No. Each node in an HA cluster needs to have the same set of WANs, you can't fail over for a gateway event.

@rico Thank you very much

0_1552590318279_dump.pcap

Set persistent CARP maintenance mode on the primary.

Status > CARP.

If you ALWAYS want the primary to boot into maintenance mode there is no supported way to do this, but you can install the shellcmd package and sort of force it.

You could install the Shell Command package (Will be in Services > Shellcmd after installation) and try to run this as a shellcmd.

/usr/local/sbin/pfSsh.php playback enablecarpmaint

Note that this will not discriminate as to the reason for the restart. Every time the system boots, it will set CARP Maintenance Mode.

You can fail back using the Leave Persistent CARP Maintenance Mode button in Status > CARP.

This is not really supported but might be a reasonable workaround for the issue you are describing.

Please let us know if this has the desired effect. I tested on 2.4.4-p2.

0_1552088536717_966800f6-15ee-44ad-81fc-726d447af955-image.png

Nice!
The ee editor is built in but if familiar with nano no reason not to install it. Also there's vi.....

Steve

Why would you not just resolve abc.def.com to 192.168.1.50 in the first place for devices behind pfsense...

I did the packet capture like you suggested, and I saw DNS requests coming over the VPN tunnel but nothing that was destined for the Internet. That got me thinking, so I checked my default route while connected to the VPN. Sure enough, the default route was to the local network gateway (instead of the VPN connection). I dug through my VPN settings a little and found that the "Use default gateway on remote network" wasn't checked. Checked that box, reconnected, and now it works!

@Derelict thank you for your help! ^_^ I was banging my head against a wall trying to figure this out lol

Documenting my solution:

Go to the interface settings for the VPN interface Go to the Networking tab and open IPv4 properties Open the Advanced window and check the "Use default gateway on remote network"

Hi Derelict.

Was able to get this setup. Worked a treat, easy as! Thanks for your help

Cheers
Mitch.

Well it is going to need at least a sync cable to sync over.

You might also want to disable XMLRPC sync on the restored primary until you are ready to do that too. Or ifnore that error.

If it is supposed to be syncing and cannot, you'll have to work out why there is no connectivity between the two.

Well that was it ! Thanks a lot for the help !

@capitanblack Would you be able to share the python script? Would be super helpful. I am encountering the same issue with OVH IP failover.

Understood
Thanks for taking time to respond.

@derelict
nope, the only warning which i got was one of the pfblockerng package. There was a faulty url in one ASN rule i have installed for another purpose...

The number of CARP VIPs and the number of interfaces are completely unrelated problems, but thanks for the note.

Sounds like whatever is between those two nodes on those interfaces is not passing the CARP advertisements properly.

Apologize for that. I have seen so many examples of setting up carp with VM's it didn't cross my mind about promiscuous mode.

Hey @jimp, thanks for your answer!

In the secondary I'm injecting what I believe are the only required (counterpart/secondary) HA settings:

0_1549965184651_Screenshot 2019-02-12 at 10.51.54.png

Are these sufficient? The only changes I can see after hitting sync on the webUI are:

Replacing the bcrypt-hashes for those in the master. This might be important? Removing ipsec, aliases, wol and openvpn, empty fields. Adding all the vips as they're defined in the master.

Also tried rebooting them both (it's actually one of the steps I defined for the deploy process to catch up with the synthetic config) but no luck.

However, as you point out, running rc.filter_synchronize did work for me - I can just include it as an additional action over SSH for the master node. Nice! Was looking for something just like that.