CARP WAN VIP not reachable

Started by liceo, December 08, 2023, 04:57:21 PM

Hi all

I set up a new HA cluster again, running on two Hyper-V boxes. I did the HA setup the same as my other installations, but this time I cannot reach the CARP VIP from the WAN side. It's a pretty standard setup, as follows:

  • Two OPNsense with LAN and WAN interfaces
  • MAC spoofing is enabled
  • Added a CARP VIP on both interfaces
  • Setup sync between HA pairs
  • Failover is working tested from the LAN
  • Ping to all Interfaces including the VIPs possible from LAN

What does NOT work now:

  • I can reach the real WAN IPs from the WAN transfer network but NOT the VIP
  • I cannot use the WAN VIP in the outbound NAT rule > Internet is not reachable anymore

I did recreate all the VIPs, recreate the outbound NAT rule, rebooted several times, checked the firewall logs, checked the tcpdump (not one packet to the WAN VIP..).

Any ideas??

Many thanks!

I have exactly the same problem. I have to give the physical interfaces the required IP address, then the OPNsense works. Of course I no longer have a backup for that.

I can't see any traffic on the VIPs anywhere. How can you narrow down this error?

December 09, 2023, 08:27:37 PM #2 Last Edit: December 09, 2023, 09:35:17 PM by liceo
@danbet Do you also run OPNsense on Hyper-V?

I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
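The two Hyper-V settings this thread turns on (MAC spoofing on the vNICs, and a virtual switch created without SR-IOV) can be audited from the host before rebuilding anything. This is an added example, not something posted in the thread; the VM names are assumptions, and the ESXi equivalent mentioned later in the thread (promiscuous mode on the port group) is not covered here.

```powershell
# Added example: report Hyper-V settings that commonly keep CARP traffic
# from reaching a VIP. Run on the Hyper-V host as an administrator.
$vmNames = @('opnsense-a', 'opnsense-b')   # ASSUMPTION: names of the two HA node VMs

foreach ($vm in $vmNames) {
    foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
        $findings = @()

        # CARP answers ARP for the VIP with the virtual MAC 00:00:5e:00:01:<VHID>,
        # so the vNIC must be allowed to send frames with a MAC other than its own.
        if ($nic.MacAddressSpoofing -ne 'On') { $findings += 'MAC spoofing is Off' }

        # SR-IOV hands the VM a VF that bypasses the virtual switch, which is why
        # the thread's fix was a switch created without IOV. IovEnabled is fixed
        # at switch creation time, so such a switch has to be recreated.
        if ($nic.SwitchName) {
            $switch = Get-VMSwitch -Name $nic.SwitchName -ErrorAction SilentlyContinue
            if ($switch -and $switch.IovEnabled) { $findings += 'switch has SR-IOV enabled' }
        } else {
            $findings += 'adapter not connected to a switch'
        }
        if ($nic.IovWeight -gt 0) { $findings += 'vNIC requests SR-IOV (IovWeight > 0)' }

        [pscustomobject]@{
            VM      = $vm
            Adapter = $nic.Name
            Switch  = $nic.SwitchName
            Status  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Remediation matching the thread (adjust names; these are assumptions):
#   Set-VMNetworkAdapter -VMName opnsense-a -MacAddressSpoofing On -IovWeight 0
#   New-VMSwitch -Name 'vSwitch-WAN' -NetAdapterName 'Ethernet 2' -EnableIov $false
```

After correcting the settings, a tcpdump on the OPNsense WAN interface should show CARP advertisements to 224.0.0.18 and ARP replies for the VIP carrying the 00:00:5e:00:01:xx MAC.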

Quote from: liceo on December 10, 2023, 09:28:30 AM
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.

No, with VMware ESXi.

Ah, ok. But maybe you could also try disabling SR-IOV..

I have no such attitude. I can only choose SR-IOV passthrough as the network interface, but I chose E1000.

I'm seeing something similar on the 'inside' VIP but only for a Sonoff door sensor. If I configure the Sonoff unit to use the OPNSense physical IP of one of the units the Sonoff sensor starts working. I'm running OPNSense on Proxmox. What's really weird is only the Sonoff units are affected. I'll keep digging.

I found the solution for VMware ESXi: I had to enable promiscuous mode for all the interfaces. For this I created port groups used only by the VMs with OPNsense.