Hi all
I setup again a new HA cluster running on two Hyper-V boxes. I did the HA setup same as my other installations but this time i cannot reach the CARP VIP from the WAN side. It's a pretty standard setup at follows:
- Two ONPSense with LAN and WAN Interfaces
- MAC spoofing is enabled
- Added a CARP VIP on both interfaces
- Setup sync between HA pairs
- Failover is working tested from the LAN
- Ping to all Interfaces including the VIPs possible from LAN
What does NOT work now:
- I Can reach the real WAN IPs from the WAN transfer network but NOT the VIP
- I cannot use the WAN VIP in the outbound NAT rule > Internet is not reachable anymore
I did recreate all the VIPs, recreate the outbound NAT rule, rebooted several times, checked the Firewall logs, checked the TCPDump (not one package to the WAN VIP..).
Any ideas??
Many thanks!
I have exactly the same problem. I have to give the physical interfaces the required IP address, then the OPNsense works. Of course I no longer have a backup for that.
I can't see any traffic on the VIP's anywhere. How can you narrow down this error?
[mention]danbet [/mention] Do you also run OPNsense on Hyper-V?
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
Quote from: liceo on December 10, 2023, 09:28:30 AM
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
No, with VMware ESXi.
Ah, ok. But may you also try disable SR-IOV..
I have no such attitude. I can only choose SR-IOV passthrough as the network interface, but I chose E1000.
I'm seeing something similar on the 'inside' VIP but only for a Sonoff door sensor. If I configure the Sonoff unit to use the OPNSense physical IP of one of the units the Sonoff sensor starts working. I'm running OPNSense on Proxmox. What's really weird is only the Sonoff units are affected. I'll keep digging.
I find the solution for VMware ESXi: I had to enable the promiscuous mode for all the interfaces. For this I created port groups to use only for the VM's with OPNsense.
Quote from: liceo on December 10, 2023, 09:28:30 AMI was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
I just spent three days trying to figure out why my WAN VIP was working on one HyperV host, but not the other. Turns out I had SR-IOV enabled on one host's vSwitch and not on the other one. As soon as I deleted and re-created with SR-IOV turned off, everything started working. I'm running HyperV on Server 2022 if anyone runs into the same thing.
Thanks for sharing this!!
Chad
I have a situation where our hosting provider filters out the CARP protocol including the IPs with VHID.
But with a normal IP alias it works.
Had to write my own script that tracks the CARP IP on the LAN side and adds or removes IP aliases on the WAN interfaces, as soon as the CARP status changes on LAN.
So far it works reliably, but it's not 100% optimal...