I think I may have found the issue. Both device their selves were in the NAT range tied to the single VIP. I believe the secondary box was communicating out, but any reply went back to the primary box. I found a NAT setting to map "This Firewall" to it's WAN interface address and not the VIP. That seems to have worked on both devices. I did have our upstream provider NAT all to the same public IP: VIP x.x.x.1 Device 1 x.x.x.2 Device 2 x.x.x.3 Thank you all for the help!

what is your point ? my carp setup does work. i have multiple machines in each vlan. no problem there. i can shutdown either firewall and unplug any cable without producing a mess. i had disabled pfsync in some previous tests which is why using the carp address as the gateway is required. am i expected to configure a LAN interface as the first interface and use the LAN address as the failover peer for each of the dhcp server instances ? this would be meaningful indeed. but in that case, it may be worth to drop a line in the documentation and there is little to no point in setting the same address for each dhcp instance.

@netblues Yeah you were on the money. Bound the OpenVPN client service to the CARP WAN VIP and failover/failback operates perfectly - as does all everything else. Perfect, thank you :) (better check my settings more thoroughly next time ;) )

I just updated my test vms to 2.4.4-RELEASE-p1 and from what I can tell the issue has been fixed! I now get the client-hostname on the master and the backup

Hi jimp, Thanks for this. This stopped me making a big mistake (not adding new switches to the purchase list) and potentially wasting hours trying to work out why CARP wasn't working. It will also save me the hassle of arranging with Virgin for an upgrade we don't need. I do actually now remember reading in the pfsense book that the switches must be checked for multicast support. However, the text didn't properly register until your reply. Thanks again for your help and patience.

@everyonelovescheese : Thanks for updating the thread with your final outcome i.e. getting new IPs. It helped me by closing the subject down at my end as not currently viable and allowing me to move on.

Thanks, this was the trick!

i've solved the problem. its very similar to bridge behavior i encountered in another installation. I only have vlans defined for my LAGG. once i created another interface that would be untagged on the LAGG, it picked up my native vlan as expected. all of the VIPs for the tagged interfaces started working. so just for my own curiosity i deleted the native interface i crated and rebooted. everything still works. all in all i must have just jiggled the handle

No idea you are obfuscating too much to see what you're actually doing.

If the switch is not learning CARP VIPs from the CARP advertisements it is probably some sort of multicast "feature" on the switch. If the switch is receiving traffic from that MAC address it needs to: Remove that MAC address from all other ports Add the MAC address to the port it was received on If that is not happening, it's a problem with the switch.

That (now-deleted) reply was totally to the wrong thread. Sorry. Well, right, you should not have a /25 on your WAN interface. You should have a much smaller subnet there and the /25 should be routed to you. If that was the case, as strange as it sounds, .0 and .127 would be valid NAT addresses. In order to use something other than round robin you must use type subnet. If you can use round robin, just define a host alias using a range and NAT to that.

The backup needs to make requests to do things like check for updates.

I think the XMLRPCSync is working, there are no errors. All changes are visible in the ipsec user interface of the second node and if I make a "diff" of the configuration-backup XML of both nodes... all ipsec changes are included in the configuration of the second node. There must be an additional step after the XMLRPCSync which transfers the changes to "/var/etc/ipsec/ipsec.conf" and that fails or is not executed... Because after a reboot the file is "in-sync" with the configuration. Is it possible to change the debuglevel somewhere or add log output to the php source code?

Going to have to slow down and take things one at a time. When you put your primary WAN interface on one address, your secondary WAN interface on another, and your CARP VIP on the third, is the Primary the CARP MASTER, and the Secondary the CARP BACKUP? You can packet capture on your WAN to see if anyone else is using CARP/VRRP. That's pretty much the only way to know.