  • interface number mismatch

    0 Votes
    2 Posts
    222 Views
    SteveITS
    @beloc The short answer is yes you can edit the config file and upload. This can happen if interfaces are added out of order or inconsistently. Note the visible name label (MGMT below) is not necessarily the same as the internal name in the config file (opt4 below).

        <opt4>
          <descr>MGMT</descr>
          <if>igc3</if>
          <enable/>
          <spoofmac/>
          <ipaddr>x.x.x.x</ipaddr>
          <subnet>24</subnet>
        </opt4>

    Rules use the "opt4" name. States use the "igc3" name if "Interface Bound States" are used. If you find & replace just be careful to not replace strings in other places such as certificates.
  • Two locations, two ISP (WAN) and HA setup

    0 Votes
    6 Posts
    730 Views
    SteveITS
    @Jdwind I just meant, maybe duplicate their routing in the example.
  • Hetzner vSwitch subnet: second subnet receives no traffic

    0 Votes
    1 Posts
    193 Views
    No one has replied
  • HA-proxy How to use Custom ACL's

    0 Votes
    8 Posts
    1k Views
    V
    @louis2 When you click on the three points on the upper right side, there should be an option to start a chat.
  • 0 Votes
    8 Posts
    916 Views
    N
    @louis2 [image: 1764426797353-cc6d5848-ab46-499c-bd4e-4021f820d63f-image.png] How about custom? and then an action. Yes it is not intuitive or easy, and no, I don't have that much experience on that, but the options exist.
  • HA setup is flapping between primary and backup devices

    0 Votes
    2 Posts
    484 Views
    martimunM
    So I disconnected the backup device and my network is back to normal (even though I haven't removed the CARP and HA settings yet). Just for the sake of testing, I configured two identical Steelheads CX770s with Opnsense and got the same results as with pfSense. I get the same results with two sets of completely different hardware! How can this be possible?! I thought it was the connection to the switch (since both firewalls connect to the same stack) but as soon as I remove the backup unit from the HA setup, all network connectivity is restored. Has anyone here encountered this problem before? Martin M. Mune US Army Combat Veteran Operation Iraqi Freedom Volunteer Soldier International Legion for the Defense of Ukraine Слава Україні! Героям Слава!
  • Kea DHCP in HA mode random crashes.

    0 Votes
    2 Posts
    919 Views
    B
    @UserCo I'm seeing something similar. I've had terrible luck with keadhcp in HA mode. It works, until it randomly doesn't. This last time for me the logging just stopped a day or two before I noticed and the last message was that it couldn't reach the HA partner. The web UI showed that everything was fine, restarted the services on both nodes and that did nothing. Ended up rebooting both to get it back.
  • Wireguard HA Sync to second PFS?

    0 Votes
    1 Posts
    236 Views
    No one has replied
  • 0 Votes
    2 Posts
    426 Views
    V
    @AaronH said in HA WAN Configuration - The first router to boot occupies all available IP's on the WAN interface: When connecting the HA cluster, the first router to boot claims all of the available IP's on the subnet So did you assign all available IPs to the router? If we connect two laptops with the same IP addresses to the Comcast network, both can function as expected with no issues. Both with the same IP??
  • HA XMLRPC Error

    0 Votes
    3 Posts
    710 Views
    B
    @timowevel Was there any solution? I am currently getting the same issue: XMLRPC Error A communications error occurred while attempting to call XMLRPC method host_firmware_version: Unable to connect to tls://10.0.1.3:443. Error: stream_socket_client(): Unable to connect to tls://10.0.1.3:443 (Unknown error) stream_socket_client(): Failed to enable crypto stream_socket_client(): SSL: Handshake timed out @ 2025-10-21 12:36:54 Primary Node shows errors Self-Signed Certs on both ends. Ping works both ends HTTPS Port Responds at both ends. NTP is in sync 2.8.1-RELEASE (amd64) built on Tue Sep 9 12:29:00 EDT 2025 FreeBSD 15.0-CURRENT
  • CARP Troubleshooting

    0 Votes
    4 Posts
    906 Views
    N
    @Deputize2180 Unicast is most probably the only viable test, but I doubt it will fix things. Most probably the isp modem has issues with carp and will never work properly. I'm not aware of any other tunable options too. (and I do hope I'm wrong)
  • 0 Votes
    15 Posts
    2k Views
    w0wW
    [image: 1760762744141-28314b2f-5d26-45d9-b6ae-381f978856b4-image.png] [image: 1760762785716-ee139398-adef-4d64-8ce4-bba8cce70782-image.png] config-pfSense.home.arpa-20251018044835.xml.zip u/p=admin/pfsense In case you are installing in the VM just import the machine into the Virtualbox, and install 2.8.1, then apply configuration. pfsense28_small_export.7z Should be resulted in: [image: 1760763171045-f75dffbe-bbb2-4f11-87bb-4739d1928c76-image.png]
  • carp HA performance issue

    0 Votes
    3 Posts
    775 Views
    N
    @SteveITS I'm fully aware that a virtual IP doesn't have its own interface etc. It just BEHAVES as if it had one. Obviously, yes, CARP is operating correctly. [image: 1760670558061-ec557a82-5566-49bd-8e9e-87179c7ab9f7-image.png] [image: 1760670587951-4d4c2cc1-e78d-4ba9-af33-9753c8c19cae-image.png]
  • CARP Double Master (Previously 100% Stable Setup)

    0 Votes
    1 Posts
    313 Views
    No one has replied
  • Setup issue with CARP VIP

    0 Votes
    4 Posts
    729 Views
    A
    @chiefsfan Can you post the config for the carp? Anything so someone else can verify all looks correct.
  • Limit HA/CARP notifications

    0 Votes
    1 Posts
    304 Views
    No one has replied
  • HA sync - `admin` user doesn't sync

    0 Votes
    3 Posts
    712 Views
    N
    @patient0 lmao yea I forgot to check the box thanks. As for the original post "User privileges ( admin group ) don't sync" issue. I went and tested again on the latest pfsense plus 25.07.1-RELEASE and the issue is resolved. The issue wasn't happening on CE and I tested to confirm that it's not happening on 2.8.1 so all good here.
  • DNS resolution barely works on backup node

    0 Votes
    16 Posts
    3k Views
    B
    So I'm back where I started following https://forum.netgate.com/topic/149472/solved-remote-dns-not-working-over-ipsec As WAN is not selected primary works, internal and external dns is reliable Secondary is slow on the webinterface and has basically no DNS nslookup google.de ;; communications error to 127.0.0.1#53: timed out ;; Got SERVFAIL reply from 127.0.0.1, trying next server ;; communications error to ::1#53: connection refused ;; communications error to ::1#53: connection refused ;; no servers could be reached So the secondary firewall is basically not listening to dns requests at all. As I removed now all DNS server on general settings to only use the root servers. (Identical behaviour for snmp monitoring, only the primary firewall can be monitored.)
  • Outbound NAT rule to CARP VIP Issue

    0 Votes
    2 Posts
    980 Views
    patient0
    @wmw509 what did you set as the 'Address' in the 'Translation' section, the WAN CARP VIP? Did you set up HA on WAN and LAN? Can you post the relevant infos, like IPs/Subnets used for WAN and LAN, pfSense Version used, hardware or VMs, how is WAN getting the IP?
  • Best way to set up and maintain a cold spare for pfSense 2.8.0 CE

    0 Votes
    6 Posts
    4k Views
    P
    @girkers said in Best way to set up and maintain a cold spare for pfSense 2.8.0 CE: How do others handle maintaining a cold spare so it’s ready to go at short notice? On my cold spare I load the current version of pfsense (and maintain it in the current series so configuration import is compatible). Load the configuration from the main unit. Most easily done via the GUI so interface reassignment can be easily seen. This is done both so plug and play will probably work but also as a dry run in case a newer configuration has to be loaded in a hurry. Back up the main unit's configuration to a location accessible without a functioning pfsense router (to enable use during an emergency restore). I actually use my cold spare for other things when not needed as a router by running pfsense under Proxmox, but configuring dual boot would achieve similar functionality.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.