Replying to myself…
After having thought a bit more on how I wish my design to function, I realized that I need vIP (CARP) on each interface. That's fine.
Quite normal: an internet client wants to talk to IP #1, so it's not expecting a response from IP #2.
So, design v2:
vIP#1 --> pfsense #1, ISP#1 master
vIP#2 --> pfsense #1, ISP#2 master
vIP#3 --> pfsense #2, ISP#1 master
vIP#4 --> pfsense #2, ISP#2 master
(the other box being the passive node for each master, and vice versa)
Inbound NAT is (sample):
vIP#1 TCP 80 (dst) --> server #1
vIP#2 TCP 80 (dst) --> server #1
vIP#3 TCP 80 (dst) --> server #2
vIP#4 TCP 80 (dst) --> server #2
Outbound NAT is (following the same sample):
server #1 TCP 80 (src) --> WAN NIC #1 --> vIP#1
server #1 TCP 80 (src) --> WAN NIC #2 --> vIP#2
server #2 TCP 80 (src) --> WAN NIC #1 --> vIP#3
server #2 TCP 80 (src) --> WAN NIC #2 --> vIP#4
These being the same rules on both boxes.
So, to give a practical example:
Client wants to browse to vIP#3.
Reaches pfsense box #2 on WAN#1.
Translated to server #2.
Server #2 replies through pfsense #1 (master of the LAN vIP).
Server #2's reply goes out through WAN NIC#1, as there is already a TCP state for it in the state table (am I right here?).
Outbound NAT as vIP#3, since it's server #2 and it is on WAN NIC#1.
However, I need to add a reverse rule on the LAN interface, allowing traffic originating from the server with TCP 80 as src.
I need to test this further later on when I have enough vIP available on my secondary ISP (and there is another problem there, as they use static ARP entries in their systems... But that's another story), as currently I test on my primary ISP which is the default WAN for my pfsense firewalls. I will reply back here once it is confirmed as working on both WANs.
In the meantime, a question:
Is it normal that the reverse rule needs to be set up in the firewalls? Doesn't pfsync sync that info to the other nodes?
Guillaume