slave configuration on pfsense with virtual IPs and CARP. On my local networks everything seems to work fine (the VIP answers to pings). But on my WAN interface it doesn't work.

    I have 2 pfsense nodes

    pfsense0 wan ip:11.11.111.187/27
    pfsense1 wan ip:11.111.111.186/27
    pfsense-group vip: 11.111.111.162/27

My understanding of a failover firewall with VIP/CARP would be that I can reach the firewall on the pfsense-group IP and do not have to worry about which pfsense answers the request. Problem is: I can ping the pfsense0 WAN IP and the pfsense1 WAN IP, but the pfsense-group VIP doesn't answer my pings.

    My Carp/Failover Status looks like this:
    pfsense0:

    pfsense1:

    So I would assume that something goes funny here. Can anyone put me on the right track to get this fixed?



  • Yeah, something funny is going on. Double check the setup. How are the wans connected? If there is an intermediate switch between you and the provider router, verify it is not blocking any traffic. You should be able to ping the WAN of the other node from each firewall.



  • The systems can't see each other on WAN, make sure they can communicate between each other on WAN and that'll go away.



Well, they can ping each other, so ICMP is working fine. What else can I test?



  • The CARP multicast traffic doesn't make it across. Packet capture to watch the multicast (tcpdump will show as VRRP).



Looks like my hoster (who is hosting a VMware vCloud for us) is blocking the traffic from the virtual MAC address. The traffic on the internal interfaces gets through because it is handled differently on the hypervisor's side.

Any advice on alternative settings which will achieve the same thing?

I'm not after hardware redundancy by itself; I was looking for a way that would let me upgrade my pfsense without downtime.

    Thanks for your help so far.
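The two diagnostic points raised above (CARP advertisements are IP protocol 112 to 224.0.0.18, which tcpdump labels VRRP, and they are sourced from the virtual MAC 00:00:5e:00:01:&lt;vhid&gt; that the hypervisor may filter) can be checked offline against a capture. The following is an added example, not code from this thread or from pfSense: it decodes CARP advertisement frames and reports, for a given VHID, whether the peer's advertisements are reaching the node. The addresses, VHID and frames are constructed for the demonstration; IP checksums and the CARP HMAC are zeroed and not validated.

```python
"""Decode CARP advertisements and tell whether a node sees its peer.

Added example, not part of the forum thread or pfSense. Frames built by
build_carp_frame() are constructed test data with zeroed checksums/HMAC.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CARP_PROTO = 112            # same IP protocol number as VRRP, hence tcpdump's "VRRP" label
CARP_MCAST = "224.0.0.18"   # advertisement multicast group
CARP_MCAST_MAC = "01:00:5e:00:00:12"
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1      # only CARP message type in use


@dataclass(frozen=True)
class CarpAdvert:
    src_ip: str
    src_mac: str
    vhid: int
    advbase: int
    advskew: int
    demotion: int


def carp_vmac(vhid: int) -> str:
    """Virtual MAC a CARP node sources its advertisements (and VIP traffic) from."""
    return f"00:00:5e:00:01:{vhid:02x}"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_carp_frame(frame: bytes) -> Optional[CarpAdvert]:
    """Decode one Ethernet frame; return None unless it is a CARP advertisement."""
    if len(frame) < 14 + 20 + 8:
        return None
    src_mac = _mac(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != CARP_PROTO or _ip(ip[16:20]) != CARP_MCAST:
        return None
    carp = ip[ihl:]
    if len(carp) < 8:
        return None
    # CARP header: version/type, vhid, advskew, authlen, demotion, advbase, checksum
    ver_type, vhid, advskew, _authlen, demotion, advbase, _cksum = struct.unpack("!BBBBBBH", carp[:8])
    if ver_type >> 4 != CARP_VERSION or ver_type & 0x0F != CARP_ADVERTISEMENT:
        return None
    return CarpAdvert(_ip(ip[12:16]), src_mac, vhid, advbase, advskew, demotion)


def senders_per_vhid(adverts: List[CarpAdvert]) -> Dict[int, Set[str]]:
    """Map each VHID to the set of source IPs whose advertisements were seen."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    for a in adverts:
        seen[a.vhid].add(a.src_ip)
    return dict(seen)


def expected_master(adverts: List[CarpAdvert], vhid: int) -> Optional[str]:
    """CARP elects the node advertising most often (interval advbase + advskew/256 s),
    so the lowest (advbase, advskew) pair should hold MASTER."""
    cands = [a for a in adverts if a.vhid == vhid]
    if not cands:
        return None
    return min(cands, key=lambda a: (a.advbase, a.advskew)).src_ip


def diagnose(adverts: List[CarpAdvert], vhid: int, local_ip: str, peer_ip: str) -> str:
    """Interpret a capture taken on one node's interface for a single VHID."""
    senders = senders_per_vhid(adverts).get(vhid, set())
    if peer_ip not in senders:
        return "peer advertisements never arrive: multicast or virtual MAC filtered upstream"
    if local_ip not in senders:
        return "only the peer advertises: local node is BACKUP or not advertising"
    return f"both nodes advertise; expected MASTER is {expected_master(adverts, vhid)}"


def build_carp_frame(src_ip: str, vhid: int, advskew: int, advbase: int = 1) -> bytes:
    """Construct a CARP advertisement frame for testing (checksums and HMAC zeroed)."""
    eth = bytes(int(x, 16) for x in CARP_MCAST_MAC.split(":")) \
        + bytes(int(x, 16) for x in carp_vmac(vhid).split(":")) + b"\x08\x00"
    # authlen 7 = counter + HMAC-SHA1 in 32-bit words; counter and HMAC left zeroed here
    payload = struct.pack("!BBBBBBH", (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                          vhid, advskew, 7, 0, advbase, 0) + bytes(8) + bytes(20)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 20 + len(payload), 0, 0, 255, CARP_PROTO, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in CARP_MCAST.split(".")))
    return eth + ip_hdr + payload


if __name__ == "__main__":
    # Constructed scenario: capture on node A (203.0.113.187) shows only its own adverts.
    node_a, node_b, vhid = "203.0.113.187", "203.0.113.186", 1
    broken = [parse_carp_frame(build_carp_frame(node_a, vhid, 0))] * 3
    print(diagnose(broken, vhid, node_a, node_b))
    healthy = [parse_carp_frame(build_carp_frame(node_a, vhid, 0)),
               parse_carp_frame(build_carp_frame(node_b, vhid, 100))]
    print(diagnose(healthy, vhid, node_a, node_b))
```

Feed it frames from a real capture (for example via a pcap reader) taken on each node's WAN; if each node only ever sees its own advertisements, both will claim MASTER, which is exactly what a blocked virtual MAC or dropped multicast produces. Note that a CARP password mismatch looks the same on the wire (the peer silently discards the advertisements), so the HMAC, which this decoder does not check, is the next thing to rule out once the frames are shown to arrive.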

