Can't ping Virtual IP (LAN or WAN) except from CARP Master - Solved

abtm

After reading through the forum I could not find this issue addressed anywhere.

I have two pfsense 1.2 firewalls set up in a CARP model redundancy model with three defined interfaces on both boxes (1 WAN, 1 LAN and 1 sync).    Firewall rules are allow any on sync and LAN and block only incoming unassigned IPs on WAS.  Since I want the configuration to be seamless, I have defined the LAN virtual IP as the DNS server and gateway within DHCP.  The problem is, only the pfsense box acting as the CARP master can actually ping the virtual IP.  For the sake of completeness, I also tried to ping the WAN virtual IP from the CARP backup and was unsuccessful.

My gut tells me it is a simple fix but I am just not seeing it.

Help please.

GruensFroeschli

Did you create a rule on the interface on which the VIP is that allows traffic to the VIP?

( http://forum.pfsense.org/index.php/topic,7001.0.html )

abtm

LAN has the default rule of allow anything from the LAN network to anywhere (which I would think would include the LAN virtual IP).

WAN has a rule added to allow ICMP from anywhere to anywhere (so that I can validate connectivity).

hoba

Might be an arp-cache issue. Can you reset the devices in front of wan and behind lan to see if this is the case?

abtm

Not an ARP issue.  I reset the environment and confirmed an empty arp cache before trying again to ping the virtual IP.  I tried to ping an invalid IP on the LAN subnet and was correctly told destination host unreachable.  On the other hand with the virtual IP I just get no response.

Below is my ARP Cache for a device on the LAN subnet behind pfsense:

Address                  HWtype  HWaddress          Flags Mask            Iface
172.19.36.129            ether  00:00:5E:00:01:01  C                    eth0
172.19.36.130                    (incomplete)                                      eth0
172.19.36.251            ether  00:0C:29:53:65:CD  C                    eth0

251=pfsense real LAN IP
129=pfsense virtual IP
130=invalid IP

This is the overall configuration I am using for this test environment (not the same one I originally posted about but a simpler one I can use for faster troubleshooting):

I have one machine on my home network running Ubuntu 7.10 with a single ethernet interface.  It is running VMware Server 1.0.5 which is running a single vm running pfsense 1.2.  The vm has 3 bridged ethernet interfaces one for WAN (sitting on my home LAN), one for LAN (defined as 172.19.36.251/25) and one to be used for sync (172.19.36.9/29).

I have defined a virtual IP of 172.19.36.129/25 to operate on the pfsense LAN (on top of 172.19.36.251/25).
My host machine is pulling an IP from pfsense so that it logically sits behind the firewall.  Its IP is 172.19.36.200/25.

I have internet connectivity from the host machine.

Since all three pfsense interfaces share the same physical wire, I disabled ARP broadcasts.  On the off chance that was the issue, I re-enabled them.  I am unable to ping the virtual IP either way.

I am unsure where to go from here.  suggestions welcome.

Thanks

abtm

After more research, I found the issue I am experiencing is a known vmware bug.

http://communities.vmware.com/thread/72678