• How do i trigger CARP on LAN? When having P2P WAN connection?

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • HA SYNC Works only Once

    3
    0 Votes
    3 Posts
    957 Views
    D
    @viragomann Your suggested settings worked perfectly for my setup, thank you
  • XMLRPC to several hosts.

    4
    1 Votes
    4 Posts
    1k Views
    T
    I would like to have more than one XMLRPC destination as well to sync firewall rules and aliases to all my nodes. A daisy chain as expected here is not a reliable solution. Many Packages (e.g. pfblocker) already allow to sync to multiple hosts so I guess the limitation is only the GUI.
  • SyncNic Failing with Error 32602

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
    @lionelmarais said in SyncNic Failing with Error 32602: I was able to sync the image with the same version That is good to hear.. what gets done and reported is two totally different scenarios lol To be honest, sadly I don't think that is something limited to any specific part of the world or agency hehahehe
  • DHCP Server given as interface IP, not CARP VIP??!!

    1
    0 Votes
    1 Posts
    612 Views
    No one has replied
  • DHCPv6 does not sync

    3
    1 Votes
    3 Posts
    1k Views
    I
    @im-thatoneguy https://youtu.be/VnBnnh81G7w?t=3915 Not supported. Use SLAAC or two separate pools
  • Hardware Upgrade Advice

    Moved
    1
    0 Votes
    1 Posts
    601 Views
    No one has replied
  • Setup for OpenVPN on High Availability

    3
    0 Votes
    3 Posts
    929 Views
    K
    @viragomann Thank you very much, that did the trick!
  • I have two WAN IPs in CARP and one stops working for me

    3
    0 Votes
    3 Posts
    958 Views
    S
    @erode Can you put Suricata on LAN instead? That will 1) avoid scanning any packets that would normally be blocked by the firewall anyway, and 2) show the LAN IP of devices for the alerts.
  • Secondary router in HA setup web GUI unresponsive

    9
    0 Votes
    9 Posts
    2k Views
    B
    @netblues said in Secondary router in HA setup web GUI unresponsive: @bp81 said in [Secondary router in HA setup web GUI unresponsive] , or I will devise a way to harden web gui access from within the authenticated user vlan to only authorized machines. I am also considering setting up the Azure MFA extensions for NPS and just protect the web gui login with RADIUS that is itself backed by AD authentication and multifactor authentication via Authenticator app. That's not my first choice because an internet outage could lock me out of my web gui. (/post/1014732): You can always disable the antilockout rule for authenticated users lan and just allow authorised ip's A good password on top is probably all you need. AD authentication opens up another attack surface too. as for 2fa, its a very bad idea for the exact reasons you just mentioned. Now, since ip's can be changed, mac's can be spoofed how much security is enough security for you.? You could also utilise a jump-host where you could ssh and portforward remote ports when needed, or use windows and rdp to the device first, and then login to pf. This is probably a topic for another thread. We have good wifi security (RADIUS backed authentication) and pretty good physical security (ie, no one is walking in and plugging in a laptop to an open network port). We have the guest VLANs blocked for any traffic to the web gui as well. So is this good enough? Probably, for the moment. Over the years our security efforts have been focused towards external threats, but the company is getting large enough now I have to start thinking about internal actors as well. This is a conversation I'd like to have on this particular issue, because I have to start somewhere, but it's probably best to go into its own topic.
  • CARP IP - Both nodes show as Master

    4
    0 Votes
    4 Posts
    1k Views
    K
    @netblues Hey netblues, thank you very much, after carefully scrolling through the VLAN config on the switch, it appears that I did not commit my settings, after rebooting both the switch and netgates, the issue disappeared. kind regards kkit
  • CARP/HA Multi WAN redirect each IP to LAN IP

    5
    0 Votes
    5 Posts
    1k Views
    V
    @joezyz said in CARP/HA Multi WAN redirect each IP to LAN IP: That is exactly how I have it set up right now, and it is not forwarding. What? Port forwarding or 1:1? Should the Virtual IP be a CARP, IP Alias, Proxy ARP, or Other? I currently have it as CARP. Both CARP and IP Alias can be used. It's not necessary to add all your public IPs as CARP, since this type generates some overhead network traffic. You need at least one CARP IP, the others can be added as IP Alias and hook up on the CARP IP. Did you also add a firewall rule to allow the access? In port forwarding rules you can set associated filter rules or simply "pass" to allow the access. When using 1:1 you have to configure rules by yourself. Is pfSense the default gateway on the device you've forwarded traffic? Maybe you can post screenshots so we can verify the settings.
  • creating a vlan causes pfsense to go down

    1
    0 Votes
    1 Posts
    646 Views
    No one has replied
  • Outbound NAT or Gateway Group/Virtual IP setting?

    1
    0 Votes
    1 Posts
    622 Views
    No one has replied
  • Setup HA (CARP) with Multiple LANs. Multiple L2 Switches?

    3
    0 Votes
    3 Posts
    1k Views
    M
    @hpa_support Better to use two managed L2 switches with VLANs. Then you only need 2 switches for as many VLANs as you need. A basic setup is something like: 2 x pfSense devices (i.e. CARP MASTER and BACKUP) 2 x Managed L2 switches Plan VLANs and configure on pfSense, i.e. VLAN 10 - WAN1 (provider 1) VLAN 11 - WAN2 (provider 2) VLAN 20 - LAN VLAN 30 - Phones etc Run 1 cable from each of the pfSense devices to each switch (2 cables leaving each pfSense device, 4 cables in total). Configure as trunk ports on the switch so pfSense can pass traffic for any VLAN. Cross connect the two pfSense devices on another network port to handle pfsync. Now configure VLANs on pfSense on those interfaces, pfsync on the cross-connected port, you can have as many VLANs as you need (WAN, LAN, DMZ, phone, etc) without extra switches or cables now. You will want to cross-connect (or stack) the L2 switches between each other (configure as trunk ports) so they can pass the CARP heartbeat as well as any other VLAN traffic across switches. Consider enabling spanning tree on the switches to save yourself some frustration if you accidentally create a loop.
  • Haproxy down after updating SSL

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    @cjbujold providing the details of what exactly was the problem and how you solved it could help someone in the same boat in the future.
  • Urgent help - HA with multi wan on SG-2100

    5
    0 Votes
    5 Posts
    1k Views
    V
    @pfsense2090 Basically you need at least 3 IPs for CARP in each network. One for each box and one CARP VIP. So you should have 3 public IPs on each WAN for proper functionality. Though it is possible to set it up with a single public IP and use private IPs on the boxes, it might be tricky and have disadvantages. What is your DSL WAN, a PPP or DHCP? Both are not compatible with CARP. So you probably have to use another router on this line.
  • HAproxy: how to use backend with specific path+port?

    2
    0 Votes
    2 Posts
    947 Views
    M
    I managed to get redirects working but it redirects to private service address which is obviously not accessible from outside
  • HA fails over on LAN failure, not on WAN failure

    1
    0 Votes
    1 Posts
    636 Views
    No one has replied
  • HA Sync Errors and Documentation Unclear

    1
    0 Votes
    1 Posts
    818 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.