I use OpenVPN effectively, but I need to move the head system to a place where there a fixed IP is unavailable and DDNS is ineffective because of ISP ip changes, sometimes several within a very should period of time.

So I am looking at TailScale.

In 4 of my 5 locations I am using HA / CARP. With openVPN on pfSense there is provision for handling openVPN shutdown and restart when the backup server has to start and shudown.

I don't see any configuration for this in TailScale. Is there one that I am missing? If not will it be added?

Thanks,

Roy Eberhardt

My question is how can I route from one office to another office's backup firewall's LAN interface?

One thought has been to add a static route to the full internal IP address range (10.0.0.0/8) to the LAN CARP IP - and then perhaps have an OSPF filter to prevent that route from propagating - but I'm a little unsure of how to configure that.

Any other suggestions?
FWIW - I'm not syncing state because the firewalls are not identical hardware (at least at the moment)

Setup
2 pf nodes sharing a /29 public subnet. with carp.
Carp works as expected.
An internal host running a web server on port 80 exists on the lan interface.
Firewall rules are correctly adjusted to allow incoming traffic to port 80.
(to the internal ip)
No related firewall rules are used on nat.
If an ip is configured as carp, then port forwading 80 on this ip to internal port 80, doesn't work.
Making this an alias to the same wan interface works.

Downgrading to 25.07 makes carp nat work too.

I have a firewall (FW1) with the following interfaces:

• WAN
• LAN0
• LAN1
• LAN2
• OpenVPN1
• LAN3
• OpenVPN2
• pfSync

No I want to enable HA Features for a new firewall (FW2)

For firewall FW2 I can prepare all "real" interfaces beeing in the same order, but how to deal with virtual OpenVPN1 & 2 interfaces before activate XMLPRC Sync? I guess they will generated on FW2 after start XMLPRC Sync, isn't it?

How can I ensure that the interface orders are the same when I want do enable HA features years after starting with FW1

Kind regards

TL;DR: state and XMLRPC replication works great... then some, but not all - states disappear when the secondary takes over. When the primary takes over again, if not rebooted, the missing states are re-replicated and any hung connections resume. No apparent suspicious entries in the system log.

What works: in normal CARP pair operation, states are replicated - by inspection of the state table - about same number of by watching pfinfo. Spot checks also match, the VM configs are identical, including the interface names and enumeration order. When I do either a manual carp maintenance mode, or e.g. reboot the primary, the VIPs all migrate virtually instantly and as they should. If I'm 1/sec pinging a host routed through the firewall, it doesn't miss a ping on the takeover/giveback - good. There are no obvious errors in the system log during this process.

What doesn't work: even though the states are apparently replicated, just as the secondary takes over, it quietly drops 30-50% of its states by count. Not all, just some. If I'm logged in via TCP to that same host I'm pinging via firewall routing (requiring a state), that connection hangs until the primary takes over again. Manually inspecting the state tables for that host's IP on the backup/temp primary, all states for the host are among those that disappeared - so no surprise the connection hung. When I re-enable CARP and primary takes over again, state for that connection is re-replicated and data flows again. BTW this behavior occurs whether the VMs are on the same host or different hosts (latter the usual case for HW HA), so it's not a switch problem per se - seemingly already ruled that out. The loss of states appears to be occurring inside the secondary, because replication itself via the layers below, is otherwise working.

I've dug deep on the net for any clues, including running through the full CARP troubleshooting guide, including using unicast for state replication instead of the default directed multicast. (Both behave the same.) Still, something is causing loss of not all, but a portion of the states that were replicated and appeared in the secondary's state table. I don't see any clear pattern except that new(er) states seem to be the ones most likely lost.

I do use some policy routing on a couple internal interfaces, and tried disabling that with no behavior change. The topology here is pretty simple for the HA pair: a single WAN-facing interface towards my cable modem with outbound NAT enabled plus a handful of inbound port forwards, and several internal interfaces e.g. LAN, DMZ. One interface is dedicated to SYNC, has a wide-open firewall rule, and nothing about the interface seems to be a problem. All interfaces except SYNC host a CARP VIP. I am not using trunking inside pfSense but have brX devices on the host, one per VLAN defined via netplan. Once upon a time this worked seamlessly. I'm not aware of any config changes that would cause this.

I am running pfSense as a virtual machine connected to a Hetzner vSwitch (VLAN ID 4000).

I have two IPv4 subnets attached to the same Hetzner vSwitch (Layer-2 network):

• Existing subnet (working): 192.0.2.48/28
• Additional subnet (not working): 198.51.100.192/27

The pfSense VM has a single interface connected to this VLAN.

Current situation:

• pfSense is configured with an IP address from 192.0.2.48/28 on the interface
• This subnet works correctly (ICMP traffic is received, confirmed via packet capture)
• The additional /27 is shown in Hetzner as attached to the same vSwitch (not routed to the server’s public interface)

For testing purposes, I configured the IP 198.51.100.194 on the same pfSense interface using:

• Virtual IP (IP Alias)
• Virtual IP (Proxy ARP)

In both cases, pfSense does not receive any traffic for the 198.51.100.192/27 subnet.
A packet capture on the VLAN interface shows no ARP or ICMP traffic for addresses in the /27 subnet, while traffic for the /28 subnet is visible.

No NAT is involved; I only want pfSense to respond to ICMP for now.
Firewall rules allow ICMP to the interface and to the Virtual IP.

My question is:
What is the correct way in pfSense to handle multiple public subnets on the same VLAN/interface when they are delivered via a Hetzner vSwitch (Layer-2)?

Is IP Alias or Proxy ARP the correct approach in this scenario, or is some additional configuration required when multiple public subnets share the same interface?

Any guidance or similar experiences would be appreciated.

Thanks in advance.

I have a PfSense HA Setup using Wireguard Point-to-point with FRR/BGP to connect to 3 different Systems. The tunnels are setup on the CARP IP of the HA setup. Now I run into the problem, that I found no way to export/import or sync the Wireguard setup to Pfsense2.

Is there anything I oversee?

I need the same Keys and peers on the second Pfsense in case of the CARP switches to it. Otherwise I would have to create 3 extra Tunnels on Pfsense2?

Thank you for any hint.