• HA Slave Slow WebUI

    1
    0 Votes
    1 Posts
    431 Views
    No one has replied
  • Secondary router not passing traffic

    2
    0 Votes
    2 Posts
    232 Views
    Is "Synchronize states" checked on both routers in System/HA Sync? Not having states synced would block existing connections but new connections should work. Possibly something upstream isn't liking the IP changes? Did you look at https://docs.netgate.com/pfsense/en/latest/book/highavailability/high-availability-troubleshooting.html#other-switch-and-layer-2-issues
  • Multi-wan HAProxy redirect

    1
    4
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • Can HAProxy pass OpenVPN

    8
    0 Votes
    8 Posts
    3k Views
    @johnpoz said in Can HAProxy pass OpenVPN: Well for haproxy to pass it on it would have to meet your acls... So say some random guy hit your IP. Unless he was calling for your exact fqdn say host.domain.tld ha proxy would not pass it on to your server. Or whatever other acls you setup on haproxy. Thanks @johnpoz ... Do you know if HAProxy returns an error like a 401/403 or if it just drops/rejects the connection?
  • Questions about CARP setup

    11
    0 Votes
    11 Posts
    793 Views
    maverickws
    Hi @teamits hehe well actually I do because the SYNC network also has a few other clients behind it that require the VIP such as LAN. Basically as I mentioned on the above posts, I chose an already existing network for SYNC that has two other clients beside the pfSense machines. This is a secured network and these are administration machines with restricted access and little traffic. The documentation recommends a separate network, as I see it, for two factors: network availability and load privacy and security (as passwords aren't really encrypted). Since the chosen network complies with these requirements, it is a very restricted network with very low traffic, this network was used and hence the interface used for sync has a CARP VIP. Anyway, all configurations: HA, Interfaces and DHCP server etc have the peer IP directly where it belongs, not the CARP VIP. I expect this interface to work like the other interfaces (LAN/DMZ/DATA) etc.
  • Switch Carp MASTER to BACKUP via terminal

    8
    0 Votes
    8 Posts
    2k Views
    Derelict
    It does not matter what interface you are connected to when you issue that command. It demotes all CARP VIPs on that node to advskew 254. If you run that (or use enter CARP Maintenance mode in Status > CARP - which does the same thing) and you still see MASTER VIPs on that node, your HA is not properly-configured in the first place. Are all of your CARP VIPs MASTER/BACKUP before you try to put the master into maintenance mode?
  • Can't access Backup router after HA/CARP enabled

    4
    5
    0 Votes
    4 Posts
    667 Views
    Today I had an idea. I disabled the firewall with pfctl -d on the second device. Access was possible again. After syncing the config from the first to the second pfsense, I enabled the firewall again with pfctl -e. You might want to reboot your device at this point. Now it works again. I must have messed up something with the firewall rules, and it was applied to the second pfsense, and then I was locked out as well as my first firewall from the gui. I have no other explanation for my situation. You can follow the guide from the docs (found that later): https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html#disable-the-firewall also check, what @jgraham5481 said in Can't access Backup router after HA/CARP enabled: Those carp addresses should be the same subnet mask as the network they live on, ie: should be /24 if the interfaces on the master and slave firewalls are /24/
  • pfsense CARP/HA not working

    10
    0 Votes
    10 Posts
    2k Views
    Thanks @netblues I worked out what my issue was, I made a rookie mistake when creating the VLANs on the secondary pfsense machine. The VLAN subnet should have been 192.168.150.2, but I assigned 192.168.150.1 which meant .1 was duplicated twice on the network. Once that was corrected, everything works fine now.
  • Remove a CARP/HA

    1
    0 Votes
    1 Posts
    225 Views
    No one has replied
  • HAProxy domains with specific path

    1
    0 Votes
    1 Posts
    175 Views
    No one has replied
  • Monitoring backup member of HA cluster

    2
    0 Votes
    2 Posts
    408 Views
    @jgraham5481 https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html
  • HA Config Sync Status

    3
    0 Votes
    3 Posts
    523 Views
    True, but I need to "prove" that they are in sync for a 3rd party audit. So I need to show the current status of the sync.
  • CARP not working on VLAN but works fine on LAN

    6
    0 Votes
    6 Posts
    860 Views
    @benrichardson_insync So it is expected to have this behaviour. CARP interfaces must be on the same broadcast domain. The master sends regular advertisements to the backups. See here for more details about the mechanism https://www.netbsd.org/docs/guide/en/chap-carp.html
  • Mark gateway as down doesn't seem to work

    2
    0 Votes
    2 Posts
    412 Views
    "Flush all states when a gateway goes down" has to be off, otherwise states are killed even when a gateway reaches the high watermark, that has been set to down.
  • Secondary is not Syncing

    2
    0 Votes
    2 Posts
    364 Views
    What is the error message you received? Make sure nothing is broken at L2 level.
  • Problem with Virtual IP

    pfsense virtualip configuration carp failover
    10
    0 Votes
    10 Posts
    3k Views
    It can depend on the switch/router on the other end of the cable. For instance with Comcast routers often when replacing a router in an office (inside the Comcast router) I've found it's fastest to power off or reboot the Comcast router so it learns the IP has a new MAC. If you have the second router on, and are just plugging in cables, I would wonder if restarting the second router (or just leaving it off and powering it on) would help. But overall CARP set up properly works basically instantly so that would be preferred. https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html
  • HA for three or more devices

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • Secondary is not syncing.

    2
    0 Votes
    2 Posts
    387 Views
    Derelict
    Fix your sync configuration. The secondary needs to be configured to accept connections from the primary using the credentials defined. This might require a firewall rule on the sync interface to allow connections from the primary. Note that on successful sync this will be replaced by the rule on the primary so that rule has to pass the required traffic as well.
  • 0 Votes
    2 Posts
    356 Views
    jimp
    No, it isn't something we are currently considering.
  • Setting up a cluster after an Xfinity DPC3941B

    2
    0 Votes
    2 Posts
    350 Views
    I meant "before" the XFinity router, not after.