@coreybrett:

If I ever run into this again and want to use the CARP option, would I need to fill in the Virtual IP Password, VHID Group or Advertising frequency when using a single firewall?

Yes, you still need to fill that in even if it's a single unit since they are all required parameters to configure CARP.

Ahh, after re-read, re-read and re-read i found the solution!

With 'The VPN tunnel network' they mean the subnet from the 'remote side' of the VPN tunnel.

After change it works :)

Go to Firewall > NAT > Outbound:

Make sure you have 'Manual (or Hybrid) Outbound NAT' and create an extra rule:

WAN - This Firewall - * - * - * - (WAN CARP IP) - *

Also i think you need to reboot so the apinger is refreshed.

THX for your help, and thx for the hint with udp, i think this is the problem, since the needed UDP traffic is not forwarded within these subnets.

From Cisco i remember to configure ip helper addresses, f.e. UDP: 32410, 32412, 32413, 32414.

ip helper-address 192.168.1.187
ip forward-protocol udp 32410 etc…

is there something similar on pfsense?

Do you have any other suggestions?

Yes. Upgrade.

Thanks for that! I double checked, and OpenVPN is not selected to sync.

@Derelict:

It is those who are making you do this who don't understand.

Yep.
I guess i am not the only one.

Hard to say. But if the only difference is the CARP address being used for NAT that is where I would look.

ISPs do crazy things.

Also, you want to move that static port 500 NAT rule above the rule since, if left like that, it will never be matched. Unrelated to your speed issue. Just sayin'.

Then you are doing it wrong somehow.

@jimp:

You may have some other problem causing the node to demote itself.

What does the CARP status page look like on both units?

Before leaving m.mode - old master shows all interfacess backup, backup shows all interfaces - master
after leaving m.mode - vice versa.

@jimp:

Are there any interfaces enabled but in a 'down' state either on purpose or unintentionally?

No. As I wrote upper - all interfaces is UP state and answer for icmp requests (ping - ok)

Yeah what kind of connection is this on? You will see any other CARP/VRRP on that broadcast/multicast domain. Strange to see such varying IP addresses but it depends on what you're connected to.

You can set Wireshark to decode protocol 112 as CARP though. Those other multicasts might actually be VRRP though. They can coexist.

Nothing different should apply. That is all dependent on your STP configuration but it would generally be safe to have portfast enabled I would think.

they are aleady absolutely the same for both servers (Master and Backup)

bge0 –- WAN1
bge1 --- WAN2
em0 ---- LAN
em1 ---- HA

It will use however much bandwidth it needs to communicate all of the state change information required (inserts, updates, deletes). The more traffic and states you have, the higher the sync traffic bandwidth will be.

Hello,
sorry for old post, but same question here.  Is there any solution for this?

Well go figure, re-configuring the sync interface to use igb4 instead of igb5, and then swapping the firewall rules assigned to the interface and hey presto, a working XMLRPC setup,  so devs…bug here hey?!

tcpdump -i igb4 results:

08:19:47.313327 IP 172.16.0.3 > 172.16.0.2: PFSYNCv5 len 280     update compressed count 3     eof count 1 08:19:47.758196 IP 172.16.0.2 > 172.16.0.3: PFSYNCv5 len 280     update compressed count 3     eof count 1 08:19:48.377325 IP 172.16.0.3 > 172.16.0.2: PFSYNCv5 len 196     update compressed count 2     eof count 1