• CARP/HA, SYNC and XMLRPC SYNC explained

    Pinned
    3
    1 Votes
    3 Posts
    13k Views
    Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
  • Kea DHCP in HA mode random crashes.

    1
    0 Votes
    1 Posts
    58 Views
    No one has replied
  • HA XMLRPC Error

    3
    0 Votes
    3 Posts
    286 Views
    @timowevel Was there any solution? I am currently getting the same issue:
    XMLRPC Error
    A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.0.1.3:443. Error: stream_socket_client(): Unable to connect to tls://10.0.1.3:443 (Unknown error) stream_socket_client(): Failed to enable crypto stream_socket_client(): SSL: Handshake timed out @ 2025-10-21 12:36:54
    Primary Node shows errors
    Self-Signed Certs on both ends.
    Ping works both ends
    HTTPS Port Responds at both ends.
    NTP is in sync
    2.8.1-RELEASE (amd64) built on Tue Sep 9 12:29:00 EDT 2025 FreeBSD 15.0-CURRENT
  • CARP Troubleshooting

    4
    1
    0 Votes
    4 Posts
    151 Views
    @Deputize2180 Unicast is most probably the only viable test, but I doubt it will fix things. Most probably the ISP modem has issues with CARP and will never work properly. I'm not aware of any other tunable options either (and I do hope I'm wrong).
  • 0 Votes
    15 Posts
    532 Views
    w0w
    [image: 1760762744141-28314b2f-5d26-45d9-b6ae-381f978856b4-image.png] [image: 1760762785716-ee139398-adef-4d64-8ce4-bba8cce70782-image.png]
    config-pfSense.home.arpa-20251018044835.xml.zip (u/p = admin/pfsense)
    In case you are installing in the VM, just import the machine into VirtualBox, install 2.8.1, then apply the configuration.
    pfsense28_small_export.7z
    Should result in:
    [image: 1760763171045-f75dffbe-bbb2-4f11-87bb-4739d1928c76-image.png]
    vtnet0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: wan2
        options=900b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,LINKSTATE>
        ether 08:00:27:9d:bc:aa
        inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe9d:bcaa%vtnet0 prefixlen 64 scopeid 0x1
        inet6 fd17:625c:f037:2:a00:27ff:fe9d:bcaa prefixlen 64 autoconf pltime 14400 vltime 86400
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,TXCSUM_IPV6>
        ether 08:00:27:f9:2b:76
        inet6 fe80::a00:27ff:fe9d:bcaa%vtnet1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    vtnet2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: SYNC
        options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
        ether 08:00:27:77:b8:2c
        inet 10.0.222.1 netmask 0xffffff00 broadcast 10.0.222.255
        inet6 fe80::a00:27ff:fe77:b82c%vtnet2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    vtnet3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,TXCSUM_IPV6>
        ether 08:00:27:42:e3:96
        inet6 fe80::a00:27ff:fe9d:bcaa%vtnet3 prefixlen 64 scopeid 0x4
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    vtnet4: flags=1008802<BROADCAST,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether 08:00:27:67:ea:41
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0x0
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    pflog0: flags=100<PROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
    pfsync0: flags=1000041<UP,RUNNING,LOWER_UP> metric 0 mtu 1500
        options=0
        syncdev: vtnet2
        syncpeer: 10.0.222.1
        maxupd: 128
        defer: off
        version: 1400
        syncok: 1
        groups: pfsync
    lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN
        options=4800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,TXCSUM_IPV6>
        ether 08:00:27:42:e3:96
        hwaddr 00:00:00:00:00:00
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe42:e396%lagg0 prefixlen 64 scopeid 0xa
        inet6 fe80::1:1%lagg0 prefixlen 64 scopeid 0xa
        laggproto failover lagghash l2,l3,l4
        laggport: vtnet3 flags=5<MASTER,ACTIVE>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    lagg1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE,TXCSUM_IPV6>
        ether 08:00:27:f9:2b:76
        hwaddr 00:00:00:00:00:00
        inet6 fe80::a00:27ff:fef9:2b76%lagg1 prefixlen 64 scopeid 0xb
        laggproto failover lagghash l2,l3,l4
        laggport: vtnet1 flags=5<MASTER,ACTIVE>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    vtnet0.87: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: wifiap
        options=80000<LINKSTATE>
        ether 08:00:27:9d:bc:aa
        inet 10.0.87.2 netmask 0xffffff00 broadcast 10.0.87.255
        inet 10.0.87.5 netmask 0xffffff00 broadcast 10.0.87.255 vhid 3
        inet6 fe80::a00:27ff:fe9d:bcaa%vtnet0.87 prefixlen 64 scopeid 0xc
        inet6 fe80::1:1%vtnet0.87 prefixlen 64 scopeid 0xc
        groups: vlan
        carp: MASTER vhid 3 advbase 1 advskew 254
              peer 224.0.0.18 peer6 ff02::12
        vlan: 87 vlanproto: 802.1q vlanpcp: 0 parent interface: vtnet0
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    pppoe0: flags=1008851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN
        options=0
        inet6 fe80::a00:27ff:fe9d:bcaa%pppoe0 prefixlen 64 tentative scopeid 0xd
        groups: pppoec
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  • carp HA performance issue

    3
    0 Votes
    3 Posts
    123 Views
    @SteveITS I'm fully aware that a virtual IP doesn't have its own interface etc. It just BEHAVES as if it had one. Obviously, yes, CARP is operating correctly. [image: 1760670558061-ec557a82-5566-49bd-8e9e-87179c7ab9f7-image.png] [image: 1760670587951-4d4c2cc1-e78d-4ba9-af33-9753c8c19cae-image.png]
  • CARP Double Master (Previously 100% Stable Setup)

    1
    0 Votes
    1 Posts
    71 Views
    No one has replied
  • Setup issue with CARP VIP

    4
    0 Votes
    4 Posts
    134 Views
    @chiefsfan Can you post the config for the carp? Anything so someone else can verify all looks correct.
  • Limit HA/CARP notifications

    1
    0 Votes
    1 Posts
    85 Views
    No one has replied
  • HA sync - `admin` user doesn't sync

    3
    1
    0 Votes
    3 Posts
    206 Views
    @patient0 lmao yea, I forgot to check the box, thanks. As for the original post's "User privileges (admin group) don't sync" issue: I went and tested again on the latest pfSense Plus 25.07.1-RELEASE and the issue is resolved. The issue wasn't happening on CE, and I tested to confirm that it's not happening on 2.8.1, so all good here.
  • DNS resolution barely works on backup node

    16
    3
    0 Votes
    16 Posts
    1k Views
    So I'm back where I started following https://forum.netgate.com/topic/149472/solved-remote-dns-not-working-over-ipsec
    As WAN is not selected, primary works; internal and external DNS is reliable. Secondary is slow on the web interface and has basically no DNS:
    nslookup google.de
    ;; communications error to 127.0.0.1#53: timed out
    ;; Got SERVFAIL reply from 127.0.0.1, trying next server
    ;; communications error to ::1#53: connection refused
    ;; communications error to ::1#53: connection refused
    ;; no servers could be reached
    So the secondary firewall is basically not listening to DNS requests at all. I have now removed all DNS servers in General settings so as to only use the root servers. (Identical behaviour for SNMP monitoring: only the primary firewall can be monitored.)
  • Outbound NAT rule to CARP VIP Issue

    2
    1
    0 Votes
    2 Posts
    531 Views
    patient0
    @wmw509 what did you set as the 'Address' in the 'Translation' section, the WAN CARP VIP? Did you set up HA on WAN and LAN? Can you post the relevant info, like IPs/subnets used for WAN and LAN, pfSense version used, hardware or VMs, and how WAN is getting its IP?
  • Best way to set up and maintain a cold spare for pfSense 2.8.0 CE

    6
    0 Votes
    6 Posts
    3k Views
    @girkers said in Best way to set up and maintain a cold spare for pfSense 2.8.0 CE:
    How do others handle maintaining a cold spare so it's ready to go at short notice?
    On my cold spare I load the current version of pfSense (and maintain it in the current series so configuration import is compatible).
    Load the configuration from the main unit. Most easily done via the GUI so interface reassignment can be easily seen. I do this both so plug and play will probably work, but also as a dry run in case a newer configuration has to be loaded in a hurry.
    Back up the main unit's configuration to a location accessible without a functioning pfSense router (to enable use during an emergency restore).
    I actually use my cold spare for other things when not needed as a router by running pfSense under Proxmox, but configuring dual boot would achieve similar functionality.
  • Documentation suggestion of NOT using /32 for the VIP seems wrong

    5
    0 Votes
    5 Posts
    3k Views
    Alright, last post from me. Leaving it here so someone can find it. The documentation concerning CARP is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface." The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook. The distinction that I initially missed, but now have reread and understand, is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, then the network for that VIP should in fact be whatever that network is. Otherwise it should be a /32. Let's put it this way for a further understanding (pseudo interface configuration):
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.0.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.0.3/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    In the above example, if the OS chooses the VIP of 192.168.0.1/24 for packets sourced from Backup, Backup will never see the response, as they'll go to Primary instead. Going to Primary is the expected part. Source selection of 192.168.0.1 is the unexpected part. It's unexpected because the Netgate documentation is just wrong, as this VIP should have been a /32.
    Documentation where the VIP isn't a /32, for which Netgate is correct:
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.1.1/24 alias
    ifconfig em0.123 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.1.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
  • Possible pfSync issues

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dynamically route to a backend or a server from a backend?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HA DNS/Unbound Fails on Backup Node after CARP Failover (pfSense 2.8.0)

    5
    0 Votes
    5 Posts
    3k Views
    empbilly
    @netblues The problem was with the outbound NAT rules. I had disabled our AD's VLAN so that it would connect to the internet using its own IP address rather than CARP, but I didn't realize that this would interfere. After enabling it, it worked correctly. Thanks for your help!
  • No failover when Gateway is offline

    4
    0 Votes
    4 Posts
    3k Views
    @viragomann said in No failover when Gateway is offline: Both?
    No, only the WAN cable connected to the primary device.
    @viragomann said in No failover when Gateway is offline: In a HA CARP setup the backup node gets CARP advertisements from the master on each interface. If this is missing, then it takes over the master role.
    But why doesn't it always take over all the interfaces?
  • HAProxy configuration for roundcube

    5
    0 Votes
    5 Posts
    3k Views
    @viragomann The solution was to change the DocumentRoot from /var/lib/roundcube to /var/lib/roundcube/public_html, courtesy of the Roundcube forum. This is where my internet searches were giving the wrong DocumentRoot.
  • Doubts on CARP/HA/DUALWAN

    11
    0 Votes
    11 Posts
    3k Views
    I agree with WoW that, even though it can be done, it's a level of complexity I don't really need. If, in real-world experience, a server switch is triggered just because a cable gets unplugged, I'll see how I can work around it. @netblues thanks a lot for showing me a possible solution to my concern! Thank you very much to both of you for sharing your knowledge and time!!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.