• Virtual Ip on Pfsense not working on Hetzner dedicated server

    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • Giving public ip addresses to servers behind pfsense

    pfsense routing
    4
    0 Votes
    4 Posts
    754 Views
    Derelict
    Yes. Just like you would with an rfc1918 network. If they routed 1.1.1.0/25 to you: Interface: 1.1.1.1 /25 Usable: 1.1.1.2 - 1.1.1.126 They'd set 1.1.1.1 as the gateway. Or you could configure DHCP to hand out the addresses if you wanted. You could also just use a /26, /27, /28, /29, /30, /31 on the inside interface and use the rest of the space for other purposes.
  • Captive portal CARP sync logged in users

    3
    0 Votes
    3 Posts
    536 Views
    Mr_JinX
    @derelict You know what, you're right, sometimes the simplistic idea is the best one. Thank you
  • Proxy ARP coexist with Alias/CARP?

    2
    0 Votes
    2 Posts
    489 Views
    jimp
    As long as you are not using it with an HA cluster, you could add an IP alias or CARP VIP inside the proxy ARP range without (many) issues. I would use IP alias only, not CARP VIP. With a CARP VIP there is a potential that equipment on the segment would get different ARP responses for the address. IP alias would be the same as Proxy ARP. If it's for HA, then toss out proxy ARP entirely.
  • HA Restrictions XG-7100-U

    4
    0 Votes
    4 Posts
    1k Views
    J
    @teamits this is what support has suggested and I will be doing that. THANKS! From support: ix0 and ix1 will sense interface down/up as they are discrete router interfaces. SYNC on the switchport will not, but as it is not a CARP interface used to determine MASTER/BACKUP status (No CARP VIP on it) that will not affect the performance of the HA pair and it will failover normally. You would not want a failover event if the SYNC interface is disconnected anyway. If you reassign the LAN interface to one of the ix interfaces, you should simply be able to create a new interface for SYNC using the lagg0.4091 interface that should be available for use/assignment after reassigning LAN to ix0 or ix1. Then just number and add the firewall rules to SYNC interfaces on each side as usual. The default switch configuration should be adequate.
  • CARP failing for one VLAN

    5
    0 Votes
    5 Posts
    717 Views
    Derelict
    Right. There was no CARP VIP on the secondary. A simple edit/save of that VIP on the primary should have taken care of it. Perhaps XMLRPC sync was not working/connected at the time that VIP was created or something else anomalous happened.
  • CARP broken in nightly build

    Moved
    6
    0 Votes
    6 Posts
    1k Views
    johnpoz
    Moved to HA/Carp section.
  • PfSense in Azure and high availability

    5
    0 Votes
    5 Posts
    2k Views
    I
    Hi. Don't know if you're still on this but... I partially set up an ha environment using carp. However, I haven't been able to set up an ip sec vpn since I can't put the same virtual public ip to both nodes. I have tried to fix this using azure load balancer but it is not working right.
  • High Availability Failover stops SSH Session

    5
    0 Votes
    5 Posts
    1k Views
    ?
    @derelict said in High Availability Failover stops SSH Session:
    @vadim1 said in High Availability Failover stops SSH Session:
    VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    VLAN200 tcp 10.10.231.252:38624 -> 10.10.231.253:519 ESTABLISHED:ESTABLISHED 619.731 K / 619.733 K 34.29 MiB / 34.29 MiB
    Those states are DHCP failover connections between the two firewalls and don't show anything about the SSH problems you are reporting.
    before failover
    Primary
    VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.598 K / 11.597 K 657 KiB / 657 KiB
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    BackUp
    VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.439 K / 11.438 K 648 KiB / 648 KiB
    after failover
    Primary
    VLAN20 tcp 10.10.190.5:17979 -> 10.10.224.1:22 ESTABLISHED:ESTABLISHED 180 / 116 14 KiB / 14 KiB
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.765 K / 11.764 K 667 KiB / 667 KiB
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    BackUp
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 0 / 0 0 B / 0 B
    VLAN20 tcp 10.10.231.253:30816 -> 10.10.231.252:520 ESTABLISHED:ESTABLISHED 11.758 K / 11.757 K 666 KiB / 666 KiB
    If the DHCP servers are both set correctly (that setting should sync from primary to secondary), what do the clients report as their default gateway?
    default via 10.10.231.254 dev ens160 proto dhcp metric 100
    but using traceroute it is going through 10.10.231.253, is it the way it should work or does it have to go through 10.10.231.254?
    traceroute to google.com (172.217.17.238), 30 hops max, 60 byte packets
    1 localhost (10.10.231.253) 0.129 ms 0.157 ms 0.183 ms
    Generally, with pfsync running, if the clients are set to use the CARP VIP as their default gateway and outbound NAT for that client network uses the WAN CARP VIP for outbound NAT, then they will have synced states and a failover will not break the client connections. Looking at the states will not show the default gateway used but will show the outbound NAT used (if it is necessary to NAT).
  • Question about High Availability

    3
    0 Votes
    3 Posts
    656 Views
    A
    OK, thanks!
  • Version 2.4.3_1 not available anymore causing XMLRPC Sync to fail.

    5
    0 Votes
    5 Posts
    789 Views
    M
    When I try to change the Vlans I get a message: The following input errors were detected: •The VLAN tag cannot be changed while the interface is assigned. But in "Interfaces/ Interface Assignments" the WAN is the first interface, hence the only one that doesn't have a delete button. I cannot temporarily assign another network port since they are all in use, and I cannot create a new one in the console because then I will clear all my Vlans config. ----while typing I thought of the workaround---- -I deleted one of the other interfaces (OPT11) -assigned the network port of that interface to my WAN connection -Changed the Vlan of the WAN Network Port -Reassign the Network port with the correct Vlan to the interface -Recreate the deleted OPT11 interface and assign its original network port. Not a clean way of working, but it did the trick. Now I'm updating the version and I'll get my config Sync working. Thank you thesurf & Rico for the very valuable help!
  • pfsense ha both staying master on wan side

    9
    0 Votes
    9 Posts
    2k Views
    T
    Absolutely. That's what I would see. If as he wrote sees on the switchs advertisement and both send them my assumption is that he has a switch for each wan line. To work with carp as failover there are two options. A) connect both switches so the advertising packages can be seen by both pfsense. B) from each pfsense connect a port to each switch and setup two virtual IP with the regarding interfaces. Hope that is clear. Else please ask. Maybe I can later provide a drawing.
  • HA on ESXI 6.5 - not working properly. Please help

    11
    0 Votes
    11 Posts
    2k Views
    M
    @alexniko finally I resolved. I reinstalled the system some time ago and have not checked the promiscuous mode on Wan interface. So lesson learned is check, check and check again.
  • Lost ping when master is going down

    2
    0 Votes
    2 Posts
    515 Views
    Derelict
    Sounds like your pfsync (state sync) is not working. https://www.netgate.com/docs/pfsense/book/highavailability/pfsync-overview.html
  • VIPs & 1:1 NAT being Blocked by Anti-Spoof Rule

    2
    0 Votes
    2 Posts
    485 Views
    Derelict
    You probably need to post your 1:1 NAT rules, port forward rules, and the rules on that WAN interface. Then be specific about what connections are not working, such as protocol, source address (outside is probably good enough) and destination address and port. When connecting into WAN, the port forwards will be processed first, then 1:1 NAT. Note that 1:1 NAT does not automatically add WAN rules as port forwards can do. In either case the WAN rules need to pass to the POST NAT address/port (the real, listening address/port on the destination server). Additionally the client is mentioning a host with a VIP cannot reach certain sites from the LAN side of the router. The logs at the time indicated seeing the LAN IP of the device hitting the WAN interface on the pfSense. How the hell does that happen?! Probably Outbound NAT. I would separate these two issues and treat them separately.
  • CARP fails over both interfaces, then one sometimes fails back

    5
    0 Votes
    5 Posts
    1k Views
    M
    Does anyone have any ideas what could be causing this, or where I could look next to get any more useful debugging info?
  • IPSec continuity and CARP/HA

    2
    0 Votes
    2 Posts
    523 Views
    M
    Hello, resolved by moving the "Configuration Synchronization Settings (XMLRPC Sync)" on the pfs1 that it is also the Master node.
  • Backup firewall thinks it's the Master

    2
    0 Votes
    2 Posts
    419 Views
    Derelict
    They can't see each other's multicast CARP advertisements. Check your switching layer that they are both connected to.
  • HA with Multi Wan PPOE and Bridge

    2
    0 Votes
    2 Posts
    483 Views
    Derelict
    HA needs static addresses, not PPPoE, DHCP, etc. The nodes also need identical interfaces on them.
  • Is some level of HA possible with two different public IP addresses

    3
    0 Votes
    3 Posts
    772 Views
    B
    I understand you may have a lot of support questions but would you mind answering my actual questions at the bottom if possible?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.