[Solved] arp: xx:xx:xx:68:dd:f0 is using my IP address

[klingon888]

FW1-        xx:xx:xx:db:9b:4c
FW2-        xx:xx:xx:68:dd:f0
VLAN10-  192.168.10.1

I'm on v24.1.10_3 and set up CARP following Opnsense's docs and it seems to be working with auto fail-over.

BUT I keep getting this Notice in FW1 logs complaining about FW2 using its IP address:

Code Select Expand

<3>arp: xx:xx:xx:68:dd:f0 is using my IP address 192.168.10.1 on vlan0.10!

Due to this, my VLAN0.10 keeps getting disconnected. This goes away when I poweroff my FW2. How do I fix this? Thanks.

[Patrick M. Hausen]

Please post the interface configuration of both firewalls for that VLAN and the configuration of that CARP address.

[klingon888]

Please post the interface configuration of both firewalls for that VLAN and the configuration of that CARP address.

New to this... is there a specific shell command to do this or will screen shots do?

[Patrick M. Hausen]

Screen shots, please.

[klingon888]

The site wont allow me to paste screenshots, so I'm attaching .pdf of the screens.

[Patrick M. Hausen]

You can add images as attachments - I don't get why people have problems with this.

[Patrick M. Hausen]

The site wont allow me to paste screenshots, so I'm attaching .pdf of the screens.

You cannot have the same IP address on both firewalls in that VLAN 10 ...

[klingon888]

The site wont allow me to paste screenshots, so I'm attaching .pdf of the screens.

You cannot have the same IP address on both firewalls in that VLAN 10 ...

OK. I've attached jpeg's as attachments. Is this what you mean, set FW1 Static IP 192.168.10.1 and FW2 Static IP 192.168.10.2? Thanks.

[Patrick M. Hausen]

Yes, that's what I meant. What are you trying to achieve by giving both firewalls the same one? If it's failover, that's what CARP is for.

For each interface that shall provide a failover service you need

- a static address for FW 1
- a static address for FW 2
- a CARP address

The CARP address is what your client systems will use.

HTH,
Patrick

[klingon888]

Thanks for straightening me out  :D Guess I thought FW2 should be a replicate of FW1 with the exception of the CARP related config. Still learning.....

BTW, I guess some people like me have problems with "pasting" screenshots is prob because most sites just allow you to copy and paste screenshots. Whereas this site requires you to first save the screenshots as a file and then "pasting" them as file attachments.

[klingon888]

Another Q.. what about my Wireguard setup?

- Do I need to set a different "Tunnel Address"? My FW1 is 192.168.8.1/24. Do I need to set 192.168.8.2/24 for FW2?
- Do I set the "Depend On Carp" field to 192.168.1.1 which is my VIP LAN address?

[Patrick M. Hausen]

The addresses inside the tunnel should be the same as should be the AllowedIPs setting(s) for the peer(s). The endpoint address that your other side connects to should be a CARP address (on WAN, probably?) And that's the CARP VIP to depend on.