- Once you have verified that the virtual IP interfaces are set up on your OPNSense units for the LAN interfaces, you will be able to reach the current-main unit from a shared IP web interface. In this case, this is https://192.168.8.254.
- Connect each OPNSense to the WAN1 router, which should result in each OPNSense unit getting an IP address from the DHCP server of the WAN1 router that we configured before based on its MAC addresses (no need to have static IP set on OPNSense for the WAN interfaces).
- Open the virtual IP of your OPNSense (or log in directly to the web interface of your primary unit), head to Interfaces → Overview and check that your WAN interface got an IP address and that the related CARP VHID group is linked to it.
- Let’s ensure that CARP for WAN1 has kicked in correctly. On each OPNSense unit, go to ‘Interfaces’ → Virtual IPs → Status.
- On the main unit, the CARP status should be ‘Master’:
- On the backup unit(s), CARP should indicate ‘Backup’:
Troubleshooting CARP on WAN interface
- If the above is different, go to Virtual IPs → Settings and double-check the following for this interface (i.e. WAN1):
- The VHID for this interface is the same on each OPNSense unit.
- The network address is the same on each unit (since they are sharing it).
- The password matches – re-type it on each unit.
- All units have the same advbase number.
- Switch to the ‘Advanced mode’ and set a higher number for ‘advskew’ on the backup units, leaving a low number on the main one (such as 50 on backup(s) versus 1 on the main).
- Go to Virtual IPs → Status, click ‘Temporarily disable CARP’ and then re-enable it. Let’s see if it kicks in this time.
- If your CARP troubles continue, most likely there is a firewall rule missing or misconfigured. On each OPNSense unit, go to ‘Firewall’ → ‘Rules’ and check that it is configured according to the guide earlier.
- Also, confirm that there are no NAT rules that could be interfering.
- Connect a computer directly to the WAN1 router. You will get a local IP on the WAN DHCP subnet, such as 192.168.80.22/24. Try pinging each OPNSense device’s WAN1 interface.
- CARP output – from each OPNSense unit’s shell, run ‘ifconfig | grep -A4 carp’ and compare the output. This is just another way, besides the GUI, to verify that the values match and that the advskew values are set up differently between main and backup(s).
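The comparison from the last step can be scripted. This is an added example, not part of the original guide: it assumes the FreeBSD `carp: STATE vhid N advbase N advskew N` line format, the sample outputs are constructed, and the function names are hypothetical. The CARP password is not shown by ifconfig, so it still has to be checked in the GUI.

```shell
#!/bin/sh
# Added example: compare the CARP lines captured from a main and a backup unit.
# Both samples are constructed; on real units capture them with: ifconfig | grep carp
MAIN_OUT='    carp: MASTER vhid 1 advbase 1 advskew 1
    carp: MASTER vhid 3 advbase 1 advskew 1'
BACKUP_OUT='    carp: BACKUP vhid 1 advbase 1 advskew 50
    carp: BACKUP vhid 3 advbase 1 advskew 50'

# carp_fields TEXT: reduce each "carp:" line to "vhid state advbase advskew"
carp_fields() {
    printf '%s\n' "$1" | awk '$1 == "carp:" {
        for (i = 3; i < NF; i += 2) f[$i] = $(i + 1)   # key/value pairs after the state
        print f["vhid"], $2, f["advbase"], f["advskew"]
    }' | sort -n
}

# carp_compare MAIN BACKUP: print one finding per mismatch, return 1 if any
carp_compare() {
    m=$(carp_fields "$1"); b=$(carp_fields "$2")
    { printf '%s\n' "$m" | sed 's/^/M /'; printf '%s\n' "$b" | sed 's/^/B /'; } | awk '
        NF == 5 && $1 == "M" { ms[$2] = $3; mb[$2] = $4; mk[$2] = $5 }
        NF == 5 && $1 == "B" { bs[$2] = $3; bb[$2] = $4; bk[$2] = $5 }
        END {
            for (v in ms) {
                if (!(v in bs)) { print "vhid " v ": missing on backup"; bad = 1; continue }
                if (mb[v] != bb[v]) { print "vhid " v ": advbase differs"; bad = 1 }
                if (mk[v] + 0 >= bk[v] + 0) {
                    print "vhid " v ": backup advskew must be higher than main"; bad = 1
                }
                if (ms[v] != "MASTER") { print "vhid " v ": main is " ms[v]; bad = 1 }
                if (bs[v] != "BACKUP") { print "vhid " v ": backup is " bs[v]; bad = 1 }
            }
            for (v in bs) if (!(v in ms)) { print "vhid " v ": missing on main"; bad = 1 }
            exit bad + 0
        }'
}

carp_compare "$MAIN_OUT" "$BACKUP_OUT" && echo "CARP settings consistent"
```

A finding such as "main is BACKUP" with matching settings points back at the firewall and NAT checks above rather than at the Virtual IP settings.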
Are you facing some challenges with your set up? Ping me in the comments below and we can troubleshoot it together 🙂
This concludes our rather extensive guide on how to set up OPNSense in HA (High Availability) with one or more WAN providers. If you would like, I can also cover the set up for WAN fail-over for more providers using OPNSense’s built-in multi-gateway support.