• Setting up HA Proxy for Internal Servers

    10
    0 Votes
    10 Posts
    817 Views

    @doni49
    Sadly all screenshots are lost.

    If the browser doesn't show a certificate, either HAproxy does not deliver any, because it's not assigned correctly, or you are connected to the wrong host.

  • Manual fail over with subset of devices having access

    3
    0 Votes
    3 Posts
    345 Views

    Thank you very much for your reply.

    I've managed to get it to work - thanks for your help. A couple of points:

    • I also needed to add a rule specifically to allow DNS traffic from the DNS Resolver in the firewall across the 4G WAN, otherwise DNS doesn't work (because it doesn't hit on the LAN rule)

    • In addition to changing the gateway manually (which is fine), I also need to tweak the DNS Resolver setting so that outbound requests go across the 4G WAN and not the normal WAN. Not sure if there's a way around that? If I enable both outgoing interfaces in DNS Resolver, then it seems to distribute DNS traffic even when the gateway doesn't need to failover.

  • Enter Persistent CARP Maintenance Mode not working

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied

  • New Zealand for management and physical Netgear switch

    13
    0 Votes
    13 Posts
    952 Views

    @johnpoz

    That is what I intended to say I am just dyslexic when it comes to VLANs.

  • Primary does not auto fallback with pfsense 2.7.2

    5
    0 Votes
    5 Posts
    649 Views

    @SteveITS Thank you for this. I expected to see something similar with my primary's NICs. I did however set up CARP a number of times with the UI in 2.7.2, which may have triggered the problem in my case.

    I have bi-directional pfsync set up, but XMLRPC sync is only from the primary to the secondary.

    I will report the issue to the developers.

  • Backup Node Normal Behavior

    17
    0 Votes
    17 Posts
    1k Views

    @CaptainKeyboard
    The hint to consider rule was in my first post.

    But glad, that's working now.

  • Virtual IP from IP alias to CARP type

    5
    0 Votes
    5 Posts
    679 Views

    @viragomann thank you!

  • Is "mass addition" of IP Aliases possible?

    4
    0 Votes
    4 Posts
    377 Views

    So I edited config.xml (plus 63 IP Aliases) and held my breath...

    The web interface of the secondary firewall became unresponsive for several minutes (the command line was still available). During this time, the secondary sent dozens of messages about assuming CARP state whatsoever.

    Eventually, things settled down and I could access the web interface again. I found that both firewalls considered themselves master for the "interface" CARP IP and all Alias IPs associated with it.

    I temporarily disabled CARP on both firewalls and enabled it again. Now things look okay.

  • Full-mesh using 2×Netgate 7100 1U + 2×Dell S4148T-ON

    Moved
    3
    0 Votes
    3 Posts
    765 Views

    @nxsysop Hi, I know this is an old post, but I'm wondering if your solution worked. We are also trying to set up using a pair of 8200's. We are going to use LACP, but I wasn't sure if static or dynamic would work with the Dell switches, which are set up using VLT. Thanks

  • Stop IGMP Proxy Service with CARP in status Backup

    2
    0 Votes
    2 Posts
    322 Views

    I haven't found a solution so far for running HA with IGMP Proxy.

    Does anybody have a solution that works well?

  • WAN link unplugged, but LAN not failover to Backup

    15
    0 Votes
    15 Posts
    1k Views

    I have replicated the topology in a GNS3 lab and have the same issue:

    [image: Immagine 2024-03-27 172830.jpg]

  • CARP - VLAN VIPS showing master on both

    1
    0 Votes
    1 Posts
    268 Views
    No one has replied

  • Setup pfSync causes an instant crash pfsense 2.7

    9
    0 Votes
    9 Posts
    642 Views

    @kprovost I have now got this working, I have no idea what I did differently but on two newly built virtual machines I have it working.

  • PfSense in Azure

    12
    0 Votes
    12 Posts
    4k Views

    It’s generally recommended to avoid using the Virtual IP (VIP) to access the GUI for security reasons. The VIP is typically exposed to more traffic and potential attacks, so accessing the GUI through it could expose sensitive administrative interfaces. Instead, it’s safer to access the GUI from a management interface or VPN that’s not directly exposed to the internet. When you route all traffic from the Test subnet through the pfSense firewall using a specific LAN IP, you’re essentially creating a single point of failure. If you want to use the VIP (10.0.2.101) and still have the traffic appear to come from the load balancer’s public IP, you’ll need to ensure that the VIP is correctly configured for outbound NAT and that the load balancer is set up to handle outbound traffic from the VIP address.

  • IPSec taking long time to connect after CARP IP failover.

    7
    0 Votes
    7 Posts
    1k Views
    planedrop

    Are you using pfSense CE or Plus? I think that is my first follow-up question; Plus is supposed to have some more "stuff" in it to help with IPsec failover delays, as mentioned in the docs.

    It's been a while since I've had to failover a node for testing so I could be remembering wrong but I think it was near instant failover. But the docs do mention it could take until the timeout of the tunnel if the peer is the one initiating.

    Do you have dead peer detection enabled and do you know if the other side of the tunnel does? That should in theory cause the peer to initiate the tunnel again quickly.

    Also, as far as I can tell, the backup node in the HA cluster should become an initiator when its status changes to Master; I'm sure it is, but can you confirm (when in failover) that the primary says Backup and the secondary says Master? Just to be 100% sure that is working.

    Finally, from what I am seeing, I think it should work just as well without XMLRPC, so that's the good news.

  • DNS resolution issue with High Availability

    11
    0 Votes
    11 Posts
    1k Views

    @viragomann

    I watched all of Netgate's official tutorials.
    In one of them they mention that if my setup is structured as a DMZ, the outbound NAT should be left at the default:

    https://www.youtube.com/watch?v=-UszV8qIaRw&t=2426s

    My setup is set as a DMZ
    COMCAST ROUTER -> DMZ WAN CARP IP (either pfsense1 or pfsense2)

    I removed the custom NAT outbound rules pointing to the WAN CARP IP, and left it at hybrid default rules.
    The DNS resolution is working now.

    Besides this small mention in a tutorial from 9 years ago, I do not see this point about DMZ anywhere else in the documentation from Netgate. Either way, it is working now. I hope this helps someone else in the future.

    Thank you for your help!

  • New to HA -- questions about DHCP server on LAN interface

    2
    0 Votes
    2 Posts
    250 Views

    I checked the primary and secondary pfSense again last night. dhcpd was running on both. I guess that is probably the intended behaviour. I see the failover dhcpd in the DHCP status page. I think I am all good. Thanks.

  • HA/CARP with EdgerouterX facing the Internet

    2
    0 Votes
    2 Posts
    421 Views

    @reberhar Hi All

    The answer was already in the forum.

    https://forum.netgate.com/topic/182996/openvpn-with-ha-carp-not-connecting-on-vip

    Thanks for your patience.

    Roy

  • Vlan & HA

    18
    0 Votes
    18 Posts
    1k Views
    MrGamecase

    Ok, so scrambling round for an unused switch, I have discovered that Proxmox on its own won't do layer 2 switching. Once I plugged the 2 vPFsense into a switch they started behaving as expected.

    All the CARP HA responded as primary & backup accordingly and failover works like a charm.

  • WAN down, but LAN will not failover to Backup FW

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.