• 0 Votes
    4 Posts
    971 Views
    V
    @Delegator5042 said in Setting up CARP Master and Backup on a per VLAN basis (Like VRRP): is it possible?: I've read that you can use a switch on the ISP Ethernet connection so it could be shared with multiple routers, but I haven't tried this. Yes, put a small switch into each line or even a VLAN capable switch and split it into two virtual switches. Consider that for CARP, you need an IP on each pfSense and a third as VIP. So you should have 3 IPs on each. If you haven't, there is also a way to configure private IPs on the boxes, but this has some drawbacks. I would still like to know if I could force a vlan (or subnet) to use a specific gateway and only when that gateway is down to send the traffic over to designated backup connection. You can configure a gateway group and set this as default gateway. For routing traffic other than according to the default gateway you can do policy routing by stating a gateway in the firewall pass rule. For your purposes you can configure an additional gateway group, say with inverted priorities, and use this in the policy routing rule.
  • is it possible to configure more than 2 pfsense for HA?

    5
    0 Votes
    5 Posts
    868 Views
    P
    @jimp Yeah, I know - but there is no other way when a single instance cannot take the load, especially since it's a single CPU process only (see load below) - other ways to solve this? Please enlighten me :-) I have handled this in the past by simply unlinking CARP sync and manually setting skew for VIPs to load-balance load over two HAs. Example: so some customers have fw1 as primary and some other customers have fw2 as primary - failover still works.
  • Is it possible to adjusting ARP table update or clear time?

    3
    0 Votes
    3 Posts
    779 Views
    E
    @johnpoz Thank you so much. I configured it following your comment.
  • Synchronize Configurations between Cluster Members via cli

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • ACL conditions

    7
    1
    0 Votes
    7 Posts
    1k Views
    E
    @viragomann said in ACL conditions: So are these IPs behind pfSense or are these IPs assigned to WAN? Ok, so we are using this in L4 mode, and it's working fine. To reply to you, we have no need to hide those public IPs; for us those are on a DMZ assigned to our WAN, so it's ok. Thanks for your support Virago, sadly we are struggling a bit on this.
  • OpenVPN Clients issue in High Availability

    2
    0 Votes
    2 Posts
    504 Views
    V
    @nouman786 Which OpenVPN client are you talking about? Incoming connections to the firewall or outgoing from behind pfSense? If the issue is on incoming connections, do you connect to the WAN CARP VIP? Is your HA setup working properly, so that all interfaces are in master state on the primary and in backup on the secondary? Are all devices inside your network using the CARP VIP as their default gateway?
  • CARP issue (master on both nodes at the same time)

    6
    3
    0 Votes
    6 Posts
    3k Views
    I
    @jimp Sorry for my late reply. I performed several tests and CARP is working fine now :) Thanks for your help!
  • Pfsense and NordVPN

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG
    @Astartes said in Pfsense and NordVPN: let the solution start here Not here. This is the Home > pfSense Software > HA/CARP/VIPs so no VPN talk here. Look here : Home > pfSense Software > OpenVPN and you'll find some recent NordVPN discussions.
  • VIPs and Firewall Rules

    1
    1
    0 Votes
    1 Posts
    257 Views
    No one has replied
  • CARP DUP! on External pings

    1
    2
    0 Votes
    1 Posts
    386 Views
    No one has replied
  • Hidden block quick rule dropping CARP advertisements

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • Adding configuration files for primary and secondary

    1
    0 Votes
    1 Posts
    245 Views
    No one has replied
  • Hidden block quick rule dropping CARP advertisements

    1
    0 Votes
    1 Posts
    416 Views
    No one has replied
  • HA Setup - gateway picking up wrong MAC in ARP Cache for CARP IP?

    7
    0 Votes
    7 Posts
    1k Views
    D
    FWIW, I found this older post from 2018 from @bw-linux who had the exact same issue as me. https://forum.netgate.com/topic/134297/cox-and-the-carp-mac Anyway, the short answer is that they weren't able to get it to work and CARP/VRRP doesn't appear to be supported properly by the cable modems. I think the only way we could get it to work would be to get pfsense to always respond/send traffic for the CARP IP using the same MAC instead of the MAC address of whatever device is primary.
  • DNS Resolver on HA Pair

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Request timed out due to default_socket_timeout php.ini

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    shepradorS
    Thanks @viragomann
  • Do you need multiple public IP's for basic failover functionality?

    14
    0 Votes
    14 Posts
    3k Views
    V
    @Magoogle Check Status > Gateways. Is the tier2 the default now?
  • Configure an PPPoE on an CARP IF

    18
    0 Votes
    18 Posts
    15k Views
    JeGrJ
    @netblues said in Configure an PPPoE on an CARP IF: This never really worked. pppoe running on a carp interface isn't an option. It sure is. We have a few customers set up that way and working well - within boundaries. Of course in such a setup the secondary node of a CARP setup won't easily have internet which is/can be a problem and as such the setup isn't really recommended. But it IS working though. It's important to check though that both nodes on its WAN "carrier" interface are connected to each other and the DSL modem correctly so both have access to dial-in if needed. If that's set up correctly it's a relatively simple setup: either node gets the physical interface for the PPPoE connection assigned with its own IP, say 10.12.34.251 and .252; check pinging from one to the other and back (allow ICMP on that interface first); then add a CARP VIP to it, e.g. .254 - that one should now be active on the primary node and backup on the secondary node. If that is not the case you don't need to proceed with PPPoE stuff. That's basic CARP that should be working first! If that's running you can now add the PPPoE interface but as carrier you don't choose your physical interface BUT the NEW CARP VIP you created (yes, that .254 one from above!) This ensures the PPPoE connection switches from node 1 to 2 and back if needed. Then set up PPPoE as usual. When finished assign that interface (pppoe0) as your WAN_PPPoE or something else like it. THAT one is your actual WAN, the other physical interface and the VIP on it are only a sort-of transfer/carrier network. Cheers
  • High Availability with Multi-WAN and Multi-LAN

    13
    0 Votes
    13 Posts
    3k Views
    R
    @reberhar Yes of course. Why would you want to choose a gateway for every rule? I was just caught in the verbiage.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.