Solution: I connected the two PFS with a virtual Switch (VXLAN+IPSEC). For this i had to lower the MTU to 1360. Unfortunatelly the Adapter in PFSense was set to 1500 and not appling for the new MTU. Setting down the MTU (in my case to 1360) manually in the SYNC-Interface-Options solved the problem.

@Snailkhan Have never seen that. Only one is Master? You’re NATting to the shared LAN IP? What is that for?

@Snailkhan Ensure that all interface pairs can communicate with the respective other node.

@Snailkhan By default the primary interface IP is used for communication with other devices. If you want pfSense to use the CARP VIP you have to add an outbound NAT rule to LAN or the respective interface and set the CARP VIP as translation address. However, don't do this for any traffic! It would lead into issues with services running on both nodes, e.g. DHCP. So limit the destination (IP and port) to the domain controller or whatever you need it for.

@SteveITS I would prefer not to add more gear for now, since this is temporary until I have two pfSense units and CARP. Maybe I'll just have both connected, but configure the 2nd one in case of longer downtime then.

i have the exact set up but not able to sync

@louis2 I think separate back-ends for IPV4 and IPV6 are not necessary not even a good idea since the proxy has two completely isolated connections. One to the front end, one to the server. So I decided to handle all server related connections via IPV4 since local IPV4 can not be reached from the internet. That action already reduced the number of backends by a factor two

@louis2 I worked around the problem by defining the mail-server addresses in my local DNS and using those names in the GUI. Never the less it is definitively not OK Also note that I had the problem back when switching the health check on (to basic). Even more obscure switching the problem did persist when switching the health check off again. No idea how the check should be done since there is no proper field to define the health check port number.

Up

from wan2, i can ping common website when the both wan are connected. But when wan1 is disconnected, everything is very slow and i can't ping anything : [image: 1729167097512-screenshot-2024-10-17-140902.png]

@accidentallyadmin pfSense can only translate the source address to the stated IP. Maybe your ISP does an additional translation, but this is unusual if you have a public IP already. You can verify the function of your outbound NAT rule by sniffing the traffic on WAN (Diagnostic > Packet Capture). The outbound NAT rule is the last in the pipe, before packets leave the firewall. See Firewall/NAT Processing Order Example for details.