• User privileges ( admin group ) don't sync.

    2
    0 Votes
    2 Posts
    345 Views

    I am seeing a similar problem on pfSense+ 24.11 (patches applied).

    The ADMIN group is being REMOVED from user rights assignments on secondary/backup HA cluster members any time the password is changed on the primary member.

    I am having to log on to the secondary members and manually add the user(s) back to the ADMIN group.

    This is not desired behavior, and I confirmed it is not happening on CE 2.7.2 (patches applied).

  • Custom CARP failover script - Not working?

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • 0 Votes
    6 Posts
    901 Views

    @mike_vc

    I used to have this issue too, so on every new firewall I set up, I always make sure to add the following values under System, Advanced, System Tunables:

    net.inet.carp.preempt 1
    net.inet.carp.ifdown_demotion_factor 240

    Also, make sure that the primary firewall's CARP skew is 0, and the backup firewall's CARP skew is 100.

  • SYNC interfaces keeps being overwritten

    2
    0 Votes
    2 Posts
    380 Views

    @michmoor OK, I know the problem. OPT interfaces are mismatched. I don't know how to align the OPT interfaces so the master and backup are in sync.

  • HAProxy backend hostname issues

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
  • HA Proxy, same server multiple ports (Turnkey Linux)

    4
    0 Votes
    4 Posts
    530 Views

    @CreationGuy
    That's not a problem. However, you have to configure a separate backend for this. Then you can configure a frontend rule to forward certain traffic to it.

    Actually you have all three services within a single backend pool, all in active mode. Hence you cannot determine which per rule.
    HAproxy can only load balance between these backends this way.

  • HAproxy 503 error on secondary domain

    10
    0 Votes
    10 Posts
    1k Views

    I got it working after creating a new server to replace the one serving butiktrip.2nd

  • strange connectivity errors in HA

    8
    0 Votes
    8 Posts
    801 Views

    @viragomann
    Hi viragomann,

    Thank you very much for your time and investigation. Your answer was very important in bringing me back to the correct path for debugging. The reason why clients can't reach the internet was an inconsistent configuration of pfBlockerNG between the two HA members. I've ignored errors like this:

    /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_BinaryDefense_v4' for rule 'NAT Allow HTTPS_2_xxxxxxxx'
    Dec 14 16:17:17 svrfw02 php-fpm[32037]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_DNSBLIP_v4' for rule 'NAT Allow HTTP_2_xxxxxxxx'
    Dec 14 16:17:17 svrfw02 php-fpm[32037]: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_DNSBLIP_v4' for rule 'NAT Allow HTTPS_2_xxxxxxxx'
    Dec 14 16:17:18 svrfw02 php-fpm[32037]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:299: syntax error - The line in question reads [299]: rdr on lagg1.808 inet proto tcp from ! to 83.x.x.54 port 443 -> $SERVER_xxxxxxxx

    After fixing this, switching between CARP members works correctly.
    Again, thank you for your assistance !!!!!

  • 0 Votes
    1 Posts
    201 Views
    No one has replied
  • Secondary machine freezes up.

    1
    0 Votes
    1 Posts
    249 Views
    No one has replied
  • ssh/webapp unavailable when in BACKUP mode

    1
    0 Votes
    1 Posts
    227 Views
    No one has replied
  • HA Config BIND DNS sync setup problem

    17
    0 Votes
    17 Posts
    3k Views

    @kiokoman

    After years, new internet provider, same problem. We have managed to switch our rack-hosted server to HA, and the same config worked perfectly on the other ISP network. So the problem is related to the internet provider, but sadly they say everything is OK... But it works, so the config is okay, just need a good ISP endpoint :D

  • 0 Votes
    1 Posts
    170 Views
    No one has replied
  • WAN Gateway on Backup server in CARP shows down

    3
    0 Votes
    3 Posts
    294 Views

    @SteveITS said in WAN Gateway on Backup server in CARP shows down:

    https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#wan-addressing

    Hi @SteveITS
    Thanks for the prompt response. I have assigned unique IPs on the WAN port of each pfSense box, and a unique IP on the LAN of both pfSense boxes.

    Yet when a pfSense box is in Backup mode I cannot get to WAN from it. All pings from it fail. I cannot even get ping replies when I ping the WAN IP of another pfSense which has a wide open rule on that interface.

  • HA Sync does not work (Error: Operation timed out)

    2
    0 Votes
    2 Posts
    660 Views

    Solution:

    I connected the two PFS with a virtual Switch (VXLAN+IPSEC). For this I had to lower the MTU to 1360. Unfortunately the Adapter in PFSense was set to 1500 and not applying the new MTU.

    Setting down the MTU (in my case to 1360) manually in the SYNC-Interface-Options solved the problem.

  • no internet browsing via pfsense ha

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • dup on ping to external ip in carp setup

    2
    0 Votes
    2 Posts
    187 Views

    @Snailkhan Have never seen that. Only one is Master?

    You’re NATting to the shared LAN IP? What is that for?

  • HA failover in case of one member interface down

    2
    0 Votes
    2 Posts
    238 Views

    @Snailkhan
    Ensure that all interface pairs can communicate with the respective other node.

  • LAN communication via CARP IP

    2
    0 Votes
    2 Posts
    234 Views

    @Snailkhan
    By default the primary interface IP is used for communication with other devices.

    If you want pfSense to use the CARP VIP you have to add an outbound NAT rule to LAN or the respective interface and set the CARP VIP as translation address.

    However, don't do this for any traffic! It would lead to issues with services running on both nodes, e.g. DHCP.
    So limit the destination (IP and port) to the domain controller or whatever you need it for.

  • HA/CARP with two WAN same /29

    3
    0 Votes
    3 Posts
    304 Views

    @SteveITS I would prefer not to add more gear for now, since this is temporary until I have two pfSense units and CARP. Maybe I'll just have both connected, but configure the 2nd one in case of longer downtime then.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.