Print Page - CARP WAN VIP not reachable

Title: CARP WAN VIP not reachable
Post by: liceo on December 08, 2023, 04:57:21 PM

Hi all

I setup again a new HA cluster running on two Hyper-V boxes. I did the HA setup same as my other installations but this time i cannot reach the CARP VIP from the WAN side. It's a pretty standard setup at follows:

Two ONPSense with LAN and WAN Interfaces
MAC spoofing is enabled
Added a CARP VIP on both interfaces
Setup sync between HA pairs
Failover is working tested from the LAN
Ping to all Interfaces including the VIPs possible from LAN

What does NOT work now:

I Can reach the real WAN IPs from the WAN transfer network but NOT the VIP
I cannot use the WAN VIP in the outbound NAT rule > Internet is not reachable anymore

I did recreate all the VIPs, recreate the outbound NAT rule, rebooted several times, checked the Firewall logs, checked the TCPDump (not one package to the WAN VIP..).

Any ideas??

Many thanks!

Title: Re: CARP WAN VIP not reachable
Post by: danbet on December 09, 2023, 07:38:15 PM

I have exactly the same problem. I have to give the physical interfaces the required IP address, then the OPNsense works. Of course I no longer have a backup for that.

I can't see any traffic on the VIP's anywhere. How can you narrow down this error?

Title: CARP WAN VIP not reachable
Post by: liceo on December 09, 2023, 08:27:37 PM

[mention]danbet [/mention] Do you also run OPNsense on Hyper-V?

Title: Re: CARP WAN VIP not reachable
Post by: liceo on December 10, 2023, 09:28:30 AM

I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.

Title: Re: CARP WAN VIP not reachable
Post by: danbet on December 11, 2023, 10:42:10 AM

Quote from: liceo on December 10, 2023, 09:28:30 AM
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.

No, with VMware ESXi.

Title: Re: CARP WAN VIP not reachable
Post by: liceo on December 11, 2023, 11:02:49 AM

Ah, ok. But may you also try disable SR-IOV..

Title: Re: CARP WAN VIP not reachable
Post by: danbet on December 11, 2023, 03:39:13 PM

I have no such attitude. I can only choose SR-IOV passthrough as the network interface, but I chose E1000.

Title: Re: CARP WAN VIP not reachable
Post by: DervMan on March 04, 2024, 10:04:35 AM

I'm seeing something similar on the 'inside' VIP but only for a Sonoff door sensor. If I configure the Sonoff unit to use the OPNSense physical IP of one of the units the Sonoff sensor starts working. I'm running OPNSense on Proxmox. What's really weird is only the Sonoff units are affected. I'll keep digging.

Title: Re: CARP WAN VIP not reachable
Post by: danbet on April 22, 2024, 09:08:59 AM

I find the solution for VMware ESXi: I had to enable the promiscuous mode for all the interfaces. For this I created port groups to use only for the VM's with OPNsense.

OPNsense Forum

English Forums => High availability => Topic started by: liceo on December 08, 2023, 04:57:21 PM