Carp with vlans: firewall question

  • Our setup: 2 pfsense boxes with carp (working just fine for years)
    Now, I'm testing with VLANs: I defined vlan 11 on the LAN interface: (master), (backup), (carp virtual ip)
    In the firewall rules, under the VLAN11 tab, I have no rules at all.
    On a client computer, which is on a vlan 11 switchport, I try a couple of pings:

    ping -> no reply
    ping -> no reply
    ping -> reply

    in the firewall logging, I see that the ping to is blocked indeed. When I create a rule to allow all traffic from vlan 11 to everywhere, all pings work. When I look under diagnostics -> states, I only see states for .1 and .2, not for .3.

    My conclusion: traffic for .1 and .2 (the master) is handled by the firewall, traffic for .3 (the backup) is not.

    I'm sure there is a perfectly good explanation, but I really don't see it… is there anyone who can explain it to me?

  • no rules = nothing allowed = no traffic

  • Yes, I know, but why does a ping to give me a reply then?

  • Hmm, seems like my question is not as easy as I thought it would be…

  • I created another vlan (12) today, and have the exact same issue. I can ping the backup-carp ip, but not that master nor the virtual. The firewall rules are empty, so nothing should be allowed. Any help or ideas are very welcome!

Log in to reply