@rivest1000 That should be fine. Sounds like you need to simultaneously capture an interesting connection on all three inside interfaces and see what there is to see. Sorry but it's something unique to your environment based on what I have so far. Are the missing FIN/SYN packets being sent to the primary while the secondary is MASTER? You're POSITIVE the zabbix hosts have the correct default gateways for the necessary traffic?

@rivest1000 Need a better description of exactly what you are saying. You should also probably start a new thread. It doesn't sound like you are talking about the well-known need to NAT from the primary when talking to the secondary over a VPN.

@piba Thanks for the reply! I will try the suggestion for Letsencrypt The Apache2 server has been configured to capture the X-Forward-For in the log file but only the gateway IP address is donut in the log file. I think it has to do with the SSL part...

@noplan yes its set for another port. My thoughts regarding this issue I have other https Server running on the other public IP's - so could it be something in this ( Allthough the DNS just point to a IP ) but it'll look like some of those settings are conflicting or something. The internal Proxy are running great and like the view of the green certificate

Flushing the State Table solved this.

@Piba So the actually solution was stopping HAproxy - issuing the missing certificates - and the create the frontends - and start the HAproxy again So the prxy answering for both insa.dk and www.insa.dk Thanks for the replys and solutions

Please describe your issue in sufficient detail.

I did select this option but all it did was prevent IMAP clients from connecting to the back-end. Could SSL on the back-end cause this?

@viragomann Thank you anyway for your help. This allowed me to identify the problem and better diagnose a routing problem. For my part, I carried out some test and I saw the change. In the routing table, without a gateway, the "use" column remains at 0. When I put the Proxmox gateway, some traffic seems to be detecting. I think it's a routing or NAT problem. Gateway : [image: 1606126325306-gw.png] Route : [image: 1606126349085-route-ok.png] According to this tutorial (in French), it should however work. The only difference is, potentially, the / 32 mask. https://voiprovider.wordpress.com/2017/03/26/la-ha-avec-pfsense-et-1-seule-ip-wan/ I will probably create another post in the "routing" category with a link to this post.

This time I was very careful to remove the carp setting from openbgpd and to only edit the (raw) config through Services -> OpenBGPD -> Raw config (tab) on each box. It doesn't seem to have been interfered with by CARP or the other box this time round. This seems to work though I've yet to do a failover test.

It's not that you need NAT for IPv6, it's that without these specific rules, traffic bound to ::1 as a source could never leave the firewall.

that looks like solution. Thank you for the quick response

DHCP Relay HA sync is not supported for now, but you can create a feature request for that: https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html

thank you very much, it's more clear now