High availability / CARP on WAN behaving weirdly...
« on: November 24, 2024, 11:04:00 pm »
Hi Everyone!
So, my setup is as follows:
2 OPNSense virtualized on Proxmox with 1 vNIC and 2 physical host NICs assigned.
The vNIC is trunked and has multiple vLANs crossing it, no issues there, everything's working wonderfully (CARP and the lot work fine there).
Then there's 1 NIC dedicated to the WAN connection (and this is the one that's acting a bit tricky... more in a sec) and 1 NIC dedicated to CARP between the 2 VMs.
CARP's vIP configured for the internal LAN networks (multiple vLANs) and everything's sort of alright... but the WAN connection is just acting weirdly.
Whenever I enable CARP on the backup machine, all vIPs get on BACKUP mode, but a few seconds (minutes) later, WAN gets into MASTER, while on the main Firewall, it's also at MASTER!
I've checked physical cables, I've checked firewall status and logs but nothing comes up really as being blocked at any point...
Attached are the images of the configs.
On the log I see this:
2024-11-24T19:26:56 Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (192.168.17.2) (2@igb0)" has resumed the state "MASTER" for vhid 2
2024-11-24T19:26:56 Notice kernel <6>carp: 2@igb0: BACKUP -> MASTER (master timed out)
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : core_trust_crl(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (1)
2024-11-24T19:22:35 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure crl (execute task : openvpn_refresh_crls(1))
2024-11-24T19:22:35 Notice opnsense /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member " (192.168.18.2) (10@vtnet0_vlan10)" has resumed the state "BACKUP" for vhid 10
An interesting aspect is that I don't even have OpenVPN configured, so I don't know wth openvpn wants with the lot but... OK...
I must admit I am lost... I don't know why this is happening and why it doesn't "see" that the other node has the WAN vIP up!
As a final point on the architecture explanation, in front of the 2 FW there's an ISP router which works absolutely fine and it has been working for years without a problem on the other *Sense firewall software.
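The kernel line in the log above ("BACKUP -> MASTER (master timed out)") is the one that matters: it means the backup node stopped receiving the master's CARP advertisements on that interface for longer than the master-down timeout, promoted itself, and from then on both nodes hold the WAN vIP. Below is a small parser, added here as an example and not part of the original post or of OPNsense, that reads CARP state-transition lines in the format the post shows, tracks the last state per vhid@interface, and flags timeout-driven promotions so they can be alerted on. The sample log is constructed: the first line is the post's own, the other two are made up in the same format for contrast.

```python
import re
from dataclasses import dataclass

# Matches the FreeBSD/OPNsense kernel CARP transition line format seen in the post:
#   <timestamp> Notice kernel <6>carp: <vhid>@<ifname>: <OLD> -> <NEW> (<reason>)
CARP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+kernel\s+<\d+>carp:\s+"
    r"(?P<vhid>\d+)@(?P<ifname>\S+):\s+"
    r"(?P<old>[A-Z]+)\s+->\s+(?P<new>[A-Z]+)\s+\((?P<reason>[^)]*)\)"
)

# Reason string the kernel uses when a backup promotes itself because it
# heard nothing from the master within the master-down timeout.
TIMEOUT_REASON = "master timed out"

# Constructed sample input. Line 1 is the post's kernel line; lines 2 and 3
# are constructed for illustration and were not in the original post.
SAMPLE_LOG = """\
2024-11-24T19:26:56 Notice kernel <6>carp: 2@igb0: BACKUP -> MASTER (master timed out)
2024-11-24T19:26:56 Notice kernel <6>carp: 10@vtnet0_vlan10: INIT -> BACKUP (initialization complete)
2024-11-24T19:30:10 Notice kernel <6>carp: 2@igb0: MASTER -> BACKUP (more frequent advertisement received)
"""


@dataclass(frozen=True)
class CarpEvent:
    timestamp: str
    vhid: int
    ifname: str
    old_state: str
    new_state: str
    reason: str

    @property
    def key(self) -> str:
        # The identifier the kernel uses, e.g. "2@igb0"
        return f"{self.vhid}@{self.ifname}"


def parse_carp_events(text: str) -> list[CarpEvent]:
    """Extract CARP state transitions; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CARP_LINE.match(line.strip())
        if not m:
            continue
        events.append(CarpEvent(
            timestamp=m["ts"],
            vhid=int(m["vhid"]),
            ifname=m["ifname"],
            old_state=m["old"],
            new_state=m["new"],
            reason=m["reason"],
        ))
    return events


def find_timeout_promotions(events: list[CarpEvent]) -> list[CarpEvent]:
    """Promotions caused by a missing master, i.e. the split-brain precursor."""
    return [e for e in events
            if e.new_state == "MASTER" and e.reason == TIMEOUT_REASON]


def last_state_per_vhid(events: list[CarpEvent]) -> dict[str, str]:
    """Final known state of each vhid@interface, in log order."""
    state: dict[str, str] = {}
    for e in events:
        state[e.key] = e.new_state
    return state


if __name__ == "__main__":
    evs = parse_carp_events(SAMPLE_LOG)
    for e in find_timeout_promotions(evs):
        print(f"ALERT {e.timestamp}: {e.key} promoted itself ({e.reason}); "
              f"check that advertisements from the master reach {e.ifname}")
    print("final states:", last_state_per_vhid(evs))
```

Run against the live log (for instance by piping `clog`/log output into `parse_carp_events`), a "master timed out" promotion on the node that should be BACKUP, while the other node still reports MASTER, confirms the multicast advertisements are not arriving on that interface; that narrows the hunt to the WAN segment (upstream switch or ISP router dropping 224.0.0.18 / IP protocol 112, or the Proxmox side of that NIC) rather than to the firewall rules.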