Text only | Text with Images

OPNsense Forum

English Forums => High availability => Topic started by: mattes3344 on December 12, 2025, 08:30:18 AM

Title: CARP Backup Interface holds virtual IP
Post by: mattes3344 on December 12, 2025, 08:30:18 AM
Hello,

I have a problem with using CARP in unicast mode. When configuring CARP virual IPs with unicast communication, both the master and the backup device are holding the virtual IP.
My setup are two Opnsense 25.7.9_7 as VMs on different Hypervisors. Because of problems getting multicasts thru the virtual switches I tested with unicasts. But this results in the described problem.

This is how it looks on the VMs:

Code Select
root@fwint01-a:~ # ifconfig vtnet0
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: SRV (opt2)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:28:9d:5a
inet 10.5.200.2 netmask 0xffffff00 broadcast 10.5.200.255
inet 10.5.200.1 netmask 0xffffffff broadcast 10.5.200.1 vhid 10
inet6 fd01:1:1:c8::2 prefixlen 64
inet6 fe80::be24:11ff:fe28:9d5a%vtnet0 prefixlen 64 scopeid 0x1
carp: MASTER vhid 10 advbase 1 advskew 0
      peer 10.5.200.3 peer6 ff02::12
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>


root@fwint01-b:~ # ifconfig vtnet0
vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: SRV (opt2)
options=880008<VLAN_MTU,LINKSTATE,HWSTATS>
ether bc:24:11:54:9e:5a
inet 10.5.200.3 netmask 0xffffff00 broadcast 10.5.200.255
inet 10.5.200.1 netmask 0xffffff00 broadcast 10.5.200.255 vhid 10
inet6 fd01:1:1:c8::3 prefixlen 64
inet6 fe80::be24:11ff:fe54:9e5a%vtnet0 prefixlen 64 scopeid 0x1
carp: BACKUP vhid 10 advbase 1 advskew 50
      peer 10.5.200.2 peer6 ff02::12
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>

So the fwint01-b is in Backup mode, but holds the virtual IP. This results in DUPs when sending pings to the connected network.
tcpdump shows, that CARP packets are received on the Backup node.

Code Select
root@fwint01-b:~ # tcpdump -n -i vtnet0 -t vrrp -T carp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731772
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731773
IP 10.5.200.2 > 10.5.200.3: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 authlen=7 counter=8611856153861731774

How can this be? Did I something wrong?

Thanks in advance for your help

Regards
Text only | Text with Images