CARP implementation in weird setup

Started by mmaridev, March 31, 2023, 02:31:55 PM

Hi,
I'm trying to set up OPNsense to route public IPs to a specific interface but still keeping them subject to the firewall rules.

What's working

Setting up a static ARP on the WAN switch or manually telling the upstream to route through the OPNsense WAN IP. In this situation the WAN IP address of OPNsense is a CGNAT address /32 and it correctly receives packets for the public IPs. I then route add -host PUB.LI.C.IP -interface vtnet2 and set a rule to allow ICMP on WAN with destination PUB.LI.C.IP. From the outside I am then able to correctly ping the machine behind OPNsense. In this context, on vtnet2 OPNsense also has a CGNAT IP /32 and the VM has PUB.LI.C.IP/32 as IP and the OPNsense as far gateway.
The setup works just fine and accomplishes the goal of terminating the public IP on the VM without natting.

What's NOT working

The same setup but using CARP. I was trying to understand if it's possible to make this setup HA, so I started configuring a master node. I see, once I create a CARP IP from the Web GUI, a route for the public IP on lo0 gets created. I then have to drop this route in order to re-create it on vtnet2. This - apparently - somehow breaks the routing. At this point OPNsense can ping the VM on the LAN CGNAT IP and vice-versa, but pinging an external address from the VM results in no answer. From tcpdump I see ICMP replies hit the WAN interface but are never routed on vtnet2.

I might be wrong but I feel like it's just a small configuration issue, just can't figure out what's messed up.

Any help would be appreciated.
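A small diagnostic for the lo0-versus-vtnet2 route situation described above, added here as an example and not part of the original post or of OPNsense: it parses a FreeBSD-style "netstat -rn -4" dump and reports which interface the /32 host route for a public IP is bound to, so the route CARP places on lo0 can be told apart from the intended vtnet2 one. The routing table and the address 203.0.113.10 are constructed sample values; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post or from OPNsense.
# It parses a FreeBSD-style "netstat -rn -4" dump and reports which interface
# the /32 host route for a public IP is bound to, so the lo0 route that CARP
# creates can be told apart from the vtnet2 route the poster wants.
# Live use: check_host_route "$(netstat -rn -4)" PUB.LI.C.IP vtnet2
# The table below and 203.0.113.10 are constructed sample values.

SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            100.64.0.1         UGS       vtnet0
100.64.0.1/32      link#1             UHS       vtnet0
127.0.0.1          link#3             UH        lo0
203.0.113.10       link#3             UHS       lo0'

# route_iface TABLE DEST -> prints the Netif of the host route for DEST
# (matches "DEST" or "DEST/32"); prints nothing if there is no host route.
# The Netif column is located from the header, so an Expire column may or
# may not be present.
route_iface() {
    printf '%s\n' "$1" | awk -v d="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        $1 == d || $1 == d "/32" { print $col; exit }'
}

# check_host_route TABLE DEST EXPECTED_IF
#   returns 0: host route already on EXPECTED_IF
#   returns 1: host route still on lo0 (where the CARP VIP put it)
#   returns 2: host route on some other interface, or missing
check_host_route() {
    iface=$(route_iface "$1" "$2")
    if [ "$iface" = "$3" ]; then
        echo "$2: host route on $3 (ok)"; return 0
    elif [ "$iface" = "lo0" ]; then
        echo "$2: host route on lo0 (CARP default), expected $3"; return 1
    else
        echo "$2: host route on '${iface:-none}', expected $3"; return 2
    fi
}

# Demo on the constructed table: the CARP-created route is still on lo0.
check_host_route "$SAMPLE_ROUTES" 203.0.113.10 vtnet2 || echo "status $?"
```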