• CARP/HA, SYNC and XMLRPC SYNC explained

    Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
  •
    @stephenw10 said in Incomplete VIP configuration on boot causing CARP failure (since 25.07 beta): Do you have two separate PPPoE links, one for each node then?
    Yes and no. Both nodes are configured for PPPoE with identical settings. I can bring up two PPPoE sessions to my ISP at the same time, but they likely don’t permit it, so I use a script that detects which HA node is Master and starts/stops the PPPoE session accordingly. The script has no impact during boot and includes a safety startup delay. I’ve tested with the script fully disabled — the behavior remains unchanged.
    @stephenw10 said in Incomplete VIP configuration on boot causing CARP failure (since 25.07 beta): Let me test.
    I tested this about two weeks ago, but I don’t remember the exact results because the run was interrupted by a continuous fatal trap, as you remember. I plan to re-run some tests—I don’t clearly remember the exact steps I took. There may be a link to the new PPPoE kernel module, but that’s just a guess.
  • Limit HA/CARP notifications

  • HA sync - `admin` user doesn't sync

    @patient0 lmao yea I forgot to check the box thanks. As for the original post "User privileges ( admin group ) don't sync" issue. I went and tested again on the latest pfsense plus 25.07.1-RELEASE and the issue is resolved. The issue wasn't happening on CE and I tested to confirm that it's not happening on 2.8.1 so all good here.
  • DNS resolution barely works on backup node
    So I'm back where I started following https://forum.netgate.com/topic/149472/solved-remote-dns-not-working-over-ipsec
    As WAN is not selected, primary works; internal and external DNS is reliable. Secondary is slow on the web interface and has basically no DNS:
    nslookup google.de
    ;; communications error to 127.0.0.1#53: timed out
    ;; Got SERVFAIL reply from 127.0.0.1, trying next server
    ;; communications error to ::1#53: connection refused
    ;; communications error to ::1#53: connection refused
    ;; no servers could be reached
    So the secondary firewall is basically not listening to DNS requests at all. I have now removed all DNS servers in general settings to only use the root servers. (Identical behaviour for SNMP monitoring; only the primary firewall can be monitored.)
  • Outbound NAT rule to CARP VIP Issue
    @wmw509 what did you set as the 'Address' in the 'Translation' section, the WAN CARP VIP? Did you set up HA on WAN and LAN? Can you post the relevant infos, like IPs/Subnets used for WAN and LAN, pfSense Version used, hardware or VMs, how is WAN getting the IP?
  • Best way to set up and maintain a cold spare for pfSense 2.8.0 CE
    @girkers said in Best way to set up and maintain a cold spare for pfSense 2.8.0 CE: How do others handle maintaining a cold spare so it’s ready to go at short notice?
    On my cold spare I load the current version of pfSense (and maintain it in the current series so configuration import is compatible).
    Load the configuration from the main unit. Most easily done via the GUI so interface reassignment can be easily seen. I do this both so plug and play will probably work, but also as a dry run in case a newer configuration has to be loaded in a hurry.
    Back up the main unit's configuration to a location accessible without a functioning pfSense router (to enable use during an emergency restore).
    I actually use my cold spare for other things when not needed as a router by running pfSense under Proxmox, but configuring dual boot would achieve similar functionality.
  • Documentation suggestion of NOT using /32 for the VIP seems wrong
    Alright, last post from me. Leaving it here so someone can find it. The documentation concerning CARP is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface." The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook.
    The distinction that I initially missed, but now have reread and understand, is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, then the network for that VIP should in fact be whatever that network is. Otherwise it should be a /32.
    Let's put it this way for a further understanding (pseudo interface configuration):
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.0.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.0.3/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    In the above example, if the OS chooses the VIP of 192.168.0.1/24 for packets sourced from Backup, Backup will never see the response, as they'll go to Primary instead. Going to Primary is the expected part. Source selection of 192.168.0.1 is the unexpected part. It's unexpected because the Netgate documentation is just wrong, as this VIP should have been a /32.
    Configuration where the VIP isn't a /32, for which Netgate is correct:
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.1.1/24 alias
    ifconfig em0.123 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.1.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
  • Possible pfSync issues
  • Dynamically route to a backend or a server from a backend?
  • HA DNS/Unbound Fails on Backup Node after CARP Failover (pfSense 2.8.0)
    @netblues The problem was with the outbound NAT rules. I had disabled our AD's VLAN so that it would connect to the internet using its own IP address rather than CARP, but I didn't realize that this would interfere. After enabling it, it worked correctly. Thanks for your help!
  • No failover when Gateway is offline
    @viragomann said in No failover when Gateway is offline: Both?
    No, only the WAN cable connected to the primary device.
    @viragomann said in No failover when Gateway is offline: In a HA CARP setup the backup node gets CARP advertisements from the master on each interface. If this is missing, then it takes over the master role.
    But why doesn't it always take over all the interfaces?
  • HAProxy configuration for roundcube
    @viragomann The solution was to change the DocumentRoot from /var/lib/roundcube to /var/lib/roundcube/public_html, courtesy of the Roundcube forum. This is where my internet searches were giving the wrong DocumentRoot.
  • Doubts on CARP/HA/DUALWAN
    I agree with WoW that, even though it can be done, it's a level of complexity I don't really need. If, in real-world experience, a server switch is triggered just because a cable gets unplugged, I’ll see how I can work around it. @netblues thanks a lot for showing me a possible solution to my concern! Thank you very much to both of you for sharing your knowledge and time!!
  • Dynamic dns don't work with carp ip
    @lbeard said in Dynamic dns don't work with carp ip: Done => https://redmine.pfsense.org/issues/16326
    Great, thanks
  • Hyper-V Failover Clustering
    @bimmerdriver You need one IP that can move between the routers. Technically both WANs can be private IPs…Comcast business allows for this even if their modem is bridged, then the shared IP is a public one. Maybe that helps.
  • multiple ISP/WAN interfaces
    @georgelza said in multiple ISP/WAN interfaces: I want to make it as simple as possible, without me becoming their IT department....
    Well, you ARE their IT department. Leave it as it is; if it works, why fix it?
  • Switches getting wrong MAC for CARP interface
    Just for reference: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#switch-layer-2-concerns "switch must...Allow traffic to be sent and received using multiple MAC addresses"
  • CARP Protocol Requests Blocked on pfSense 2.8.0 HA Setup
  • ISP CPE reboot causing problems
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.