Was that the entire log message? That isn't the kind of message that would come up from a privilege.

That sounds more like maybe an issue writing to the disk.

Sure there aren't any other errors?

@nogbadthebad that's what I thought initially. Thanks for confirming that

Close.

ARP responses from the firewalls are always CARP VIP ISAT CARP MAC. But those reponses are sourced from the interface MAC address, not the CARP MAC. The CARP MAC address is included in the ARP ISAT response, not the frame itself.

What steers the traffic to the proper node that holds the CARP MASTER is the fact that the CARP advertisements are sourced from the CARP MAC address. This tells the switching layer what port to send the traffic to. No traffic ever gets sourced from the CARP MAC at layer 2 other than the CARP advertisements.

This is why most CARP problems come down to switching, not pfSense itself.

@awebster
okeyyy thank youu very much

Yes, relating to CARP, VLANs behaves like conventional network interfaces.
The VIP has to be a CARP VIP.

@derelict It is amazing now I can finally shut down my DELL R210 II and upgrade the memory and remove that 12 TB HDD from there without down time, witch I was planing to do from a very long time

Thank you

Why would you want to run multiple layer 3 on the same layer 2? Its a Borked Config right out of the gate - are you in the middle of migration from that Huge /16 that makes zero sense to the more reasonable /24?

I found a work around rewriting the client dhclient.conf file, but this is not satisfying.
I guess we will have to externalize our DHCP service from PFsense, probably some dedicated isc dhcpd server with the capacity of understanding that a FQDN shouldn't get forwarded a duplicated domain name... :-(

@vigorfac said in High Avail. Sync broken:

Nov 7 12:40:18 php-fpm 51646 /status_logs_settings.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1510054818] unbound[90624:0] error: bind: address already in use [1510054818] unbound[90624:0] fatal error: could not open ports'

The above error sounds similar to this bug in pfSense, which was since resolved:
https://redmine.pfsense.org/issues/7326#note-2 (the code didn't wait long enough for unbound to stop before trying to start it again...in our case the master server was unaffected but the backup router would end up with unbound not running)

re: HA sync, we have "DNS Forwarder and DNS Resolver configurations" checked in our setup and have no sync issues. So I don't think that by itself is an issue.

Forget it, Jake. It's OVH.

Hey

The reason for the NAT is because its part of a DNS failover.
I got it working like this:
WAN1 IP: 1.2.3.4 NAT'ed to 172.10.0.1
WAN2 IP: 4.3.2.1 NAT'ed to 172.10.0.1

That way i got a WAN failover to the same server.

Hi,

yes I had the interfaces restricted - I did not want the ntpd to LISTEN on the WAN interface.

Reseting state did not help- same issue.

But attaching ntpd to the WAN interface did the trick.

Now having hybrid NAT and proper ntpd source IP.

Thanks& Greetings

Thank you, I wanted to get confirmation.

I will troubleshoot the XMLRPC sync !

I highly doubt the built-in load balancer (relayd) is going to adequately handle a handoff with Exchange. You should install the haproxy package and use that instead.

I finally found the solution 😸 YaY
On Cisco ME3400E the default port-type is UNI and it has to be set to NNI.

From official Cisco config guide:

Traffic is not switched between these ports, and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user's private network.

@f-meunier
Seems better !
I'll let you know
[EDIT]
That works.
Thanks for the help.
Have a nice day

Hi Jimp.

Thank you, that worked perfectly. Indeed i reverted from 2.4.4 to 2.4.3 and recovered the last configuration, which causes this version mismatch.