i have replicated topology in GNS3 Lab and have same issue:

Immagine 2024-03-27 172830.jpg

@kprovost I have now got this working, I have no idea what I did differently but on two newly built virtual machines I have it working.

It’s generally recommended to avoid using the Virtual IP (VIP) to access the GUI for security reasons. The VIP is typically exposed to more traffic and potential attacks, so accessing the GUI through it could expose sensitive administrative interfaces. Instead, it’s safer to access the GUI from a management interface or VPN that’s not directly exposed to the internet. When you route all traffic from the Test subnet through the pfSense firewall using a specific LAN IP, you’re essentially creating a single point of failure. If you want to use the VIP (10.0.2.101) and still have the traffic appear to come from the load balancer’s public IP, you’ll need to ensure that the VIP is correctly configured for outbound NAT and that the load balancer is set up to handle outbound traffic from the VIP address.

Are you using pfSense CE or Plus? I think that is my first follow up question, Plus is supposed to have some more "stuff" in it to help with IPsec failover delays, as mentioned in the docs.

It's been a while since I've had to failover a node for testing so I could be remembering wrong but I think it was near instant failover. But the docs do mention it could take until the timeout of the tunnel if the peer is the one initiating.

Do you have dead peer detection enabled and do you know if the other side of the tunnel does? That should in theory cause the peer to initiate the tunnel again quickly.

Also, as far as I can tell, the backup node in the HA cluster should become an initiator when it's status changes to Master; I'm sure it is, but can you confirm (when in failover) that the primary says Backup and the secondary says Master? Just to be 100% sure that is working.

Finally, from what I am seeing, I think it should work just as well without XLMRPC so that's the good news.

@viragomann

I watched all of netgate official tutorials.
In one of them they mention that if my setup is structured as a DMZ, the outbound NAT should be set as default:

https://www.youtube.com/watch?v=-UszV8qIaRw&t=2426s

My setup is set as a DMZ
COMCAST ROUTER -> DMZ WAN CARP IP (either pfsense1 or pfsense2)

I removed the custom NAT outbound rules pointing to the WAN CARP IP, and left it at hybrid default rules.
The DNS resolution is working now.

Besides this small mention in a tutorial from 9 years ago, I do not see anywhere else this mention about DMZ in the documentation from netgate. Either way, it is working now. I hope this helps someone else in the future.

Thank you for your help!

I checked the primary and secondary pfsense again last night. The dhcpd were on on both. I guess that is probably the intended behaviour. I see the failover dhcpd in the dhcp status page. I think I am all good. Thanks.

@reberhar Hi All

The answer was already in the forum.

https://forum.netgate.com/topic/182996/openvpn-with-ha-carp-not-connecting-on-vip

Thanks for your patience.

Roy

Ok, so scrambling round for an unused switc, i have discovered the Proxmox on its own wont do layer 2 switching.. once i plugged the 2 vPFsense into a switch they started behaving as expexted....

All the CARP HA responded as primary & backup acordingly and failover works like a charm.

@viragomann That's great, thanks for your reply. I'll be validating this forthcoming but it gives me confidence hearing it from someone else. Much appreciated.

@Yathus
We are also running two pfSense in HA mode on ESXi7. But we have no issues like this.

A view day ago the hosts were taken down for maintenance and started up again, one by the other. The master moved over to the secondary with all services, IPSec, OpenVPN, HAproxy, and back again flawlessly.

However, we don't move around the VMs from one host to another.

@Tony-Soprano said in Hybrid SSL off load and not:

yes a client has a magento installation which wont work after pfsens haproxy ssl offload.

If the client just needs to do the SSL encryption for whatever reason (HAproxy should be able to satisfy the client / backend, so that SSL offloading should be doable), an option could be to assign a private certificate to backend web instance and install the certificate also on pfSense so that it trusts the backend, or simply disable SSL checks.

You can also generate the backend certificate on pfSense with a local CA. The client cert can have a long period of validity.

Ok we do have 2 public ips so if i config a second WAN on pfsense and make 2nd frontend answer to the second public IP, i can seti it as NON ssl offload for any domain into that frontend right?

You can just assign additional IPs as virtual to the WAN interface and configure the additional frontend to listen on it. It has not to be on another interface.

Can confirm this issue occurs from 2.7.1 onwards. The GUI works as expected in 2.7.0.

@minimos We created an alias for “WAN IPs” with the three public IPs in it. (And LAN)

In essence I think you’re asking whether This Firewall will update to include the shared IP when it moves, and I don’t know the answer to that. Maybe, but I would not assume it does.

@jngo
That is a very unusual way to get additional IP addresses based on DHCP.
Typically you get a single (primary) DHCP address and all further IPs you get from the ISP are routed to the primary. So you only need to configure one DHCP interface and can easily use all the assigned IPs.

@clonian Check Diagnostics/Routes on secondary? Any chance the ISP router is locking on to the CARP IP? IOW if you remove the shared IP they should both be able to connect out on their own.

@prisonier
Yes, VRRP is very very similar to CARP. It behaves the same regarding the virtual MAC.

Glad that you got it sorted.

Hi,

i have the same issue but putting :@SECLEVEL=0 to ssl-default-bind-ciphers just gives me an error:

section 'frontend' : 'crt-list' : parsing [/var/etc/haproxy_test/imap_test-994.crt_list:1]: unknown ssl keyword :@SECLEVEL=0

is there anything i can do?

regards