• CARP/HA working on WAN without any rules on interface

    0 Votes
    2 Posts
    473 Views
    jimp
    Yes, the CARP traffic is allowed automatically. It is far too easy for user rules to break CARP unintentionally, and since it is multicast and thus only found in the local L2 segment, it is not a significant risk to allow the traffic. The automatic CARP rules also exempt CARP traffic from NAT.
  • TCP problems like asymmetric routing with CARP

    0 Votes
    1 Posts
    460 Views
    No one has replied
  • XMLRPC method errors

    0 Votes
    2 Posts
    421 Views
    This issue is resolved.
  • XMLRPC Sync and additional services

    0 Votes
    2 Posts
    533 Views
    You can select what to be synced in System > High Availability Sync. pfBlockerNG and Suricata have options to enable sync of all settings, other packages may also have sync options.
  • CARP with multi-wan [SOLVED]

    0 Votes
    4 Posts
    2k Views
    jimp
    @chris4916: This computer (Anne) requests an IP and gets offers from the 2 DHCP servers, with different IPs. I'm just wondering how this works ;) Notice that some devices are receiving the same IP from each DHCP server. That is normal. They will both offer since they are both active, but whichever lease the client accepts will be shared between the two systems. @chris4916: The problem was with FW rules for incoming flow on the WAN "group" interface. Having removed these rules and replaced them with rules on each WAN1 & WAN2 interface fixed this issue with incoming flow. Great!
  • Failover VPN

    0 Votes
    3 Posts
    819 Views
    --keepalive directive?
  • CARP and transparent-mode

    0 Votes
    1 Posts
    403 Views
    No one has replied
  • High Availability HA authentication failure

    0 Votes
    10 Posts
    3k Views
    Derelict
    Hmm. I have never done an HA pair with an LDAP-configured authentication backend for the webgui (which will also be xmlrpc sync). Later versions (including 2.4.X) fixed the long-standing issue of being unable to specify the xmlrpc username and password. It might be worth creating a local user on the primary, which should sync to the secondary, that specifically includes the System - HA node sync permission, then specifying that user on the primary in the XMLRPC settings. The secondary is the one that is controlling where things are authenticated. Are you certain the user being specified is present there? Does the XMLRPC sync user and password pass on the secondary in Diagnostics > Authentication? Is there any significant delay? Are the Authentication servers specified identical on the primary and the secondary? Do both nodes pass Diagnostics > Authentication?
  • CARP on AWS

    0 Votes
    3 Posts
    1k Views
    Derelict
    You can't do that. Their AWS network will not allow the multicast between nodes, addresses are tied to specific instances, etc.
  • How common are IP Aliases on WAN interfaces?

    0 Votes
    5 Posts
    1k Views
    jimp
    @coreybrett: If I ever run into this again and want to use the CARP option, would I need to fill in the Virtual IP Password, VHID Group or Advertising frequency when using a single firewall? Yes, you still need to fill that in even if it's a single unit since they are all required parameters to configure CARP.
  • Problems with HA and CARP

    0 Votes
    1 Posts
    539 Views
    No one has replied
  • CARP + OpenVPN - slave not reachable over VPN

    1 Votes
    3 Posts
    1k Views
    Ahh, after re-reading, re-reading and re-reading I found the solution! By 'The VPN tunnel network' they mean the subnet on the 'remote side' of the VPN tunnel. After changing it, it works :)
  • CARP failover causes default route on master to go missing

    0 Votes
    2 Posts
    1k Views
    Go to Firewall > NAT > Outbound: make sure you have 'Manual (or Hybrid) Outbound NAT' and create an extra rule: WAN - This Firewall - * - * - * - (WAN CARP IP) - *. Also I think you need to reboot so the apinger is refreshed.
  • Virtual IP on Subnets

    0 Votes
    3 Posts
    715 Views
    Thanks for your help, and thanks for the hint with UDP; I think this is the problem, since the needed UDP traffic is not forwarded within these subnets. From Cisco I remember configuring ip helper addresses, e.g. for UDP 32410, 32412, 32413, 32414: ip helper-address 192.168.1.187 / ip forward-protocol udp 32410 etc. Is there something similar on pfSense?
  • Disable CARP

    0 Votes
    5 Posts
    1k Views
    Derelict
    Do you have any other suggestions? Yes. Upgrade.
  • Client peer-to-peer tunnels between CARP'd pfsenses

    0 Votes
    3 Posts
    725 Views
    Thanks for that! I double checked, and OpenVPN is not selected to sync.
  • CARP Entire Network

    0 Votes
    1 Posts
    449 Views
    No one has replied
  • CARP Network Allocation Problem

    0 Votes
    9 Posts
    1k Views
    @Derelict: It is those who are making you do this who don't understand. Yep. I guess i am not the only one.
  • CARP setup on load balancing network

    0 Votes
    1 Posts
    500 Views
    No one has replied
  • NAT Trouble with CARP

    0 Votes
    4 Posts
    821 Views
    Derelict
    Hard to say. But if the only difference is the CARP address being used for NAT that is where I would look. ISPs do crazy things. Also, you want to move that static port 500 NAT rule above the rule since, if left like that, it will never be matched. Unrelated to your speed issue. Just sayin'.
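Two of the replies above make concrete protocol claims: jimp's answer on "CARP/HA working on WAN without any rules" (CARP is multicast, stays on the local L2 segment, is auto-allowed and exempt from NAT) and his answer on "IP Aliases on WAN interfaces" (VHID, advertising frequency and password are all required parameters). The following is an added example, not code from the forum, pfSense or Netgate, that makes those claims checkable: it builds constructed CARP advertisements (IP protocol 112 to 224.0.0.18 with TTL 255, 36-byte header laid out as FreeBSD's struct carp_header) and a parser that rejects anything routed, misaddressed or corrupted, then picks the MASTER by advbase/advskew. The function names, the 192.0.2.x addresses and the tie-break by address are this example's own choices, and the counter/HMAC fields are left zero rather than computing the real HMAC-SHA1 from the VHID password.

```python
"""Decode and sanity-check CARP advertisements (added example, not pfSense or
Netgate code).  CARP advertisements are IP protocol 112, sent to the
link-local multicast group 224.0.0.18 with TTL 255, so they are only ever
seen on the local L2 segment.  The 36-byte header layout follows FreeBSD's
struct carp_header; the sample packets are constructed here and carry a
zero-filled HMAC instead of the real HMAC-SHA1 derived from the VHID password."""
import socket
import struct

CARP_PROTO = 112
CARP_GROUP = "224.0.0.18"
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
# type/version, vhid, advskew, authlen, pad1, advbase, checksum, counter, hmac
CARP_HDR = struct.Struct("!BBBBBBH8s20s")
IP_HDR = struct.Struct("!BBHHHBBH4s4s")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (odd length zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp_packet(src: str, vhid: int, advskew: int, advbase: int = 1,
                      ttl: int = 255, dst: str = CARP_GROUP) -> bytes:
    """Construct an IPv4 + CARP advertisement (constructed sample, zero HMAC)."""
    type_ver = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    counter, hmac = b"\x00" * 8, b"\x00" * 20
    unchecked = CARP_HDR.pack(type_ver, vhid, advskew, 7, 0, advbase, 0, counter, hmac)
    carp = CARP_HDR.pack(type_ver, vhid, advskew, 7, 0, advbase,
                         inet_checksum(unchecked), counter, hmac)
    total = IP_HDR.size + len(carp)
    fields = [0x45, 0, total, 0, 0, ttl, CARP_PROTO, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(IP_HDR.pack(*fields))  # fill in the IP checksum
    return IP_HDR.pack(*fields) + carp


def parse_carp(pkt: bytes) -> dict:
    """Return the fields of a CARP advertisement, or raise ValueError if the
    packet is not a valid link-local CARP advertisement."""
    if len(pkt) < IP_HDR.size:
        raise ValueError("truncated IP header")
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = IP_HDR.unpack(pkt[:IP_HDR.size])
    if ver_ihl >> 4 != 4 or proto != CARP_PROTO:
        raise ValueError("not an IPv4 CARP packet")
    if socket.inet_ntoa(dst) != CARP_GROUP:
        raise ValueError("CARP advertisements go to 224.0.0.18")
    if ttl != 255:
        # A TTL below 255 means the packet crossed a router (or was forged).
        raise ValueError("CARP requires TTL 255")
    payload = pkt[(ver_ihl & 0x0F) * 4:total]
    if len(payload) < CARP_HDR.size:
        raise ValueError("truncated CARP header")
    if inet_checksum(payload[:CARP_HDR.size]) != 0:
        raise ValueError("bad CARP checksum")
    type_ver, vhid, advskew, _authlen, _pad, advbase, _, _, _ = \
        CARP_HDR.unpack(payload[:CARP_HDR.size])
    if type_ver >> 4 != CARP_VERSION or type_ver & 0x0F != CARP_ADVERTISEMENT:
        raise ValueError("unsupported CARP version/type")
    return {"src": socket.inet_ntoa(src), "vhid": vhid,
            "advskew": advskew, "advbase": advbase}


def elect_master(adverts: list) -> str:
    """Pick which node should be MASTER for one VHID: the one advertising most
    often, i.e. lowest advbase, then lowest advskew.  The final tie-break by
    address is this example's simplification, not CARP's own behaviour."""
    vhids = {a["vhid"] for a in adverts}
    if len(vhids) != 1:
        raise ValueError("advertisements for more than one VHID: %s" % sorted(vhids))
    return min(adverts, key=lambda a: (a["advbase"], a["advskew"], a["src"]))["src"]


if __name__ == "__main__":
    primary = build_carp_packet("192.0.2.2", vhid=1, advskew=0)
    secondary = build_carp_packet("192.0.2.3", vhid=1, advskew=100)
    print(elect_master([parse_carp(primary), parse_carp(secondary)]))
```

The two rejections in parse_carp are the practical reason the auto-added CARP rule is low risk: a legitimate advertisement can only arrive from the same broadcast domain (TTL 255, multicast destination), so a rule permitting protocol 112 to 224.0.0.18 cannot be reached from across a router. Conversely, anything else on that segment can inject advertisements with a lower advskew, which is why the VHID password (the HMAC this example leaves zeroed) and a dedicated sync/CARP segment still matter.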
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.