• Gateway auto reconnect

    0 Votes
    4 Posts
    1k Views
    @gpfsenser I've also added a 'gateway group' to see if this helps - seems to be a requirement to the fix. Even if it works, this certainly falls into the 'super ugly' category. Appreciate the quick reply. Everyone is using their home internet more than they ever expected - a good opportunity I hope for pfsense to polish off some of the rough edges.
  • High TCP Retransmits to HA Slave

    0 Votes
    6 Posts
    1k Views
    @mecjay12 This solution only works for the secondary, but you are still not able to access the primary when the secondary is the master and runs the OpenVPN server. What I suggested works for both.
  • IPv6 DHCP not syncing to HA pfSense

    0 Votes
    1 Posts
    425 Views
    No one has replied
  • Sync secondary to primary firewall?

    0 Votes
    7 Posts
    1k Views
    @jegr Correct, it appears that pfsync/state sync was configured originally but they missed out the config sync. After that, all changes/additions were made on the secondary firewall for some reason. Looking at it today, there are 5 virtual IPs/CARP IPs setup already but the secondary firewall has been put into "Persistent CARP Maintenance Mode" at some point too.
  • Problem with CARP demotion status

    0 Votes
    2 Posts
    596 Views
    No one has replied
  • Quick question

    0 Votes
    3 Posts
    898 Views
    @xlameee Whether the gateway is up depends on the setup. If each box has an IP within the gateway subnet it should be up, though. However, it has to be up on the box which has the master rule at all.
  • BGP with CARP and two ISP

    0 Votes
    2 Posts
    1k Views
    @smith-0 said in BGP with CARP and two ISP: With this setting I have one feed to each ISP and I don’t have to wait for BGP rebuild in case of failure of one PFSense. Should read: With this setting I have two feeds from both PFSense to the ISP and I don’t have to wait for BGP rebuild in case of failure of one PFSense.
  • CARP makes OpenBGPD to ignore 'set nexthop X' configured parameter.

    0 Votes
    3 Posts
    1k Views
    Hello, I'm experiencing the same config and difficulties. Two PFsense (2.4.5p1) with CARP and two ISPs. Have to announce a network, with the "set nexthop" to the external CARP IP. But is it correct with openbgp to have the same network announced twice but with a different set nexthop? E.g. (with RFC 1918 addresses): 10.10.10.0/24 set nexthop 192.168.1.1 / 10.10.10.0/24 set nexthop 172.16.1.1 (or here https://forum.netgate.com/topic/51849/openbgp-with-carp-nexthop-carp-ip-carp ). Or will openbgp drop the second network announce? Thanks.
  • Issue with CARP sync status

    0 Votes
    1 Posts
    518 Views
    No one has replied
  • NAT Mapping for local address

    0 Votes
    3 Posts
    951 Views
    Alright man ofc that makes perfect sense. Many thanks for your reply.
  • HA+CARP for pfSense on VMware ESXi and promiscuous mode issue

    0 Votes
    9 Posts
    4k Views
    @kom I'm using VMware ESXi v.7 (latest update). I really don't understand why I'm experiencing this strange behaviour. Maybe the problem is related to the pfSense version I'm using (the latest one, v.2.5.2 community edition). I think that promiscuous mode should detect neighbours' traffic, maybe it's normal. But something is wrong in pfSense that shows neighbours' traffic also in STATUS->TRAFFIC GRAPH->WAN using the LOCAL filter. Anyway, thank you for the time you spent for me.
  • Connect from CARP member to LAN device

    0 Votes
    6 Posts
    1k Views
    @jokabo So you had just to add it as type IP alias on the master, select the proper CARP address at interface, otherwise it doesn’t failover properly.
  • CARP Setup on ESXi - IP/Mac ISP binding max of 3 Macs

    0 Votes
    2 Posts
    878 Views
    @ultrahkr the vSwitch shouldn't matter as it's not getting an IP; the ISP won't see it. What you need to do is set static MACs on the VMs, but unfortunately you cannot do that on the CARP. So, you may have to rely on DNSRR for external items coming in, if that is the concern.
  • Azure HA deployment

    0 Votes
    1 Posts
    501 Views
    No one has replied
  • separate gateway / public IP range for WAN VIP vs host IP

    0 Votes
    1 Posts
    388 Views
    No one has replied
  • Feature no preempt in CARP

    0 Votes
    1 Posts
    349 Views
    No one has replied
  • CARP multi-master, splitting multi-IP WAN traffic

    0 Votes
    4 Posts
    925 Views
    @pfsenseuser1234 Why three? There's simply too much traffic for one (over 50k requests/minute, over 2Gbps of upload). Two is enough for now, the third one is just to be safe. No problem with that :) I'm guessing pfSense can handle 50k req/min for now and I would be fine with a simple active-standby approach. But what if I go to 100k by the end of the year? Or 150k. I'll probably hit some limit sooner or later. That's why I'm thinking about a multi-master configuration. I can understand the thought, but pfSense simply can't work in an active-active constellation. *Not only volumetric DDoS (>10Gbps to kill one VM), but also SYN floods, DNS amplifications, slow HTTP requests… I get them all. OK, you could get various DDoS but the goal of all is clear: denial of service via massive flooding. Be it SYN, be it DNS, be it slow HTTPS. You can filter out some, but at the end your own firewall will give up or your upstream pipe is full. DDoS mitigation is nothing you can do on your end/site in a meaningful way. Yes, you can somehow slow the process and try to mitigate the hit, but with enough firepower / distribution you'll get nuked nonetheless. So if you get hit on a continuous fashion the only really helpful thing is bringing a CDN into play and (actually) trying to hide the real endpoint addresses so they don't actually leak out (or the attacker will just ignore the CDN and hit the IP). That's the point where Cloudflare, Akamai or Stackpath etc. come into play. Other than bringing a CDN into play and balancing your three proxies out for traffic reasons, I don't see a quick/simple way to bump that up further. But perhaps someone else can chime in. Cheers
  • minor bug: rule description not completely sync'ed to 2nd CARP node

    0 Votes
    1 Posts
    422 Views
    No one has replied
  • Prometheus node_exporter does not serve on VIP

    0 Votes
    1 Posts
    391 Views
    No one has replied
  • Updates when using a single WAN VIP, and a option to fix it?

    0 Votes
    16 Posts
    2k Views
    @kom I run a ton of personal stuff at home as well, mainly CCTV and file servers, so for me it's way more cost effective to run the game servers on the hardware I already have (if I was making money from this then yes, I'd put the money back into a VPS). Also some of the game servers I run take a bit of grunt to run, so running on my own hardware is much cheaper.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.