Hello,

I am setting up HA OPNsense on OpenStack, and here are the steps I followed.

I successfully configured CARP between two firewall instances, but from a PC in the same subnet as the VIP, I cannot ping the VIP address. When I capture traffic on the master firewall, I can see the ARP request and reply, but on my PC I do not see any reply packets.

I have also configured allowed_address_pairs with the VIP address on the member ports, but the VIP only responds when I disable port security.

Additionally, I created a port with the VIP address and assigned a floating IP to it. However, it does not work unless I disable the port admin state. When I repeatedly refresh the browser (press F5 many times), the traffic is redirected between the two firewall members, which means the connection does not remain persistent on the CARP master.

Is there any additional configuration required in OpenStack (Neutron / OVN) to properly support CARP VIPs without disabling port security?

Thank you for your assistance.


Nguyen Huu Khoi