opnsense 24.1.1 ha carp works, but a one interface of the backup node is master

[Dataaja95]

hi all
I just configured ha between two opsenses, it works really well except for one interface, this interface is a vlan, in both firewalls the interface numbering is the same opt3 and carp traffic is allowed in the firewall rules according to the opsense documentation, when I turn off the traffic of the other interfaces of the main firewall goes to the backup wall, but the traffic of this interface no, when I start the main firewall, the traffic returns to normal, but the status of the interface is the backup firewall is still master, it doesn't change anywhere
Because I don't use it
no static public ip addresses, I have had to solve the situation with a script that can be installed in opnsense, which turns off the wan port of the backup firewall, could this cause problems, on both firewalls the traffic on the lan interface works correctly
in phase., opsense logs say this

2024-02-19T16:07:26   Error   opnsense   /usr/local/etc/rc.syshook.d/carp/10-wancarp: enable interface 'wan' due CARP event 'MASTER'   
2024-02-19T16:07:26   Notice   kernel   <6>carp: 2@vlan02: BACKUP -> MASTER (master timed out)   

Here is the script I used, I thank everyone in advance for their help and the developers of opsense for being great
of the firewall system
https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc

[lshantz]

We may have a similar problem. I was hoping an admin would jump in and help out.

We have it set up as documented, but trying to use a single WAN static IP. I think this is what you are doing and we have found that the script that is out there takes the WAN interface down, but then it disappears. When bringing the primary FW back up, since WAN no longer exists, it just grabs the next interface in line. So obviously things have changed. I found that even after the fail over and returning it back, nothing worked. Even reboot. What I discovered was I had to go to WAn interface save and apply, and the gateway. Nothing had changed, but doing this caused it to start working again. So something gets changed in the background that does not show in the GUI.
Is it possible to get the CARP stuff updated so we can use it? My son says if I go to a FW version that supports this, I'm on my own, so need Opnsense to work.

[lshantz]

Darn, I can't edit the above. I forgot to add the link to the person that has worked on this issue. He had it working fine in 23.7, but things have since changed. A user seems to have a work around, but I have not tested yet.
https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc

[Dataaja95]

We may have a similar problem. I was hoping an admin would jump in and help out.

We have it set up as documented, but trying to use a single WAN static IP. I think this is what you are doing and we have found that the script that is out there takes the WAN interface down, but then it disappears. When bringing the primary FW back up, since WAN no longer exists, it just grabs the next interface in line. So obviously things have changed. I found that even after the fail over and returning it back, nothing worked. Even reboot. What I discovered was I had to go to WAn interface save and apply, and the gateway. Nothing had changed, but doing this caused it to start working again. So something gets changed in the background that does not show in the GUI.
Is it possible to get the CARP stuff updated so we can use it? My son says if I go to a FW version that supports this, I'm on my own, so need Opnsense to work.

I have a backup firewall
wan connection and lan work correctly, only the third interface which is vlan does not work as expected, but is master in the backup firewall even though it should be backup, so I don't have the other status at any point. Do you know who maintains this script, could you report it directly to them

[mimugmail]

In 80% of all scenarios where both firewalls are master on just one interface it's a missing VLAN in the switch. The 20% rest is igmp snooping on the switch which doesn't forward the multicast packets to the destination.

It's one of both ...

[Dataaja95]

In 80% of all scenarios where both firewalls are master on just one interface it's a missing VLAN in the switch. The 20% rest is igmp snooping on the switch which doesn't forward the multicast packets to the destination.

It's one of both ...

Thanks for this, the solution to the problem was very simple, I added vlan 20 to the switch port where the backup firewall
lan connection is and now everything works perfectly

2024-02-23T17:16:05   Notice   opnsense   /usr/local/etc/rc.syshook.d/carp/20-openvpn: Carp cluster member "virtuaalikoneet vip (192.168.3.1) (2@vlan02)" has resumed the state "BACKUP" for vhid 2   
2024-02-23T17:16:05   Notice   kernel   <6>carp: 2@vlan02: MASTER -> BACKUP (more frequent advertisement received)

[lshantz]

I wondered about that!! Dang.. I hope that does it. I'm using a cheap 4 port switch right now, but I can easily create a VLAN on my big managed switch and give it a try. I've got other fires right now, but anxious to try that.

Thanks!

[lshantz]

I'm trying to wrap my brain around the above information. How would creating a VLAN on a switch be any different than a simple 4 port switch. Would you mind explaining a little more how to accomplish this? So for instance, I have a physical cable from the primary and secondary, or master slave connected to the switch or vlan. (they can't be both master as you stated) Now you have the cable modem cable to this switch or VLAN. How is it any different? 

[mimugmail]

A stupid switch can still drop multicast packets or handle them different (or intelligent).
Thats why you need to disable igmp snooping to get this done, maybe your stupid switch does this out of the box.

You only can be save to interconnect both OPN devices in a maintenance window and check back and forth.

[lshantz]

Maybe  I'm confusing LAN vs WAN side. I am specifically talking about the WAN side. I'm sorry I was not more clear. The LAN side works fine.