# Possible Carp config issue?



## dipdill (Jun 21, 2017)

So I have 2 systems configured as gateways with natd, ipfw and both running carp for redundancy.  I have em0 as my internal network and em1 as public.

`ifconfig` on the one in backup shows:


```
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 52:54:00:e0:db:0e
        inet 192.168.1.114 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 9
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 9 advbase 1 advskew 150

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 52:54:00:73:f9:58
        inet 135.xxx.yyy.zzz netmask 0xffffffe0 broadcast 135.158.245.95
        inet 135.aaa.bbb.ccc netmask 0xffffffe0 broadcast 135.158.245.95 vhid 10
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: BACKUP vhid 10 advbase 1 advskew 150
```

My default route is 135.mmm.nnn.ooo. 

When this system is in Backup on the carp status, I cannot do anything through the em1 interface from the system.  I can still ssh into the physical IP on em1 from the outside, but once on the system I cannot get back out.  I have tried to traceroute, ping, curl, ftp, ssh, nothing goes through it.  Once I promote it to master, I get access through the port again.

Has anyone else had this problem?


----------



## SirDice (Jun 21, 2017)

I can't see anything obviously wrong with your configuration. We have something similar and I can access the default gateway even if the interface is in BACKUP state. Perhaps a firewall is blocking traffic from all addresses except the CARP address?


----------



## dipdill (Jun 21, 2017)

Firewall issue... 

`00050 divert 8668 ip4 from any to any via 135.aaa.bbb.ccc`

Is added from the natd.  So all traffic is being diverted to the down carp interface, or trying to send into the carp on the public side of the other system.  
Either way, adding `ipfw add 40 allow ip from 135.xxx.yyy.zzz to any` fixed the issue.

Thanks for leading me in that direction.
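The fix above works because ipfw evaluates rules in ascending number order and stops at the first match, so an `allow` at rule 40 for the physical address is consulted before natd's `divert` at rule 50 no matter which was added later. The following is an added example (not the poster's configuration or any FreeBSD code) that models that first-match behaviour in Python for the two rules quoted in the thread. It assumes `via <address>` resolves to the interface holding that address (em1 here), uses the placeholder addresses from the post plus constructed client and remote addresses, and treats the default rule as deny.

```python
# Toy first-match evaluator for ipfw-style rules (example code, not a real
# ruleset). It shows why "ipfw add 40 allow ip from <physical> to any" takes
# precedence over natd's rule 50 divert for traffic the gateway itself sends.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow", "deny" or "divert"
    src: str                   # source address, or "any"
    dst: str                   # destination address, or "any"
    via: Optional[str] = None  # interface the packet must traverse; None = unrestricted


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str                 # interface the packet is being sent out of


# ipfw's implicit rule 65535 denies unless the kernel/module was built to accept.
DEFAULT_ACTION = "deny"


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every constraint of the rule."""
    if not _addr_matches(rule.src, pkt.src):
        return False
    if not _addr_matches(rule.dst, pkt.dst):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match semantics: rules are tried in ascending number order and the
    action of the first one that matches is returned, regardless of the order
    in which the rules were added."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return DEFAULT_ACTION


PHYSICAL_IP = "135.xxx.yyy.zzz"   # em1's own address (placeholder from the post)
CARP_IP = "135.aaa.bbb.ccc"       # shared CARP address on em1 (placeholder from the post)
PUBLIC_IFACE = "em1"              # assumption: the interface that holds CARP_IP

# Rule 50 as natd installed it: "divert 8668 ip4 from any to any via 135.aaa.bbb.ccc".
# 'via <address>' selects the interface holding that address, modelled here as em1.
NATD_DIVERT = Rule(50, "divert", "any", "any", via=PUBLIC_IFACE)
# The fix from the post: "ipfw add 40 allow ip from 135.xxx.yyy.zzz to any".
ALLOW_PHYSICAL = Rule(40, "allow", PHYSICAL_IP, "any")


def ruleset_before_fix() -> List[Rule]:
    return [NATD_DIVERT]


def ruleset_after_fix() -> List[Rule]:
    # Listed in the order an admin would add them: 50 already exists, 40 comes later.
    return [NATD_DIVERT, ALLOW_PHYSICAL]


# Constructed sample traffic: the gateway reaching out from its physical address,
# and an internal client whose traffic still needs NAT (203.0.113.10 and
# 192.168.1.50 are made-up addresses for this example).
GATEWAY_OUTBOUND = Packet(PHYSICAL_IP, "203.0.113.10", PUBLIC_IFACE)
CLIENT_OUTBOUND = Packet("192.168.1.50", "203.0.113.10", PUBLIC_IFACE)


def decisions(rules: List[Rule]) -> dict:
    """Action chosen for each sample packet under the given ruleset."""
    return {
        "gateway_outbound": evaluate(rules, GATEWAY_OUTBOUND),
        "client_outbound": evaluate(rules, CLIENT_OUTBOUND),
    }


if __name__ == "__main__":
    print("before fix:", decisions(ruleset_before_fix()))
    print("after fix: ", decisions(ruleset_after_fix()))
```

Before the fix both packets hit the divert rule, so the gateway's own traffic is handed to natd and rewritten to the CARP address; after the fix the gateway's traffic is allowed at rule 40 while client traffic still reaches rule 50 and is NATed as intended.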


----------

