• [Solved] How should endpoints handle MAC changes during HA failover?

    4
    0 Votes
    4 Posts
    1k Views
    MrPeteM
    @netblues That page does not say that... But it does link to a page hinting at this: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#switch-layer-2-concerns While "CARP VIPs each have their own unique MAC address derived from their VHID" "At minimum, the switch must... Allow the CARP VIP MAC address to move between ports." Thanks! I think I am beginning to understand this...
  • 2.6 upgrade: XMLRPC fail. Missing file on secondary side?

    3
    0 Votes
    3 Posts
    1k Views
    MrPeteM
    @netblues duuuh. Thanks. That's embarrassing. I completely missed that pkg on my list to be manually installed. Thanks!
  • Primary neither master or backup on new CARP VIP

    2
    0 Votes
    2 Posts
    1k Views
    P
    Never mind, a reboot solved it. -nic
  • Multiple VLANs in HA config

    vlan high availabili
    10
    0 Votes
    10 Posts
    3k Views
    N
    @viragomann said in Multiple VLANs in HA config: So ensure the VLAN is also properly configured on the switch. omg , so stupid :) Thx it all works now
  • HA Sync interfaces mismatch solved

    1
    0 Votes
    1 Posts
    683 Views
    No one has replied
  • Unable to route through new interface

    2
    0 Votes
    2 Posts
    881 Views
    V
    @jnpetty When you ping the CARP VIP from a connected device, it will first send an ARP request which the master should respond to. So to investigate, sniff the traffic and check for ARP packets and whether pfSense sends a response. If there is no ARP request, check the ARP table on the device you're pinging from for an already existing entry.
  • Master Master Setup

    master-master high availabili
    1
    0 Votes
    1 Posts
    830 Views
    No one has replied
  • HA Interface mismatch - edit config.xml manually?

    3
    0 Votes
    3 Posts
    1k Views
    S
    @tboston What's the mismatch? It is also possible to save/back up the config, edit the XML file, and do a restore. But it should be possible to edit/assign interfaces in the web GUI.
  • 0 Votes
    2 Posts
    1k Views
    D
    sorry both hosts are 6.5u3
  • Minimum Config to Replace Cluster Node

    Moved
    1
    0 Votes
    1 Posts
    530 Views
    No one has replied
  • Question about multiple WAN CARP VIPs

    5
    0 Votes
    5 Posts
    1k Views
    V
    @mauro-tridici said in Question about multiple WAN CARP VIPs: So, if I understand your messages correctly, I can add additional public virtual IPs as "IP alias" on top of existing CARP VIP Yes. At interface select the CARP VIP from the drop-down. even if is the usage of HAproxy is a better solution What does this mean? Could you please confirm that the assignment of multiple WAN IPs addresses (x.x.x.1,x.x.x.2,x.x.x.3,x.x.x.4,x.x.x.5,x.x.x.6) belonging to the same subnet will be not a problem? All right. Refer to the docs: Virtual IP Address Feature Comparison Remember that you have to configure the outbound NAT manually to use the CARP VIP instead of the primary interface IP.
  • pfSync Multicast question

    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • CARP with /31 and /29 WAN Address Blocks

    14
    0 Votes
    14 Posts
    3k Views
    M
    @misterto WAN 1: WAN Subnet: 161.12.60.232/29 ISP Gateway: 161.12.60.233 Routed Subnet: 161.12.51.32/29 Shared CARP VIP: 161.12.60.236 WAN 2: WAN Subnet: 161.12.60.240/29 ISP Gateway: 161.12.60.241 Routed Subnet: 161.12.51.40/29 Shared CARP VIP: 161.12.60.244 Firewall 1: WAN 1 Interface: 161.12.60.234 WAN 2 Interface: 161.12.60.242 Firewall 2: WAN 1 Interface: 161.12.60.235 WAN 2 Interface: 161.12.60.243
  • HA Sync not working config version mismatch

    3
    0 Votes
    3 Posts
    1k Views
    K
    I am having the same problem. As my primary HA member is the one on 21.7 and the secondary is on 21.8, I tried to download the configuration xml and change from 21.8 to 21.7 and then restore the configuration. This didn't work. I can try and switch the primary from 21.7 to 21.8 (after setting it to backup with carp) but will have to do it outside operating hours, as it scares me pretty good. Does anyone else have any feedback on what might be causing this? This seems a pretty significant issue that 21.8 isn't even an acknowledged version and my primary system has no knowledge of there being an update.
  • HA + VIP + MultiWAN Issue (no internet on slave)

    6
    0 Votes
    6 Posts
    1k Views
    keyserK
    @marama said in HA + VIP + MultiWAN Issue (no internet on slave): @keyser ok, will do. I'm a bit afraid of removing the "any", since I need to be sure to include all the relevant networks in the alias. Do I also have to include the ipsec and openvpn networks, translations/mapping networks... ? Is there a way to leave "any", but then have explicit NAT rule handle the firewall traffic? Yes, you need to have VPN networks and such in the alias as well. I normally always make an alias called private networks I use for stuff like that. It contains: 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 That way any private (internal thing - including future uses) is covered - but not the FW and its public addresses. Btw - that same alias is very good in internet access allow rules instead of ANY. Use it as destination with the NOT (!) feature.
  • Frequent Restart of PHP/FPM During HA Failover 7100

    1
    0 Votes
    1 Posts
    452 Views
    No one has replied
  • CARP on WAN with 1 IP /DHCP + static MAC

    5
    0 Votes
    5 Posts
    921 Views
    S
    @kd Ah, I think using your own modem it is intended as a passthrough. Around here, business Comcast accounts provide the 10.1.10.x subnet and NAT. Useful for plugging in a laptop to bypass the client's router, to test. My home modem is accessible at 192.168.100.1 but I don't think it provides NAT out. It doesn't have a "bridge mode" setting as it just passes the public IP through to my router or a laptop.
  • Internet access on backup FW when using dynamic PPPoE over CARP IP

    6
    0 Votes
    6 Posts
    2k Views
    K
    @Foxi352 Thank you for the links. I see, it is a difficult issue. I wish they had the CARP as an option to take the functionality of a virtual interface (with DHCP/MAC, etc.), rather than just IP. So this can be shared between the firewalls. It seems I have a few issues: DHCP - perhaps setting WAN as static IP would work until the next lease, need to check MAC spoofing.. Not sure how to handle this for the two interfaces. Folks seem to use some scripts to have the interface UP and down. Perhaps I will manually plug the WAN cable when needed, if I cannot find a workaround :). Thanks for your time
  • How to add a WAN to single node in a HA system with two nodes.

    1
    0 Votes
    1 Posts
    459 Views
    No one has replied
  • VIP setup for web hosting

    4
    0 Votes
    4 Posts
    1k Views
    V
    @wesleywillis said in VIP setup for web hosting: I confirmed that I only get that block as described under 'Simple IP Subnet on WAN': Yes, in this case you'd probably better go with Proxy ARP, so you can cover the whole subnet with a single VIP assignment. It is a good way, when you want to forward the whole subnet behind pfSense. So I'm assuming it's easiest to just setup NAT 1:1 as such: External IP: 1.1.1.3/26 Internal IP: 10.0.10.3/26 Possibly you may have to state the network address here, when using network type.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.