• Unable to route through new interface

    2
    0 Votes
    2 Posts
    856 Views

    @jnpetty
    When you ping the CARP VIP from a connected device, it will first send an ARP request which the master should respond to.

    So to investigate, sniff the traffic and check for ARP packets and whether pfSense sends a response.
    If there is no ARP request, check the ARP table on the device you're pinging from for an already existing entry.

  • Master Master Setup

    1
    0 Votes
    1 Posts
    808 Views
    No one has replied
  • HA Interface mismatch - edit config.xml manually?

    3
    0 Votes
    3 Posts
    1k Views

    @tboston What's the mismatch?

    It is also possible to save/back up the config, edit the XML file, and do a restore. But it should be possible to edit/assign interfaces in the web GUI.

  • 0 Votes
    2 Posts
    1k Views

    Sorry, both hosts are 6.5u3.

  • Minimum Config to Replace Cluster Node

    Moved
    1
    0 Votes
    1 Posts
    518 Views
    No one has replied
  • Question about multiple WAN CARP VIPs

    5
    0 Votes
    5 Posts
    1k Views

    @mauro-tridici said in Question about multiple WAN CARP VIPs:

    So, if I understand your messages correctly, I can add additional public virtual IPs as "IP alias" on top of the existing CARP VIP

    Yes. At interface select the CARP VIP from the drop-down.

    even if the usage of HAproxy is a better solution

    What does this mean?

    Could you please confirm that the assignment of multiple WAN IP addresses (x.x.x.1, x.x.x.2, x.x.x.3, x.x.x.4, x.x.x.5, x.x.x.6) belonging to the same subnet will not be a problem?

    All right.

    Refer to the docs: Virtual IP Address Feature Comparison

    Remember that you have to configure the outbound NAT manually to use the CARP VIP instead of the primary interface IP.

  • pfSync Multicast question

    1
    0 Votes
    1 Posts
    505 Views
    No one has replied
  • CARP with /31 and /29 WAN Address Blocks

    14
    0 Votes
    14 Posts
    3k Views

    @misterto

    WAN 1:

    WAN Subnet: 161.12.60.232/29
    ISP Gateway: 161.12.60.233
    Routed Subnet: 161.12.51.32/29
    Shared CARP VIP: 161.12.60.236

    WAN 2:

    WAN Subnet: 161.12.60.240/29
    ISP Gateway: 161.12.60.241
    Routed Subnet: 161.12.51.40/29
    Shared CARP VIP: 161.12.60.244

    Firewall 1:

    WAN 1 Interface: 161.12.60.234
    WAN 2 Interface: 161.12.60.242

    Firewall 2:

    WAN 1 Interface: 161.12.60.235
    WAN 2 Interface: 161.12.60.243

  • HA Sync not working config version mismatch

    3
    0 Votes
    3 Posts
    1k Views

    I am having the same problem.

    As my primary HA member is the one on 21.7 and the secondary is on 21.8, I tried to download the configuration xml and change from 21.8 to 21.7 and then restore the configuration. This didn't work.

    I can try and switch the primary from 21.7 to 21.8 (after setting it to backup with carp) but will have to do it outside operating hours, as it scares me pretty good.

    Does anyone else have any feedback on what might be causing this? This seems a pretty significant issue that 21.8 isn't even an acknowledged version and my primary system has no knowledge of there being an update.

  • HA + VIP + MultiWAN Issue (no internet on slave)

    6
    0 Votes
    6 Posts
    1k Views
    keyser

    @marama said in HA + VIP + MultiWAN Issue (no internet on slave):

    @keyser ok, will do.
    I'm a bit afraid of removing the "any", since I need to be sure to include all the relevant networks in the alias. Do I also have to include the ipsec and openvpn networks, translations/mapping networks... ?
    Is there a way to leave "any", but then have explicit NAT rule handle the firewall traffic?

    Yes, you need to have VPN networks and such in the alias as well.
    I normally always make an alias called private networks that I use for stuff like that.
    It contains:

    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    That way any private (internal thing - including future uses) is covered, but not the FW and its public addresses.
    Btw - that same alias is very good in internet access allow rules instead of ANY. Use it as destination with the NOT (!) feature.

  • Frequent Restart of PHP/FPM During HA Failover 7100

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • CARP on WAN with 1 IP /DHCP + static MAC

    5
    0 Votes
    5 Posts
    902 Views

    @kd Ah, I think using your own modem it is intended as a passthrough. Around here, business Comcast accounts provide the 10.1.10.x subnet and NAT. Useful for plugging in a laptop to bypass the client's router, to test.

    My home modem is accessible at 192.168.100.1 but I don't think it provides NAT out. It doesn't have a "bridge mode" setting as it just passes the public IP through to my router or a laptop.

  • Internet access on backup FW when using dynamic PPPoE over CARP IP

    6
    0 Votes
    6 Posts
    2k Views

    @Foxi352

    Thank you for the links. I see, it is a difficult issue. I wish they had CARP as an option to take the functionality of a virtual interface (with DHCP/MAC, etc.), rather than just IP. So this can be shared between the firewalls.

    It seems I have a few issues:

    DHCP - perhaps setting WAN as static IP would work until the next lease, need to check MAC spoofing. Not sure how to handle this for the two interfaces. Folks seem to use some scripts to have the interface up and down.

    Perhaps I will manually plug the WAN cable when needed, if I cannot find a workaround :).

    Thanks for your time

  • How to add a WAN to single node in a HA system with two nodes.

    1
    0 Votes
    1 Posts
    454 Views
    No one has replied
  • VIP setup for web hosting

    4
    0 Votes
    4 Posts
    992 Views

    @wesleywillis said in VIP setup for web hosting:

    I confirmed that I only get that block as described under 'Simple IP Subnet on WAN':

    Yes, in this case you'd probably better go with Proxy ARP, so you can cover the whole subnet with a single VIP assignment.
    It is a good way, when you want to forward the whole subnet behind pfSense.

    So I'm assuming it's easiest to just set up NAT 1:1 as such:
    External IP: 1.1.1.3/26
    Internal IP: 10.0.10.3/26

    Possibly you may have to state the network address here, when using network type.

  • How do i trigger CARP on LAN? When having P2P WAN connection?

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • HA SYNC Works only Once

    3
    0 Votes
    3 Posts
    934 Views

    @viragomann

    Your suggested settings worked perfectly for my setup, thank you 👍 👍 👍

  • XMLRPC to several hosts.

    4
    1 Votes
    4 Posts
    1k Views

    I would like to have more than one XMLRPC destination as well to sync firewall rules and aliases to all my nodes.
    A daisy chain as expected here is not a reliable solution.
    Many packages (e.g. pfblocker) already allow syncing to multiple hosts, so I guess the limitation is only the GUI.

  • SyncNic Failing with Error 32602

    10
    0 Votes
    10 Posts
    1k Views
    johnpoz

    @lionelmarais said in SyncNic Failing with Error 32602:

    I was able to sync the image with the same version

    That is good to hear..

    what gets done and reported is two totally different scenarios lol

    To be honest, sadly I don't think that is something limited to any specific part of the world or agency hehahehe

  • DHCP Server given as interface IP, not CARP VIP??!!

    1
    0 Votes
    1 Posts
    594 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.