@Snailkhan said in WAN Gateway on Backup server in CARP shows down:

wan and lan has carp ip assgined

Just to be clear WAN and LAN should have their own unique IP addresses:

https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#wan-addressing

Each router should be able to get to the Internet even without CARP set up. That way they can, for instance, update pfSense while the other router is the Master.

And then the shared CARP IP is used for outbound NAT if you're using NAT:

https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#configure-outbound-nat-for-carp

Solution:

I connected the two PFS with a virtual Switch (VXLAN+IPSEC). For this i had to lower the MTU to 1360. Unfortunatelly the Adapter in PFSense was set to 1500 and not appling for the new MTU.

Setting down the MTU (in my case to 1360) manually in the SYNC-Interface-Options solved the problem.

@Snailkhan Have never seen that. Only one is Master?

You’re NATting to the shared LAN IP? What is that for?

@Snailkhan
Ensure that all interface pairs can communicate with the respective other node.

@Snailkhan
By default the primary interface IP is used for communication with other devices.

If you want pfSense to use the CARP VIP you have to add an outbound NAT rule to LAN or the respective interface and set the CARP VIP as translation address.

However, don't do this for any traffic! It would lead into issues with services running on both nodes, e.g. DHCP.
So limit the destination (IP and port) to the domain controller or whatever you need it for.

@SteveITS I would prefer not to add more gear for now, since this is temporary until I have two pfSense units and CARP. Maybe I'll just have both connected, but configure the 2nd one in case of longer downtime then.

i have the exact set up but not able to sync

@Sergei_Shablovsky said in How to make HA on 2 pfSense on bare metal WITH 4 x UPLINKS WANs ?:

Is that possible to use LACP also for CARP SYNC, if I have 2 interfaces of NICs for this purpose?

I don't think it is necessary, the SYNC interface doesn't use that much of traffic, as far as I'm concerned, firewall states and configuration changes only (If I'm wrong about this, please someone correct me).

And what about using LACP from firewalls to upstream switches (igb2 - igb5) ?

That would help only if your internet link is above 1Gbps. Although a single client would never go beyond 1Gbps anyway.
That setup above is considering intervlan traffic along with 1Gbps internet links, to don't bottleneck anything.

Another approach would be to update all the NICs in the computers to 2.5Gbps, get 2.5Gbps switches with 10Gbps uplink ports to the firewall, then connect the NAS to another 10Gbps port, use the remaining 2.5Gbps ports to connect to the ISP routers/gateways, if those have 2.5Gbps.
By doing like this, a single client would be able to reach 2.5gbps to the WAN.
You could also do LACP with 2.5Gbps ports.

And THANK YOU SO MUCH for networking passion and patience!

:) My pleasure

@louis2

I think separate back-ends for IPV4 and IPV6 are not necessary not even a good idea since the proxy has two completely isolated connections. One to the front end, one to the server.

So I decided to handle all server related connections via IPV4 since local IPV4 can not be reached from the internet.

That action already reduced the number of backends by a factor two 😊

@louis2

I worked around the problem by defining the mail-server addresses in my local DNS and using those names in the GUI. Never the less it is definitively not OK

Also note that I had the problem back when switching the health check on (to basic). Even more obscure switching the problem did persist when switching the health check off again.

No idea how the check should be done since there is no proper field to define the health check port number.