OPNsense Forum

English Forums => High availability => Topic started by: clarknova on December 09, 2021, 12:12:05 am

Title: BFD doesn't work with CARP address
Post by: clarknova on December 09, 2021, 12:12:05 am
OPNsense 21.7.5
FRR plugin

I have a CARP pair of firewalls at two locations. There is a layer-2 connection between the two sites with CARP interfaces configured at both ends. Additionally, each firewall has a PtP Wireguard connection to both firewalls at the other site. Thus, each firewall has three connections to the far site: CARP, wg0 and wg1.

Each firewall has an interface group configured with--you guessed it--the layer-2 interface, wg0 and wg1. On this interface group I have created a pass rule for:

Proto: UDP
Source: <group> net
Destination: "This firewall"
Destination port: 3784, 3785 and 4784 (BFD ports alias)

When I create a BFD peer for the Wireguard address at the two ends of a tunnel, I see BFD "State Up" packets in both directions on the wg interface, as expected. But when I create a BFD peer for the CARP address on the master firewall at both ends of the layer-2 connection, I see BFD "State Down" packets from both directions on the layer-2 interface.

Why does BFD not work with a CARP address as peer? What is the recommended workaround? I could use the primary addresses as BFD peers, but I'm not sure what effect this would have on OSPF, which is configured to disable while the host is in CARP backup mode.
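To make the "State Up" / "State Down" observation above concrete, here is an added Python decoder for the mandatory BFD control packet header (RFC 5880, section 4.1) with constructed sample packets; it is not code from this thread, from OPNsense or from FRR. The discriminators and timer values in the samples are made up, and the port table mirrors the alias in the firewall rule above.

```python
import struct

# BFD session states and diagnostic codes as defined in RFC 5880.
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
BFD_DIAGS = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
    7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}
# The UDP ports from the firewall rule: single-hop control, echo, multihop control.
BFD_PORTS = {3784: "single-hop control", 3785: "echo", 4784: "multihop control"}


def parse_bfd_control(payload: bytes) -> dict:
    """Decode the 24-byte mandatory section of a BFD control packet (UDP payload)."""
    if len(payload) < 24:
        raise ValueError("BFD control packet shorter than 24 bytes")
    vers_diag, flags, detect_mult, length = payload[0], payload[1], payload[2], payload[3]
    if length > len(payload):
        raise ValueError("Length field exceeds payload")
    my_disc, your_disc, tx_us, rx_us, echo_us = struct.unpack("!IIIII", payload[4:24])
    state = BFD_STATES[(flags >> 6) & 0x3]
    # RFC 5880 s.6.8.6: Your Discriminator may only be zero in Down/AdminDown.
    if your_disc == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator is zero but state is %s; discard" % state)
    return {
        "version": vers_diag >> 5, "diag": BFD_DIAGS.get(vers_diag & 0x1F, "Unknown"),
        "state": state, "poll": bool(flags & 0x20), "final": bool(flags & 0x10),
        "detect_mult": detect_mult, "my_disc": my_disc, "your_disc": your_disc,
        "desired_min_tx_ms": tx_us / 1000, "required_min_rx_ms": rx_us / 1000,
        "required_min_echo_rx_ms": echo_us / 1000,
    }


def explain(pkt: dict) -> str:
    """What a persistent Down packet tells the operator about the session."""
    if pkt["state"] == "Up":
        return "session Up"
    if pkt["your_disc"] == 0:
        # The sender has never learned our discriminator: our packets are not reaching it.
        return "Down, peer never heard us (Your Discriminator = 0): check path and pass rule"
    return "Down, peer heard us; diag = " + pkt["diag"]


def build_bfd_control(state: int, my_disc: int, your_disc: int, diag: int = 0) -> bytes:
    """Constructed sample packet for testing (version 1, detect mult 3, 300 ms timers)."""
    header = bytes([(1 << 5) | diag, state << 6, 3, 24])
    return header + struct.pack("!IIIII", my_disc, your_disc, 300_000, 300_000, 0)


SAMPLE_UP = build_bfd_control(3, 0x1001, 0x2002)      # what the wg peers exchange
SAMPLE_DOWN = build_bfd_control(1, 0x1001, 0)         # what the CARP peers kept sending
```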

Title: Re: BFD doesn't work with CARP address
Post by: mimugmail on December 09, 2021, 08:05:47 am
CARP and BFD are tricky; usually with OSPF and BFD you don't even need CARP.

Title: Re: BFD doesn't work with CARP address
Post by: clarknova on December 09, 2021, 03:26:49 pm
Thanks. That makes sense. I should probably get this working without CARP on the OSPF-active interfaces.