[openstack][neutron][ovn] Cannot ping VIP without disabling port security
Hello,
I am setting up HA OPNsense on OpenStack, and here are the steps I followed.
I successfully configured CARP between two firewall instances, but from a PC in the same subnet as the VIP, I cannot ping the VIP address. When I capture traffic on the master firewall, I can see the ARP request and reply, but on my PC I do not see any reply packets.
I have also configured allowed_address_pairs with the VIP address on the member ports, but the VIP only responds when I disable port security.
Additionally, I created a port with the VIP address and assigned a floating IP to it. However, it does not work unless I disable the port admin state. When I repeatedly refresh the browser (press F5 many times), the traffic is redirected between the two firewall members, which means the connection does not remain persistent on the CARP master.
Is there any additional configuration required in OpenStack (Neutron / OVN) to properly support CARP VIPs without disabling port security?
Thank you for your assistance.
Nguyen Huu Khoi
We did a PCAP of a similar situation (A10 Networks load balancer VIPs) and having the VIP as an allowed address was only one part of the equation; your configuration may vary, but we found that the port also needed the allowed-address pairs of the client that it’s talking to, because it passes that traffic on; i.e. the VIP receives the traffic, and the back end doesn’t receive from the VIP, but from the client IP. In this way, the back end responds to the client (the A10 is the network gateway, which NATs out through the VIP for a complete return path).
Where these VIPs were for public networks (i.e. a website load balancer for a public API or similar) the allowed_address_pair had to be 0.0.0.0/0 if we were permitting any address on the internet to talk to the back end through the VIP. This was the alternative to completely disabling port security.
This might be similar to what you’re experiencing.
Kind Regards,
Joel McLean, Cyber Security and Product Development Manager, https://www.micron21.com/
From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> Sent: Tuesday, 10 March 2026 12:03 PM To: OpenStack Discuss <openstack-discuss@lists.openstack.org> Subject: [openstack][neutron][ovn] Cannot ping VIP without disabling port security
Hello. Would you tell me if you are using VRRP or CARP? It was set up with VRRP and allowed_address_pair, then it worked, but it seems it won't with CARP.
Nguyen Huu Khoi
On Tue, Mar 10, 2026 at 8:24 AM Joel McLean <joel.mclean@micron21.com> wrote:
Hi all,
In case the fail-over solution uses virtual MAC addresses, this should be included in Allowed Address Pairs also; not just the IP addresses.
Cheers, Kees
On 10/03/2026 03:43, Nguyễn Hữu Khôi wrote:
Hello,
I also added virtual MAC addresses and it is still not working; my PC doesn't see the ARP reply. It looks like Neutron dropped it. My VIP uses a Geneve network.
Nguyen Huu Khoi
On Tue, Mar 10, 2026 at 2:30 PM Kees Meijs | Nefos <keesm@nefos.com> wrote:
I see this won't support virtual MAC addresses in OpenStack 2025.1, but here: https://docs.openstack.org/releasenotes/neutron/unreleased.html
Nguyen Huu Khoi
On Tue, Mar 10, 2026 at 3:47 PM Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com> wrote:
Hi,
Maybe try creating a packet trace, or rather a packet dump, on both of your Compute Instances, and import those in Wireshark (or alike) for inspection? At least it would give you a concrete set of parameters regarding MAC and IP addresses, protocols and port numbers. Maybe there's even some multicasting at play also (don't know about CARP, but at least VRRP does in a default configuration).
Cheers, Kees
On 10/03/2026 09:47, Nguyễn Hữu Khôi wrote:
Hi. I see that in the latest Neutron release note:
- ML2/OVN now supports allowed address pairs with virtual MAC addresses. This functionality requires OVN v26.03, that includes the support for VRRPv3 protocol. In systems with older OVN versions, the port security for this specific allowed address pair will return an invalid syntax error and the port won’t accept traffic for the IP+MAC tuple, as it was happening before.
Many thanks for your help. :)
Nguyen Huu Khoi
On Tue, Mar 10, 2026 at 4:28 PM Kees Meijs | Nefos <keesm@nefos.com> wrote:
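An added example (not code from anyone in this thread) that turns Kees's point and the quoted release note into a check: given a member port as Neutron returns it, it reports which allowed_address_pairs the VIP still lacks (the VIP with the port's own MAC, and the VIP with the shared virtual MAC the CARP master answers from), then builds the PUT body and the equivalent openstack CLI calls. It assumes the virtual MAC follows the IANA VRRP/CARP convention 00:00:5e:00:01:<VHID>; the port id, MACs and VIP below are constructed placeholders.

```python
"""Find the allowed_address_pairs a CARP/VRRP member port still needs for its VIP.

Added example, not code from the thread. Assumes the port dict shape Neutron
returns for GET /v2.0/ports/<id> ("mac_address", "allowed_address_pairs") and
the IANA virtual-MAC convention 00:00:5e:00:01:<VHID> used by CARP and VRRP.
"""
import ipaddress


def virtual_mac(vhid: int) -> str:
    """IPv4 virtual MAC for a CARP VHID / VRRP VRID: 00:00:5e:00:01:xx."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def _existing(port: dict) -> set[tuple[str, str]]:
    """Existing pairs as (ip, mac); a pair without a MAC means the port's own MAC."""
    own = port["mac_address"].lower()
    return {(p["ip_address"], (p.get("mac_address") or own).lower())
            for p in port.get("allowed_address_pairs", [])}


def missing_pairs(port: dict, vip: str, vhid: int) -> list[dict]:
    """Two tuples must be accepted by port security: VIP + the port's own MAC
    (what the original poster already had) and VIP + the shared virtual MAC
    that the CARP master uses in ARP replies and VIP-sourced frames."""
    ipaddress.ip_address(vip)  # reject a malformed VIP before touching the API
    have = _existing(port)
    wanted = [(vip, port["mac_address"].lower()), (vip, virtual_mac(vhid))]
    return [{"ip_address": ip, "mac_address": mac}
            for ip, mac in wanted if (ip, mac) not in have]


def port_update_body(port: dict, vip: str, vhid: int) -> dict:
    """PUT /v2.0/ports/<id> body; the list is replaced wholesale, so keep old pairs."""
    pairs = port.get("allowed_address_pairs", []) + missing_pairs(port, vip, vhid)
    return {"port": {"allowed_address_pairs": pairs}}


def cli_commands(port: dict, vip: str, vhid: int) -> list[str]:
    """Equivalent CLI calls; 'port set --allowed-address' appends, one pair per call."""
    return [f"openstack port set --allowed-address ip-address={p['ip_address']},"
            f"mac-address={p['mac_address']} {port['id']}"
            for p in missing_pairs(port, vip, vhid)]


# Constructed sample: a member port that only has the VIP with its own MAC.
SAMPLE_PORT = {
    "id": "PORT-ID-PLACEHOLDER",
    "mac_address": "fa:16:3e:aa:bb:01",
    "allowed_address_pairs": [{"ip_address": "192.0.2.10", "mac_address": "fa:16:3e:aa:bb:01"}],
}

if __name__ == "__main__":
    for cmd in cli_commands(SAMPLE_PORT, "192.0.2.10", 5):
        print(cmd)
```

Per the release note quoted above, the IP+MAC pair is only honoured by ML2/OVN with OVN v26.03 or later; on older OVN it is rejected with a syntax error and the port still drops traffic for that tuple.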