VIP + 1:1 NAT on CARP Setup Not Working When Slave Online

  • I have a few VIPs (IP Alias) along with the three CARP VIPs for CARP with Multi-WAN. Each of the regular IP alias VIPs represents an external address on one WAN or the other. These simply 1 to 1 NAT to the respective web servers on ports dictated by simple firewall rules. 80, 443, etc.

    Now, everything works perfectly except for when I fire up the slave node, then I lose connectivity to all of my web services.

    When I power the slave server back off I also have to reboot the master server to get things working again.

    Status for CARP shows proper delegations where master shows "Master" for all of the CARP VIPs, and slave shows "Backup". I cannot find anything obvious in the logs either.

    I know I'm probably missing something simple. Any help is greatly appreciated.

  • Sounds like an IP conflict, like if you configured IP aliases on both systems. The gratuitous ARP sent in the process of bringing up the NIC post-reboot updates the upstream ARP cache to resolve the conflict (at least until the secondary is brought back up).

  • Thanks for the reply, cmb!
    Yes, that's very likely the case. I finally RTFM and found that I need to set up these as CARP VIPs as well, which I did… then I brought the secondary pfSense box online and it decided to pick up some VPN connections that were already established on the master. The connections are listening on the CARP interfaces so I'm not quite sure what happened this time.

    Looks like I'm going to be working on this over the weekend. I will check back and confirm as far as this particular issue goes.
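The misconfiguration discussed in this thread (the same IP alias VIP defined on both nodes, which fights over the upstream ARP cache once the backup boots) can be caught before failover by comparing the two nodes' VIP lists. The following is an added example, not code from the thread or from pfSense; the VIP records, field names (`mode`, `subnet`, `vhid`, `advskew`) and the `check_vips` function are constructed to mimic pfSense virtual IP entries.

```python
"""Added example: consistency check for a two-node CARP pair.

Rule 1: an IP alias VIP (owned unconditionally) must not exist on both nodes.
Rule 2: a CARP VIP must exist on both nodes with the same address per VHID,
        and the backup's advskew must be higher than the master's.
"""

# Constructed sample data mimicking pfSense virtual IP entries (not real config).
MASTER_VIPS = [
    {"mode": "carp", "subnet": "203.0.113.2", "vhid": 1, "advskew": 0},
    {"mode": "ipalias", "subnet": "203.0.113.10"},  # 1:1 NAT to a web server
]
BACKUP_VIPS = [
    {"mode": "carp", "subnet": "203.0.113.2", "vhid": 1, "advskew": 100},
    {"mode": "ipalias", "subnet": "203.0.113.10"},  # same alias: address conflict
]


def _aliases(vips):
    return {v["subnet"] for v in vips if v["mode"] == "ipalias"}


def _carp_by_vhid(vips):
    return {v["vhid"]: v for v in vips if v["mode"] == "carp"}


def check_vips(master, backup):
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems = []
    # Rule 1: an alias present on both nodes is announced by both at once.
    for ip in sorted(_aliases(master) & _aliases(backup)):
        problems.append(f"{ip}: IP alias on both nodes, convert to a CARP VIP")
    # Rule 2: CARP VIPs are shared by design, but must agree per VHID.
    m_carp, b_carp = _carp_by_vhid(master), _carp_by_vhid(backup)
    for vhid in sorted(set(m_carp) | set(b_carp)):
        m, b = m_carp.get(vhid), b_carp.get(vhid)
        if m is None or b is None:
            problems.append(f"VHID {vhid}: CARP VIP missing on one node")
        elif m["subnet"] != b["subnet"]:
            problems.append(f"VHID {vhid}: address differs between nodes")
        elif b["advskew"] <= m["advskew"]:
            problems.append(f"VHID {vhid}: backup advskew must exceed master's")
    return problems


if __name__ == "__main__":
    for line in check_vips(MASTER_VIPS, BACKUP_VIPS) or ["no problems found"]:
        print(line)
```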