opnsense proxyarp and Neighbors

MohsenB · July 09, 2025, 02:46:32 PM

I setup opnsense HA with 2 servers, with proxyarp interfaces, but i have problem with proxyarp because both of opensenses advertise ARP from their interfaces and i had ARP confilect in my network and TTL expired in this problem(because some times master node found slave node mac address instead real mac address of IP),I tried resolve this problem with "Neighbors" and set the mac address of IP addresses statically.
but i found another problem ,in HA sync there isn`t any option for, master node sync "Neighbors" configs to backup node.
these are my questions:
1- can i use HA with proxyarp interface without set arp statically?
2- if i should use static arp, how can i sync "Neighbors" master and slave nodes?

alveston · July 09, 2025, 04:48:48 PM

For the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.

alveston · July 09, 2025, 04:50:30 PM

Quote from: alveston on July 09, 2025, 04:48:48 PMFor the 1st question: Can you use HA with Escape Road ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.

Syncing static ARP ("Neighbors") configs?

As others have done, you can move away from Proxy ARP entirely and use CARP.

MohsenB · July 12, 2025, 01:30:09 PM

Quote from: alveston on July 09, 2025, 04:48:48 PMFor the 1st question: Can you use HA with Proxy ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.

Yes, i have this problem , the master node ask mac address of a ip address that is in proxyarp subnet , the back up node answer it Owen mac and we have ttl expire , how can resolve this problem?

MohsenB · July 12, 2025, 01:31:02 PM

Quote from: alveston on July 09, 2025, 04:50:30 PM
Quote from: alveston on July 09, 2025, 04:48:48 PMFor the 1st question: Can you use HA with Escape Road ARP without static ARP?
Technically yes, but it's risky. In most cases, Proxy ARP with HA is unstable unless you implement some way of ensuring only the MASTER responds to ARP.

Syncing static ARP ("Neighbors") configs?

As others have done, you can move away from Proxy ARP entirely and use CARP.

i`m using CARP but i have problem

Patrick M. Hausen · July 12, 2025, 01:59:42 PM

Quote from: MohsenB on July 12, 2025, 01:31:02 PMi`m using CARP but i have problem

So what is the problem, exactly?

MohsenB · July 12, 2025, 03:31:13 PM

Quote from: Patrick M. Hausen on July 12, 2025, 01:59:42 PM
Quote from: MohsenB on July 12, 2025, 01:31:02 PMi`m using CARP but i have problem

So what is the problem, exactly?

i using the carp and proxyarp in same time on a interface but the backup node advertise mac address of ip addresses ,assigned to servers.

Can i disable proxyarp on backup node and enable it when it`s become master automatically ?
or
sync "Neighbors" between master and backup node?

Monviech (Cedrik) · July 12, 2025, 03:45:34 PM

Use Carp and Virtual IP address and put these virtual ip addresses in the same vhid group as Carp and they will move with master and backup.

MohsenB · July 12, 2025, 04:11:51 PM

Quote from: Monviech (Cedrik) on July 12, 2025, 03:45:34 PMUse Carp and Virtual IP address and put these virtual ip addresses in the same vhid group as Carp and they will move with master and backup.

i did this , but i have the problem yet.
My structure is same as below:

OPNSense Master:
LAN IP:192.168.0.2/24
LAN Proxyarp:192.168.0.0/24
LAN CARP VIP:192.168.0.1/24
vhid group:1
advskew:0
switch port:1(PrivateVLAN Promiscuous VLAN ID : 100)
--------------------------
OPNSense Backup:
LAN IP:192.168.0.3/24
LAN Proxyarp:192.168.0.0/24
LAN CARP VIP:192.168.0.1/24
vhid group:1
advskew:100
switch port:2(PrivateVLAN Promiscuous VLAN ID : 100)
--------------------------
Server
IP:192.168.0.100/24
Gateway:192.168.0.1/24
switch port:24(PrivateVLAN Isolated VLAN ID : 100)

in above structure when a client wants to access "Server" through "OPNSense Master" , the "OPNsense Backup" send owned mac to "OPNSense Master" instead "Server" , and "OPNSense Master" can`t find the real server.
i resolve this problem with "Neighbors" and set "Server" mac address statically , but unfortunately , OPNSense doesn't sync "Neighbors" between nodes in HA.
i want to know ,can i resolve this problem without "Neighbors" ? or if i must do it by "Neighbors" how can i sync the nodes "Neighbors" configuration?

viragomann · July 13, 2025, 08:58:49 PM

I'm wondering, what's the sense of Proxy ARP in your setup.

Quote from: MohsenB on July 12, 2025, 04:11:51 PMin above structure when a client wants to access "Server" through "OPNSense Master"

From the LAN or from another network segment?

opnsense proxyarp and Neighbors

MohsenB

July 09, 2025, 02:46:32 PM Last Edit: July 09, 2025, 02:49:11 PM by MohsenB

alveston

July 09, 2025, 04:48:48 PM #1

alveston

July 09, 2025, 04:50:30 PM #2

MohsenB

July 12, 2025, 01:30:09 PM #3

MohsenB

July 12, 2025, 01:31:02 PM #4

Patrick M. Hausen

July 12, 2025, 01:59:42 PM #5

MohsenB

July 12, 2025, 03:31:13 PM #6

Monviech (Cedrik)

July 12, 2025, 03:45:34 PM #7

MohsenB

July 12, 2025, 04:11:51 PM #8 Last Edit: July 12, 2025, 05:26:16 PM by MohsenB

viragomann

July 13, 2025, 08:58:49 PM #9