    Can't ping Virtual IP (LAN or WAN) except from CARP Master - Solved

    HA/CARP/VIPs
abtm:

      After reading through the forum I could not find this issue addressed anywhere.

I have two pfSense 1.2 firewalls set up in a CARP redundancy model with three defined interfaces on both boxes (1 WAN, 1 LAN and 1 sync). Firewall rules are allow any on sync and LAN and block only incoming unassigned IPs on WAN. Since I want the configuration to be seamless, I have defined the LAN virtual IP as the DNS server and gateway within DHCP. The problem is, only the pfSense box acting as the CARP master can actually ping the virtual IP. For the sake of completeness, I also tried to ping the WAN virtual IP from the CARP backup and was unsuccessful.

      My gut tells me it is a simple fix but I am just not seeing it.

      Help please.

GruensFroeschli:

        Did you create a rule on the interface on which the VIP is that allows traffic to the VIP?

        ( http://forum.pfsense.org/index.php/topic,7001.0.html )

abtm:

          LAN has the default rule of allow anything from the LAN network to anywhere (which I would think would include the LAN virtual IP).

          WAN has a rule added to allow ICMP from anywhere to anywhere (so that I can validate connectivity).

hoba:

Might be an ARP cache issue. Can you reset the devices in front of WAN and behind LAN to see if this is the case?

abtm:

Not an ARP issue. I reset the environment and confirmed an empty ARP cache before trying again to ping the virtual IP. I tried to ping an invalid IP on the LAN subnet and was correctly told destination host unreachable. On the other hand, with the virtual IP I just get no response.

Below is my ARP cache for a device on the LAN subnet behind pfSense:

Address                  HWtype  HWaddress           Flags Mask            Iface
172.19.36.129            ether   00:00:5E:00:01:01   C                     eth0
172.19.36.130                    (incomplete)                              eth0
172.19.36.251            ether   00:0C:29:53:65:CD   C                     eth0

.251 = pfSense real LAN IP
.129 = pfSense virtual IP
.130 = invalid IP

              This is the overall configuration I am using for this test environment (not the same one I originally posted about but a simpler one I can use for faster troubleshooting):

I have one machine on my home network running Ubuntu 7.10 with a single Ethernet interface. It is running VMware Server 1.0.5, which is running a single VM running pfSense 1.2. The VM has 3 bridged Ethernet interfaces: one for WAN (sitting on my home LAN), one for LAN (defined as 172.19.36.251/25) and one to be used for sync (172.19.36.9/29).

I have defined a virtual IP of 172.19.36.129/25 to operate on the pfSense LAN (on top of 172.19.36.251/25).
My host machine is pulling an IP from pfSense so that it logically sits behind the firewall. Its IP is 172.19.36.200/25.

              I have internet connectivity from the host machine.

Since all three pfSense interfaces share the same physical wire, I disabled ARP broadcasts. On the off chance that was the issue, I re-enabled them. I am unable to ping the virtual IP either way.

I am unsure where to go from here. Suggestions welcome.

              Thanks

abtm:
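The post above uses the client's ARP table to rule ARP out: the virtual IP resolved to a CARP virtual MAC (00:00:5E:00:01:xx, where the last octet is the VHID), so layer-2 resolution succeeded and the missing ping reply has to be explained elsewhere. The script below is an added example, not code from the thread or from pfSense: it parses a Linux `arp -n`-style table (the one from the post is embedded inline as sample input) and classifies each neighbour as a real host, a CARP VIP with its VHID, or an unresolved entry, so the same check can be repeated quickly on any client behind a CARP pair. The `check_vip` helper and its verdict strings are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# CARP (and VRRP) advertise a virtual MAC of the form 00:00:5e:00:01:<VHID>.
CARP_VMAC_PREFIX = "00:00:5e:00:01:"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Sample input: the ARP table posted above, embedded so the example runs offline.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.19.36.129            ether   00:00:5E:00:01:01   C                     eth0
172.19.36.130                    (incomplete)                              eth0
172.19.36.251            ether   00:0C:29:53:65:CD   C                     eth0
"""


@dataclass
class ArpEntry:
    address: str
    hwaddr: Optional[str]  # None when the kernel shows "(incomplete)"
    iface: str

    @property
    def carp_vhid(self) -> Optional[int]:
        """VHID encoded in the last octet of a CARP virtual MAC, else None."""
        if self.hwaddr and self.hwaddr.startswith(CARP_VMAC_PREFIX):
            return int(self.hwaddr[-2:], 16)
        return None


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse the whitespace-separated `arp -n` format (header line skipped)."""
    entries: List[ArpEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Address"):
            continue
        fields = line.split()
        address, iface = fields[0], fields[-1]
        if "(incomplete)" in fields:
            entries.append(ArpEntry(address, None, iface))
            continue
        # The MAC is the only field that matches the colon-hex pattern.
        mac = next((f.lower() for f in fields if MAC_RE.match(f.lower())), None)
        entries.append(ArpEntry(address, mac, iface))
    return entries


def classify(entry: ArpEntry) -> str:
    """Label an entry as a CARP VIP, a real host, or unresolved."""
    if entry.hwaddr is None:
        return "unresolved"
    vhid = entry.carp_vhid
    if vhid is not None:
        return f"carp-vip (VHID {vhid})"
    return "host"


def classify_table(text: str) -> Dict[str, str]:
    return {e.address: classify(e) for e in parse_arp_table(text)}


def check_vip(text: str, vip: str) -> str:
    """Verdict for a VIP: does the client's ARP cache point at a CARP MAC?"""
    by_addr = {e.address: e for e in parse_arp_table(text)}
    entry = by_addr.get(vip)
    if entry is None:
        return "no-entry: the client never resolved the VIP (ARP/layer-2 problem)"
    if entry.hwaddr is None:
        return "incomplete: ARP requests for the VIP went unanswered"
    if entry.carp_vhid is None:
        return f"unexpected-mac: {entry.hwaddr} is not a CARP virtual MAC"
    return (f"resolved: VIP maps to CARP VHID {entry.carp_vhid}; "
            "ARP is fine, look beyond layer 2")


if __name__ == "__main__":
    for addr, label in classify_table(SAMPLE_ARP_TABLE).items():
        print(f"{addr:16} {label}")
    print(check_vip(SAMPLE_ARP_TABLE, "172.19.36.129"))
```

On the sample table the VIP verdict is "resolved" with VHID 1, the invalid address is "incomplete", and the real LAN address is a plain host, which matches the poster's reading that the cache is not the problem; a "no-entry" or "incomplete" verdict for the VIP would instead point back at layer 2 (a CARP advertisement not reaching the segment, or a switch or hypervisor dropping the virtual MAC).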

After more research, I found the issue I am experiencing is a known VMware bug.

                http://communities.vmware.com/thread/72678
