Commit 7e827e0

Interfaces: Virtual IPs - some cleanups and add upcoming unicast option. closes #566
1 parent 111f6a4 commit 7e827e0

File tree

1 file changed

+25
-7
lines changed

source/manual/firewall_vip.rst

Lines changed: 25 additions & 7 deletions
@@ -59,7 +59,24 @@ More information about CARP can be found in our :doc:`high availability </manual
5959

6060
.. Note::
6161
CARP uses IP protocol number 112 (0x70), to detect priority it will send out advertisements using
62-
:code:`224.0.0.18` or :code:`FF02::12`.
62+
:code:`224.0.0.18` or :code:`FF02::12`. As of OPNsense 24.7 it's also possible to use unicast when infrastructure
63+
in between filters multicast packets.
64+
65+
.. Note::
66+
The source address CARP packets use can not be influenced from the firewall (usually it's the first address on the interface),
67+
when there's some filtering performed between both firewalls (e.g. a cloud portal), make sure to allow carp traffic
68+
from the actual sending address. You can use the packet capture when in doubt which address it is using.
69+
70+
.. Tip::
71+
Although we generally prefer multicast packets (default) for advertisements, as of OPNsense 24.7 unicast may also
72+
be chosen. Just make sure to enter a non carp target address on both machines.
73+
74+
75+
.. Tip::
76+
If you're debugging a CARP setup, consider raising the CARP system logging verbosity. This can be done by
77+
adding the :code:`net.inet.carp.log` with value :code:`2` tunable in System -> Settings -> Tunables.
78+
The logs can be seen in System -> Log Files -> General (kernel process) or by using :code:`dmesg`.
79+
6380

6481
**Combining CARP virtual IP types with IP aliases**
6582

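Review bot: the new Tip's instruction "enter a non carp target address on both machines" is too vague to act on; state what the field expects, namely the other node's real interface address, since a CARP virtual IP moves between nodes and cannot serve as a unicast destination, e.g. "enter the peer node's own interface address (not a CARP virtual IP) on both machines". The Note about the source address would also be more useful if it named what to allow, i.e. IP protocol 112 (the number the first Note already gives) from that sending address. Minor wording: "can not" should be "cannot", "carp traffic" and "non carp" should read "CARP traffic" and "non-CARP", and the Note and the first Tip both announce unicast as of 24.7, so one mention would do.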
@@ -83,11 +100,6 @@ setting the VHID field to the same number as the initial CARP VIP VHID:
83100
linearly in noise per virtual IP. Since the primary purpose of CARP is to react to link state changes, a single
84101
VHID acting for a single interface is the most efficient way to use the protocol.
85102

86-
.. Tip::
87-
If you're debugging a CARP setup, consider raising the CARP system logging verbosity. This can be done by
88-
adding the :code:`net.inet.carp.log` with value :code:`2` tunable in System -> Settings -> Tunables.
89-
The logs can be seen in System -> Log Files -> General (kernel process) or by using :code:`dmesg`.
90-
91103
..................
92104
Proxy ARP
93105
..................
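Review bot: this is a pure move; the removed Tip (86- to 89-) matches the block re-added in the first hunk word for word, so no content is lost. Removing the trailing blank (90-) while keeping line 85 leaves a single blank line before the "Proxy ARP" heading, consistent with the spacing used before the other headings in this file.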
@@ -120,11 +132,17 @@ Interface The interface this address belongs to.
120132
Type Either Network or Single address, only has affect when creating NAT rules,
121133
where **Proxy ARP** and **Other** combined with **Expansion** will generate
122134
separate addresses for all items in the netmask.
123-
Expansion When applicable, expand netmask to separate addresses.
124135
Address The address and netmask to assign, when assigning multiple addresses in the
125136
same network, the masks usually should match.
137+
Deny service binding Assigning services to the virtual IP's interface will automatically include
138+
this address. Check to prevent binding to this address instead.
139+
Peer (ipv4, ipv6) (OPNsense version >= 24.7) CARP Destination address to use when announcing,
140+
defaults to multicast, but can be configured as unicast address when multicast
141+
can not be used (for example with cloud providers)
126142
Gateway Only applies to **IP Alias** types, usually this field should be empty, except
127143
some tunnel devices (ppp/pppoe/tun) expect the gateway address to be defined.
144+
Disable Expansion Disable expansion of this entry into IPs on NAT lists
145+
(e.g. 192.168.1.0/24 expands to 256 entries).
128146
Virtual IP Password The password used to encrypt CARP packets over the network, should be the
129147
same on preferred master and backup node(s).
130148
VHID Group The Virtual Host ID. This is a unique number that is used to
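Review bot: the unchanged "Type" row (lines 120-122) still says Proxy ARP and Other "combined with **Expansion** will generate separate addresses", but this hunk replaces the "Expansion" field with "Disable Expansion", which inverts the default: entries now expand unless the box is checked. Reword that sentence to something like "where **Proxy ARP** and **Other** will generate separate addresses for all items in the netmask unless **Disable Expansion** is checked", and fix "only has affect" to "only has effect" while there. The new "Peer" row should state that the value must be the other node's interface address rather than a CARP virtual IP, and that the caveat from the first hunk's Note applies here too: filtering between the nodes must allow CARP (IP protocol 112) from this node's actual source address. Also capitalise "(IPv4, IPv6)" and end the Peer description with a full stop to match the other rows.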