@jcubillo
Replying to myself since a friend found this answer and might help somebody else in the future:

"""
You need to install the System Patches package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
And apply Patch ID 7dbe76cd5756082cbd67db1b93acb606ad84996e

Then you need to reinstall the FRR package.
see https://redmine.pfsense.org/issues/11290#note-12
"""

This is from:
https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade/8

I did exactly that and now Zebra follows the CARP VHID status.

@phurious those all look like out of state blocks.. they are all R or FA, etc. I don't see any Syn blocks.

If you renabled the firewall while it would be expected to see out of state traffic until the devices all recreate sessions with syn and new states are created.

@pille99
hello again.
what i completly forgot to mention. the external IP is bound to a MAC. so, the esx has the interfaces with MAC configured and working. as i have seen, the mac address can only be entered at the interface page.

@dutch317 I ran into this, looks like pfsense writes the config file incorrectly?

edit /var/etc/miniupnpd.conf file, look for the listening_ip line, on my install there were 2 lines, one line per interface. This is incorrect.

The format is one listening_ip= line and then the interfaces separated by a space. I changed my file to have this,

listening_ip=igb1 igb3

then I went into the gui for miniupnp service and restarted. The interface index not matching errors went away. Hope this helps.

Hi @andyp, did you resolve this?

I also have this issue with a Vodafone broadband line - that assign a single static IP and routed IPs but DHCP does not deliver the static.

Thanks.

@milenkoc Thank you very much

RESOLVED:

Answering my own thread to give the solution for other people looking into this problem in the future.

Just for the reference this is all for the pfSense plus 21.05.2-RELEASE.

For some reason this will work if you change the Firewall filtering to be done at the VTI interface level instead of at the enc0 interface level. You can change this if you go to the VPN -> IPSec select your Routed VTI phase 2 connection settings and got to the Advanced and change the "IPsec Filter Mode" setting to "Filter IPsec VT on assigned interfaces, block all tunnel mode traffic".

Note: Of course with this setting you will have to go to the Firewall -> Rules and add the necessary ruled under your VTI interface tab (that just showed up instead of the IPSec tab that was there by default when filtering was being done at the enc0 interface level).

Note2: this will only work if you have only Routed IPSec connections and will break all your policy based IPSec connections.

@viragomann said in WAN Failover on packet loss:

What pfSense indicates as member down depends on the configured threshold settings.

If you're not happy with the preset values go to System > Routing > Gateways, edit the gateway settings, display the advanced options and change it to fit your needs.

Sweet. Thanks. Missed that knob.

@johnpoz Thank you. That was it.

@popquiz so with your any rule on lan.. There should be no reason you should not be able to talk to anything on opt2 no matter what the IP is.

Your saying from device on lan you can ping opt2 pfsense address 204.150.150.145?

But you can not ping a device on this network, say .146

Can pfsense itself ping this .146 address?

If so I would suggest a sniff - from your lan device get a ping going to the .146 address, do you see pfsense sending that out on opt2?

You can do a simple packet capture under the diagnostic menu, on the opt2 interface. If you see traffic going out the opt2 interface.. But no response - that points to this opt2 device not pointing to pfsense .145 address as its gateway. Or it is running a firewall.

@lfred yeah in the data sheet they use the term "Layer 2+/Lite L3 features"

If you would of just used it as L2 and done routing on pfsense between your vlans/networks you would of had far less trouble..

Routing at the switch level is almost never needed in any sort of home setup.. Unless what you have doing your routing is not really capable of routing at wirespeed.. And you really want some devices on their own vlans. But your really going to have way less ability to actually firewall between these segments. Even with a fully managed L3 switch, I have one the ability to limit traffic between these vlans is difficult and convoluted.

If you want to try vlans again - there are many entry level smart switches that can do vlans in the $40 price range.. which prob way less than that netgear you had.

It seems like this problem is still with pfsense. Any improvements on this issue?

@atari
It just seems to be disabled.

Simply point the mouse over the check mark next to the trash at the right side and click to re-enable it.

@kasproso
https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#nat

NAT 1:1 does network address translation on both, inbound and outbound traffic.
The interface you want apply this might be WAN rather than an internal interface, naturally.