  • [solved] HAproxy ssl offloading only for internal Lan

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ
    It was much better before browsers started lowering the life of the cert.. You could set the cert to be good for 10 years or something and never have to worry about it again.. Now they want to have longest life of 398 days - uggghhhh.. Glad all my certs grandfathered in, hehehe And good for the 10 some years ;)
  • Can pfsense run a php command when VIP failover ?

    3
    0 Votes
    3 Posts
    487 Views
    jimpJ
    Look at /etc/rc.carpbackup and /etc/rc.carpmaster which get run when a VIP transitions to the state matching the name of the script.
  • Using HAproxy but Apache still handing out the self-signed cert

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • 0 Votes
    3 Posts
    476 Views
    K
    Hi! I still very much have the same problem, is there anything I can provide to help get it fixed? Can anyone confirm/infirm what the following errors would cause, is my problem consistent with it?

        Mar 31 15:58:04 check_reload_status rc.newwanip starting pppoe0
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface WAN [wan].
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: on (IP address: ddd.eee.fff.ggg) (interface: WAN[wan]) (real interface: pppoe0).
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.200'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.201'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet ' aaa.bbb.ccc.202'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.203'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.204'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.205'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.206'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.207'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
        Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface wan
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Creating rrd update script
        Mar 31 15:58:23 php-fpm 30436 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - ddd.eee.fff.ggg -> ddd.eee.fff.ggg - Restarting packages.

    It looks like every server which has a virtual IP has an issue of some kind after my Internet connection is reestablished.. There is a ticket open about this but it has not received any love in 2 years... See: https://redmine.pfsense.org/issues/8413 Thank you and have a nice day, Nick
  • How can I tell if states are syncing correctly?

    2
    0 Votes
    2 Posts
    379 Views
    J
    Hooray! I got it working. Listening to music over VPN, through RDP, you only hear the sound cut out for maybe 0.5 seconds after a failover now. Was just an issue with the way I was testing my Public IP's offline. (Spoofing them internally + double nat lol)
  • Using HAproxy on a CARP/HA firewall cluster?

    2
    0 Votes
    2 Posts
    2k Views
    P
    @pete-s It works. You can choose to monitor a carp-interface, in which case haproxy will only run on the node that is 'master'.. Otherwise it will run on both, and perform health-checks from both. If you have stick-tables you want to keep synced you'll need to have it running on both nodes, and the sync configuration could be a bit tricky (not really supported in the webgui though with some manual advanced texts there is almost nothing that's impossible ;) ..), Anyhow if you are only requiring that haproxy runs with the same config on both nodes that should be easy.. Just make sure to enable the 'config sync' checkbox only on the master node. p.s. in any case, all active connections will 'break'.. and need to be re-established when a failover happens.. it won't transfer the tcp-connection-states
  • Pfsense CARP switch without reason from MASTER/BACKUP randomly

    8
    0 Votes
    8 Posts
    1k Views
    B
    @jimp @bbrendon hello guys, I have this issue!! Do you have any suggestions?? Exactly how you describe it... in the middle of the night, random hours, can happen also with low traffic and no traffic. How do you fix that?
  • HA back and forth prio levels change backup does not remain master...

    2
    0 Votes
    2 Posts
    368 Views
    V
    Interesting,

        00:00:00.294065 IP xx.xx.xx.19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 5s, length 36
        00:00:00.715554 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36

    If I change the frequency, looks like the daemon stays alive and starts a new one and I see the old and new times, so maybe a prio0 stays broadcasting also during a failover?

        00:00:00.574783 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 240, authtype none, intvl 1s, length 36
        00:00:01.965796 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 240, authtype none, intvl 1s, length 36
        00:00:01.363018 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36
        00:00:00.583826 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 240, authtype none, intvl 1s, length 36
        00:00:00.283089 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36
        00:00:00.845702 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, authtype none, intvl 1s, length 36
        00:00:00.827872 IP xx.xx.xx..19 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 240, authtype none, intvl 1s, length 36

    That's what it's doing, so the backup is not responding... (this is when maintenance mode is clicked)
  • HA LAN interface into Layer 3 switch - InterVLAN Routing

    1
    0 Votes
    1 Posts
    287 Views
    No one has replied
  • CARP with single PPPoE - Make internet working from the slave node

    3
    0 Votes
    3 Posts
    481 Views
    G
    It survived also the CARP Maintenance and the upgrade of both units, without the Port Forward NAT. The only issue is that in this way OpenVPN Client (to a VPN Service) bound to WAN interface will start on both nodes because both will have connectivity. Solution is to bind to a real CARP VIP like LAN and it correctly starts only on the node where LAN is MASTER.
  • openvpn client failover ... fails

    1
    0 Votes
    1 Posts
    302 Views
    No one has replied
  • 0 Votes
    1 Posts
    208 Views
    No one has replied
  • HA Setup with 1 WAN IP and port forward to FTP Server [SOLVED]

    10
    0 Votes
    10 Posts
    1k Views
    B
    Admin, please close this thread. Minimum 3 IPs for CARP. Thanks everyone for support.
  • Packet loss when pinging Carp vip

    3
    0 Votes
    3 Posts
    619 Views
    O
    I have just realized that I had the mtu set to 9000 everywhere except on the routers. Setting it to 9000 on the routers solved the problem...
  • pfSense Setup with 250+ CARP VIPs

    9
    0 Votes
    9 Posts
    1k Views
    DerelictD
    I'd get an ISP that is willing to do things right. Just sayin'. I'd pcap and see exactly what's happening. Maybe they have something silly like an inability to ARP for more than X IP addresses per MAC address or something. It is almost certainly NOT the pfSense software.
  • DHCP Server wrong IP CARP

    4
    0 Votes
    4 Posts
    606 Views
    T
    @jimp said in DHCP Server wrong IP CARP: On the primary, add the secondary interface address in each active DHCP server tab. Yup, did that! Thanks both of you - I didn't realize it was supposed to be that way, and although I've read the HA docs a number of times I guess I missed the part where DHCP server address would show as the actual IP of the box, not the VIP. Thank you! Cheers Tiwing
  • Impossible to encode value '' from type 'NULL'

    2
    0 Votes
    2 Posts
    397 Views
    T
    OK forget it. I was messing around and disabled, then re-enabled guest interface on both primary and secondary and problem is now gone. I can't explain why, but ..... woohooo! mods, you can close or outright delete this thread! cheers
  • Help with script for single DHCP WAN IP in HA pair

    1
    0 Votes
    1 Posts
    339 Views
    No one has replied
  • CARP/HA with keepalived in the network!

    5
    0 Votes
    5 Posts
    1k Views
    P
    We are having L3 switches and I can't find anything about that... I'm thinking more and more that our pfSense appliance is having a hard time with the traffic!
  • Interface LAN stay master

    15
    0 Votes
    15 Posts
    2k Views
    Y
    Thank you, I'm going to look at all this documentation and I'll come back to tell you the solution to the problem or more specific questions for more specific help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.