@netblues The problem was with the outbound NAT rules. I had disabled our AD's VLAN so that it would connect to the internet using its own IP address rather than CARP, but I didn't realize that this would interfere. After enabling it, it worked correctly. Thanks for your help!

@viragomann said in No failover when Gateway is offline: Both? No, only the WAN cable connected to the primary device. @viragomann said in No failover when Gateway is offline: In a HA CARP setup the backup node gets CARP advertisements from the master on each interface. If this is missing, the it takes over the master role. But why doesn't it always take over all the interfaces ?

@viragomann The solution was to change the DocumentRoot from /var/lib/roundcube to /var/lib/roundcube/public_html, courtesy of the Roundcube forum. This is where my internet searches were giving the wrong DocumentRoot.

I agree with WoW that, even though it can be done, it's a level of complexity I don't really need. If, in real-world experience, a server switch is triggered just because a cable gets unplugged, I’ll see how I can work around it. @netblues thanks a lot for showing me a possible solution to my concern! Thank you very much to both of you for sharing your konowledge and time!!

@lbeard said in Dynamic dns don't work with carp ip: Done => https://redmine.pfsense.org/issues/16326 Great, thanks

@bimmerdriver You need one IP that can move between the routers. Technically both WANs can be private IPs…Comcast business allows for this even if their modem is bridged, then the shared IP is a public. Maybe that helps.

@georgelza said in multiple ISP/WAN interfaces: I want to make it as simple as possible, without me becoming their IT department.... Well, you ARE their it department. Leave it as it is, if it works why fix it?

Just for reference: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#switch-layer-2-concerns "switch must...Allow traffic to be sent and received using multiple MAC addresses"

@patient0 Thank you very much for yours knowledges.

@SteveITS Thanks for the link. I had not considered the VIP stacking idea. I'm not sure how much of an issue my setup will have with VIP multicast traffic on my WAN link but good to know this technique is available to reduce some of that. Again, thanks for the link.

@stephenw10 said in How to make HA on 2 pfSense on bare metal WITH 4 x UPLINKS WANs ?: Well it would remove load from the firewall. So if you were under a DDoS attack and needed to still route between internal subnets that could be useful. But it wouldn't help with the attack itself much. Agree! Anyway for middle/big DDoS better to deal on local ISPs + CloudFlare level. Here no room for edge FW… :) Let me to note, if thinking in “Zero thrust” direction, also FW on end local node/service as “fine tuning firewalling” would be great, because each end node better know what particular (and how) need to be secured. So at the end we build 3-layered (as minimum) defense: ACLs on edge ASIC-based switches; pfSense as edge FW; PF/IPF/IPFW FW (sertificates, tokens, etc…) on end node/service; What do You think about this 3-layered scheme, @stephenw10 ?

Happy to report that I was able to upgrade both of my servers to CE 2.8 with no issues. Everything still works as expected.

So thought about this a bit and realize I'd need to have the CARP VIP on the LAN to if nothing more facilitate the failover state on the WAN in the case of a LAN failure. CARP on here fails together so would still want the CARP VIP IP on the LAN even if I don't technically need it for routing traffic. Still could use some help on getting the next hop for the default route learned by my switches to be the VIP address and not the LAN interface IP.

I thought there was a doc page on this but can't find it. Maybe it was a forum post. All I can say is, it's supposed to move both. https://docs.netgate.com/pfsense/en/latest/highavailability/test.html#test-carp-failover notably, "Unplug the WAN or LAN cable" (my bold) I tried a quick search and found some really old stuff like https://www.reddit.com/r/PFSENSE/comments/4yebk5/comment/d6s45xk/ but note Jim-P I'm pretty confident is https://www.netgate.com/blog/author/jim-pingle.