CARP VIP not working properly, does not respond to ping and has no connectivity



  • Hi! I've two pfsense firewalls using pfsync and Carp. This firewall set should receive traffic from two wireless lans. This is working almost ok.

I have the network X on bce2_vlan2064 and network V on bce2_vlan2065. Both come tagged from a MSM720 Wireless Controller (there is a switch where both boxes and the wireless controller are plugged in).

    On pfSense:

    Master:
    vlan_2064: interface has 10.129.64.252/24
    vlan_2065: interface has 10.129.65.252/24
    CARP VIP on vlan_2064: 10.129.64.254/24
    CARP VIP on vlan_2065: 10.129.65.254/24

    Slave:
    vlan_2064: interface has 10.129.64.253/24
    vlan_2065: interface has 10.129.65.253/24
    Backup on CARP VIPs.

    They should operate in the same way. But the problem is with the HA configuration for network V on bce2_vlan2065. Although CARP status shows that everything is ok, from slave box I can't ping the VIP (10.129.65.254/24). On network X this works fine and I can ping VIP 10.129.64.254/24 normally.

    Some information:

    • I've set rules to permit all traffic on these interfaces being tested

    • on network X, I can ping all addresses, on master interface, on slave interface and the VIP 10.129.64.254.

    • on network V, I CANNOT ping the VIP 10.129.64.254

    • I can ping the interface address, from master to slave and from slave to master

    • Carp status is ok, one master, one backup.

• But the network doesn't work (gateway, proxy, dns etc are on .254 IPs). So, since I can't ping the VIP from the slave, I'm thinking these services aren't working because of this connectivity problem.

    Tests already done:

    • tcpdump on master shows the packets arriving (just echo request)

    • there is no echo reply (why doesn't master (that has the VIP) send the reply?)

• I checked with tcpdump and these replies are not going to any other interface

• I have the firewall rules configured (I'm permitting all icmp on this interface)

    • All vrrp announcements are ok, I can see with tcpdump on both boxes.

• using arping I can do ARP from slave to master (the slave asks who has the VIP, the master answers with the CARP MAC address pattern), but the ping doesn't work.

What I think is most weird is that I can see the packets arriving on master, with tcpdump, but I cannot see any answer. No log is generated (no block). The packets simply disappear.

    And, the network X, that was configured in the same way, is working perfectly, with HA.
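The tcpdump check described in the post (echo requests reaching the master but no echo reply leaving it) can be run over a saved capture to pin down which address is swallowing packets. This is an added example, not code from the thread or from pfSense; the sample lines are constructed to mirror the addresses above, and the parser assumes the text format of `tcpdump -n` ICMP output.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -ni bce2_vlan2065 icmp` output taken on the master.
# Requests from the slave (.253) to the VIP (.254) get no reply, which is the
# symptom in the post; a request to the master's own address (.252) is answered.
SAMPLE_TCPDUMP = """\
10:15:01.000100 IP 10.129.65.253 > 10.129.65.254: ICMP echo request, id 4711, seq 1, length 64
10:15:02.000100 IP 10.129.65.253 > 10.129.65.254: ICMP echo request, id 4711, seq 2, length 64
10:15:03.000100 IP 10.129.65.253 > 10.129.65.252: ICMP echo request, id 4712, seq 1, length 64
10:15:03.000250 IP 10.129.65.252 > 10.129.65.253: ICMP echo reply, id 4712, seq 1, length 64
"""

ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_echo_requests(tcpdump_text):
    """Return {target_ip: count} of echo requests that never got a matching reply.

    A reply matches a request when it carries the same ICMP id and seq and
    flows in the opposite direction (reply src == request dst and vice versa).
    """
    pending = {}  # (src, dst, id, seq) of requests still waiting for a reply
    for line in tcpdump_text.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue  # not an ICMP echo line (e.g. CARP/VRRP announcements)
        src, dst, kind = m["src"], m["dst"], m["kind"]
        icmp_id, seq = m["id"], m["seq"]
        if kind == "request":
            pending[(src, dst, icmp_id, seq)] = True
        else:
            # the reply's src/dst are the request's dst/src
            pending.pop((dst, src, icmp_id, seq), None)
    missing = defaultdict(int)
    for (_src, dst, _id, _seq) in pending:
        missing[dst] += 1
    return dict(missing)


if __name__ == "__main__":
    for ip, n in unanswered_echo_requests(SAMPLE_TCPDUMP).items():
        print(f"{ip}: {n} echo request(s) without reply")  # 10.129.65.254: 2 ...
```

A non-empty result for the VIP alone, while the interface address answers, points at something between the VIP and the ICMP reply path rather than at the firewall rules or the wire.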



  • Hi, I found what was going on.

On my network V, where the VIP didn't reply to ping, I have one Captive Portal. So, just to remember:

    10.129.65.252 is the IP of master
    10.129.65.253 is the IP of slave
    10.129.65.254 is the Carp VIP (DNS forwarder, Proxy, Gateway etc).

If the Captive Portal is enabled, the interface drops all the packets silently. No log is generated. In this scenario, when we need one Carp VIP being the Captive Portal, Gw, DNS, DHCP etc, we must permit this VIP in the Captive Portal section:

    Services -> Captive Portal -> choose the CP -> Allowed IP Address and add the VIP.

    Now it's working as expected.


  • Rebel Alliance Developer Netgate

    I just noticed this and put a fix in for it yesterday: https://redmine.pfsense.org/issues/4903