Thank you. I thought it is correct behavior, just wanted to confirm.

@william-mandell I'm guessing one is a WAN IP or other interface, since it's the same device?

The traffic graphs use some level of smoothing so they are probably just being generated enough apart to appear different.

Is there a second one? (you posted this in the HA subforum...)

@spunky_surveyor It appears that even if you specify

listening_ip=eth0/24

in

/var/etc/miniupnpd.conf

it won't bind to the CARP VIP.

As a result UPnP will work with some applications that don't mind the fact that the router IP advertises itself. But NAT-PMP and many others will fail because the VIP isn't getting picked up by the miniupnp daemon. This appears to be fixed in miniupnp upstream and is an old bug in PFSense due to an ancient historical lack of multicast support in CARP VIPs.

A workaround for NAT-PMP is to create a NAT Port Forward for:

CARP IP : UDP 5351 to Router IP : UPD 5351

Can anyone give some pointer on this?

@mrpete

I also have a century link connection that runs on VLAN 201. I currently have the modem in bridge mode and have PFSense taking care of the log in.

I am currently struggling with setting up the CARP properly on the boxes. Do you have a guide that I could follow?

@wifi75 Up until relatively recently pfSense needed the same hardware on both in order to sync states. However as of 22.01/2.6, that's no longer a requirement. So it should be possible to use any hardware.
https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces

Well alllllrighty then haha. Thanks for the quick reply!

So from an old ticket:

https://redmine.pfsense.org/issues/7010?tab=notes

I'm confused why aliases on loopback interfaces would need a sync for HA cluster

I think there needs to be some work done e.a redesign of the whole xmlrpc process thing.
I could easily see times that one firewall is broken and it takes weeks to perhaps months ( depending on supply of hardware vendor ) to get replaced and sycing can be moved back to original primary device.

There should become an option to track changes on secondary device and have information tracking on primary device and as soon primary comes online there should become an option to sync the rules between devices.

So basically what I am saying here is that a secondary node should have more involvement in this whole xmlrpc config process.

Like there should also become an option when primary comes back online you can still keep the secondary running as the main firewall rule util you are sure the primary firewall is working correctly again.

Just my 2 cents of thoughts.

Since CARP does not work on cloud virtual environments (AWS, Google, Oracle cloud, etc), is there any other way to make pfSense work in HA configuration for cloud environments?
If not, is there any plan to make HA cloud configuration to work in the near future?

@spectre-988
The clients use for DNS, what you tell them to use.
Enter the CARP IP as DNS server, and the will send request to it.

If they are configured by DHCP, tell the DHCP to send the CARP IP for DNS.
In pfSense DHCP server you can enter it at "DNS servers".

Well, it can be done, with minimal changes.
You need to change local ip's and make ha ones as vip
Not a big thing

But, do keep in mind that all interfaces have to be created in the same order in both ha instances.

You will need some experience with the ha setup.
Many things can go wrong if you don't know what you are doing. (as is usually the case too)

I strongly suggest to setup a lab and experiment with ha setup. When you will feel confident, you can proceed with the real thing.
Doing such chores on a live system without prior experience will probably cause significant downtime.

@dara said in pfSense CARP + Cisco N5k vPC:

@philippe-richard Hi Philippe, Thanks a lot. This is more complete and interesting than our setup.

I wonder how you configured the connection between the routers and switches?

In my setup, each router has a single connection to a single switch configured as an Orphan port. For now it is working perfectly.

I am not sure however how it will handle different link and device failure scenarios but I will test it sometime soon and post my findings here.

Hello, have you made progress on your configuration?
Have a good day

Could someone post an example for the necessary NAT rule(s), please?
EDIT: got it already, at least I think so 😊

@neilewing When an interface with a CARP VIP loses carrier, all VIPs on that host are demoted. This makes the VIPs on the other node "better" and the rest of the VIPs on the first node swing to BACKUP status (because they see the "better" advertisements) and the ones on the backup node assume MASTER (because they see that they are the "best" VIP status).