• CARP/HA, SYNC and XMLRPC SYNC explained

    Thanks for the excellent reply. I've retested as you suggested by entering persistent maintenance and there is no packet loss that way (perst maint, reboot, leave persist maint). I am still having a small problem with freeradius xmlrpc sync between the two but I posted that in a separate topic (see https://forum.pfsense.org/index.php?topic=135864.0). Regards, Matt
  • hardware needs to move to a cluster

    SteveITS
    @sgw They kind of do, but the bottom half has the crossed lines connecting to a line on the other side, not the bricks (firewall). What you described sounded right when I read it. I'd just draw it out on paper. Basically, for each interface, you need two ports and a switch.
    > @sgw said in hardware needs to move to a cluster: I don't plan SYNC as VLAN, no I was just brainstorming, sorry if I was confusing.
  • HA with MULTIWAN Outbound NAT for CARP and VLANs

    @netblues Right. Thank you very much.
  • High Availability and TailScale

    No one has replied
  • Possible bug + fix for HAproxy issue during upgrade to 2.8.1

    No one has replied
  • How to route to backup lan interface

    carp routing
    No one has replied
  •

    SteveITS
    @Chebec Have a read through: https://docs.netgate.com/pfsense/en/latest/development/patches/custom.html and the rest of the topic. If you add a patch, it should detect whether it can be Applied and will or will not show the Apply button, as I recall. There is also a Debug button to test. Normally a patch can be reverted via that button, yes, unless the target file is later changed. (After updating pfSense you would not want to revert a patch and reintroduce a bug; just delete the custom patch.) Note there's a later patch ID in that redmine: 8544b85f8c32d0f180c09a4d0986ac819919bd2b. As long as patches are from Netgate developers I would have no issue installing them. For random patches in the forum I'd be a bit more cautious. In either case you can see the code being changed, in the patch details.
    Edit: Marcos M in the redmine is a Netgate dev.
  • Virtual IP question: traffic to a VIP doesn't seem to route

    SteveITS
    @boumacor I'm not a huge fan of floating rules if they can be set as regular rules, since the, er, rules change for floating. Just to maintain clarity. However if the rule triggers and a state is open you're through pf. Does the pfSense routing table show a route for the 192.168.1.0/24 subnet? I would still be suspicious of the switch ignoring traffic outside its own subnet unless you're sure it will allow it. You could set an IP on some other device and ping it, to check the connection through pfSense.
  • HA sync overwrites certificates on backup router even if unchecked

    SteveITS
    @Derelict Yeah, that’d be the other option and basically what we did with the wildcard cert. Might be cleaner to let the certs sync. It just surprised me to carefully test it all on r2, set up one cert on r1, and everything disappeared on r2. We were using the wildcard in a lot of places but are looking to avoid replacing that many cert locations every 47 days going forward… :(
  • PFSense HA & OSPF Question

    Derelict
    @stowemotion59 It is an entirely new OSPF session requiring a complete reconvergence so it should be fine.
  • NAT issue with CARP and 25.11.1

    No one has replied
  • How to deal with VPN interfaces before starting XMLRPC Sync?

    No one has replied
  • Virtual IP subnet IPs not expanding into NAT

    patient0
    @Barnzey90 do you have an account on https://redmine.pfsense.org/ to report the issue?
  • Query on HA and VIP

    SteveITS
    > @netblues: you can't really have carp failover without 3 IPs in the same subnet
    Depends, which is why I asked about it. We’ve set it up on Comcast/Xfinity using one shared static public IP and set the WAN IP on both routers in the default 10.1.10.x range. That works well. Docs cover only one IP, but there’s no connectivity until failover: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp If WAN2 is really only DHCP though, then I don’t think there can be a shared IP.
  • Question about OpenVPN running on HA cluster on the CARP WAN on port 443

    @AlexMercer Move the webgui to 4443. Disable the webConfigurator anti-lockout rule. Disable the webConfigurator redirect rule. Add a specific rule for the internal interface (any LANish is good, preferably the one which is your dedicated management LAN) to port 4443. This hardening and consistency ensures that whatever goes wrong, any public WAN/443 combination won't ever reveal the webgui. Always remove excess rules: if you don't know why it is there, get rid of it.
  • Dynamic DNS + XMLRPC SYNC

    luckman212
    What is the recommended method of ensuring high availability of a service running on or behind an HA cluster then? Require running the DynDNS client on a separate system (not the firewall itself?)
  • No XMLRPC sync for rrd (Monitoring) settings, packages, Dashboard...

    luckman212
    Been about 4 years... anyone have any thoughts on this? Syncing packages seems like it should be table stakes at least.
  • On CARP switchover to secondary, *some* replicated states disappear

    No one has replied
  • interface number mismatch

    SteveITS
    @beloc The short answer is yes, you can edit the config file and upload. This can happen if interfaces are added out of order or inconsistently. Note the visible name label (MGMT below) is not necessarily the same as the internal name in the config file (opt4 below).

        <opt4>
          <descr>MGMT</descr>
          <if>igc3</if>
          <enable/>
          <spoofmac/>
          <ipaddr>x.x.x.x</ipaddr>
          <subnet>24</subnet>
        </opt4>

    Rules use the "opt4" name. States use the "igc3" name if "Interface Bound States" are used. If you find & replace, just be careful not to replace strings in other places such as certificates.
  • Two locations, two ISP (WAN) and HA setup

    SteveITS
    @Jdwind I just meant, maybe duplicate their routing in the example.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.