CARP on Unnumbered WAN Interfaces Causing Split Brain on Failover

Started by alfred, March 28, 2025, 09:40:24 AM

Hi everyone,

I'm working with an ISP that provides a /30 WAN link, and I'm trying to implement failover of the single public IP allocated to me between two OPNsense firewalls.

So far, I've tried several configurations:

  • CARP VIP on unnumbered WAN interfaces using the standard multicast address
  • CARP VIP on unnumbered WAN interfaces using a LAN unicast address
  • Adding a /30 RFC1918 address to both WAN interfaces and assigning the public /30 as a CARP VIP


Each setup appears to come up cleanly at first. However, after a failover from master to standby and then back, I consistently encounter a split-brain scenario that doesn't resolve itself.

I've read through multiple threads here and elsewhere online, but haven't found a configuration that works reliably.

What's puzzling is that I've successfully set up CARP on unnumbered interfaces in the past using OPNsense 22.1.10, which worked out of the box. Notably, that version didn't have any explicit multicast configuration options. On the current version, though, I keep running into this issue regardless of what I try.

Has anyone managed to get this working reliably on recent OPNsense releases? I'd really appreciate any insights or workarounds.

Thanks!