• CARP/HA, SYNC and XMLRPC SYNC explained

    Pinned
    1 Vote
    3 Posts
    14k Views
    Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
  • How to deal with VPN interfaces before starting XMLRPC Sync?

    0 Votes
    1 Post
    20 Views
    No one has replied
  • Virtual IP subnet IPs not expanding into NAT

    0 Votes
    5 Posts
    91 Views
    patient0
    @Barnzey90 do you have an account on https://redmine.pfsense.org/ to report the issue?
  • Query on HA and VIP

    0 Votes
    4 Posts
    129 Views
    @netblues: "you can't really have carp failover without 3 IPs in the same subnet"
    Depends, which is why I asked about it. We’ve set it up on Comcast/Xfinity using one shared static public IP and set the WAN IP on both routers in the default 10.1.10.x range. That works well. Docs cover only one IP but there’s no connectivity until failover: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp If WAN2 is really only DHCP though, then I don’t think there can be a shared IP.
  • Question about OpenVPN running on HA cluster on the CARP WAN on port 443

    0 Votes
    2 Posts
    90 Views
    @AlexMercer Move the webgui to 4443. Disable the webConfigurator anti-lockout rule. Disable the webConfigurator redirect rule. Add a specific rule for the internal interface (any LANish is good, preferably the one which is your dedicated management LAN) to port 4443. This hardening and consistency ensures that whatever goes wrong, any public WAN/443 combination won't ever reveal the webgui. Always remove excess rules: if you don't know why it is there, get rid of it.
  • Dynamic DNS + XMLRPC SYNC

    0 Votes
    3 Posts
    100 Views
    luckman212
    What is the recommended method of ensuring high availability of a service running on or behind an HA cluster then? Require running the DynDNS client on a separate system (not the firewall itself?)
  • No XMLRPC sync for rrd (Monitoring) settings, packages, Dashboard...

    0 Votes
    2 Posts
    1k Views
    luckman212
    Been about 4 years... anyone have any thoughts on this? Syncing packages seems like it should be table stakes at least.
  • On CARP switchover to secondary, *some* replicated states disappear

    0 Votes
    1 Post
    71 Views
    No one has replied
  • interface number mismatch

    0 Votes
    2 Posts
    85 Views
    @beloc The short answer is yes, you can edit the config file and upload. This can happen if interfaces are added out of order or inconsistently. Note the visible name label (MGMT below) is not necessarily the same as the internal name in the config file (opt4 below).
        <opt4>
            <descr>MGMT</descr>
            <if>igc3</if>
            <enable/>
            <spoofmac/>
            <ipaddr>x.x.x.x</ipaddr>
            <subnet>24</subnet>
        </opt4>
    Rules use the "opt4" name. States use the "igc3" name if "Interface Bound States" are used. If you find & replace, just be careful to not replace strings in other places such as certificates.
  • Two locations, two ISP (WAN) and HA setup

    0 Votes
    6 Posts
    350 Views
    @Jdwind I just meant, maybe duplicate their routing in the example.
  • Hetzner vSwitch subnet: second subnet receives no traffic

    0 Votes
    1 Post
    120 Views
    No one has replied
  • HAProxy: How to use custom ACLs

    0 Votes
    8 Posts
    552 Views
    @louis2 When you click on the three points on the upper right side, there should be an option to start a chat.
  • 0 Votes
    8 Posts
    544 Views
    @louis2 How about custom? And then an action. Yes, it is not intuitive or easy, and no, I don't have that much experience on that, but the options exist.
  • HA setup is flapping between primary and backup devices

    0 Votes
    2 Posts
    262 Views
    martimun
    So I disconnected the backup device and my network is back to normal (even though I haven't removed the CARP and HA settings yet). Just for the sake of testing, I configured two identical Steelhead CX770s with OPNsense and got the same results as with pfSense. I get the same results with two sets of completely different hardware! How can this be possible?! I thought it was the connection to the switch (since both firewalls connect to the same stack), but as soon as I remove the backup unit from the HA setup, all network connectivity is restored. Has anyone here encountered this problem before?
    Martin M. Mune
    US Army Combat Veteran, Operation Iraqi Freedom
    Volunteer Soldier, International Legion for the Defense of Ukraine
    Glory to Ukraine! Glory to the heroes!
  • Kea DHCP in HA mode random crashes.

    0 Votes
    2 Posts
    518 Views
    @UserCo I'm seeing something similar. I've had terrible luck with Kea DHCP in HA mode. It works, until it randomly doesn't. This last time for me the logging just stopped a day or two before I noticed, and the last message was that it couldn't reach the HA partner. The web UI showed that everything was fine; I restarted the services on both nodes and that did nothing. Ended up rebooting both to get it back.
  • WireGuard HA Sync to second PFS?

    0 Votes
    1 Post
    150 Views
    No one has replied
  • HA WAN Configuration - The first router to boot occupies all available IPs on the WAN interface

    0 Votes
    2 Posts
    258 Views
    @AaronH said in HA WAN Configuration - The first router to boot occupies all available IPs on the WAN interface:
    "When connecting the HA cluster, the first router to boot claims all of the available IPs on the subnet"
    So did you assign all available IPs to the router?
    "If we connect two laptops with the same IP addresses to the Comcast network, both can function as expected with no issues."
    Both with the same IP??
  • HA XMLRPC Error

    0 Votes
    3 Posts
    553 Views
    @timowevel Was there any solution? I am currently getting the same issue:
        XMLRPC Error
        A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.0.1.3:443.
        Error: stream_socket_client(): Unable to connect to tls://10.0.1.3:443 (Unknown error)
        stream_socket_client(): Failed to enable crypto
        stream_socket_client(): SSL: Handshake timed out
        @ 2025-10-21 12:36:54
    Primary node shows errors. Self-signed certs on both ends. Ping works both ends. HTTPS port responds at both ends. NTP is in sync.
    2.8.1-RELEASE (amd64) built on Tue Sep 9 12:29:00 EDT 2025, FreeBSD 15.0-CURRENT
  • CARP Troubleshooting

    0 Votes
    4 Posts
    643 Views
    @Deputize2180 Unicast is most probably the only viable test, but I doubt it will fix things. Most probably the ISP modem has issues with CARP and will never work properly. I'm not aware of any other tunable options either. (And I do hope I'm wrong.)
  • 0 Votes
    15 Posts
    2k Views
    w0w
    config-pfSense.home.arpa-20251018044835.xml.zip (u/p = admin/pfsense). In case you are installing in a VM, just import the machine into VirtualBox, install 2.8.1, then apply the configuration. pfsense28_small_export.7z Should result in:
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.