• WAN takes VIP as address after outage.

    0 Votes
    1 Posts
    424 Views
    No one has replied
  • Fully redundant network setup

    0 Votes
    6 Posts
    2k Views
    Hi, you might take a look into a lagg. This is what I have done. Two interfaces going to two switches. These are bound in a failover. On top of this you can set up CARP. This eliminates the bridging and the problem that brings it in.
  • pfSense load balancing does not work, in the weirdest way

    0 Votes
    2 Posts
    540 Views
    Anyone, please?
  • VIPs and 2 LANs

    0 Votes
    2 Posts
    667 Views
    jimp
    So you just want the traffic from each LAN to appear to exit from a different VIP when it leaves WAN? You can do that easily with outbound NAT.
    1. Add the VIPs if you haven't already, and make sure they work.
    2. Firewall > NAT, Outbound tab, set it to Hybrid mode and save.
    3. Add a rule on that page for the WAN interface, match a source of the first LAN subnet, translation address is your first VIP.
    4. Copy that rule, change the source to your second LAN, and set the translation address to your second VIP.
    If you only have one VIP and want to use the WAN address for one of those, you can do that too, just set the translation addresses to be whatever you need/want. Anything beyond that (like stopping the networks from reaching each other) is up to your local rules on their interfaces, the outbound NAT only controls what happens when their traffic exits WAN.
  • CARP/HA working on WAN without any rules on interface

    0 Votes
    2 Posts
    499 Views
    jimp
    Yes, the CARP traffic is allowed automatically. It is far too easy for user rules to break CARP unintentionally, and since it is multicast and thus only found in the local L2 segment, it is not a significant risk to allow the traffic. The automatic CARP rules also exempt CARP traffic from NAT.
  • TCP problems like unsymmetric routing with CARP

    0 Votes
    1 Posts
    469 Views
    No one has replied
  • XMLRPC method errors

    0 Votes
    2 Posts
    429 Views
    This issue is resolved
  • XMLRPC Sync and additional services

    0 Votes
    2 Posts
    546 Views
    You can select what to be synced in System > High Availability Sync. pfBlockerNG and Suricata have options to enable sync of all settings, other packages may also have sync options.
  • CARP with multi-wan [SOLVED]

    0 Votes
    4 Posts
    2k Views
    jimp
    > @chris4916: This computer (Anne) requests an IP and gets offers from the 2 DHCP servers, with different IPs. I'm just wondering how this works ;) Notice that some devices are receiving the same IP from each DHCP server.
    That is normal. They will both offer since they are both active, but whichever lease the client accepts will be shared between the two systems.
    > @chris4916: Problem was with FW rules for incoming flow on the WAN "group" interface. Having removed these rules and replaced them with rules on each WAN1 & WAN2 interface fixed this issue with incoming flow.
    Great!
  • Failover VPN

    0 Votes
    3 Posts
    862 Views
    --keepalive directive?
  • CARP and transparent-mode

    0 Votes
    1 Posts
    404 Views
    No one has replied
  • High Availability HA authentication failure

    0 Votes
    10 Posts
    3k Views
    Derelict
    Hmm. I have never done an HA pair with an LDAP-configured authentication backend for the webgui (which will also be xmlrpc sync.) Later versions (including 2.4.X) fixed the long-standing issue of being unable to specify the xmlrpc username and password. It might be worth creating a local user on the primary, which should sync to the secondary, that specifically includes the System - HA node sync permission, then specifying that user on the primary in the XMLRPC settings. The secondary is the one that is controlling where things are authenticated. Are you certain the user being specified is present there? Does the XMLRPC sync user and password pass on the secondary in Diagnostics > Authentication? Is there any significant delay? Are the Authentication servers specified identical on the primary and the secondary? Do both nodes pass Diagnostics > Authentication? ![Screen Shot 2017-11-03 at 12.12.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-03 at 12.12.06 PM.png)
  • CARP on AWS

    0 Votes
    3 Posts
    1k Views
    Derelict
    You can't do that. Their AWS network will not allow the multicast between nodes, addresses are tied to specific instances, etc.
  • How common are IP Aliases on WAN interfaces?

    0 Votes
    5 Posts
    2k Views
    jimp
    > @coreybrett: If I ever run into this again and want to use the CARP option, would I need to fill in the Virtual IP Password, VHID Group or Advertising frequency when using a single firewall?
    Yes, you still need to fill that in even if it's a single unit since they are all required parameters to configure CARP.
  • Problems with HA and CARP

    0 Votes
    1 Posts
    553 Views
    No one has replied
  • CARP + OpenVPN - slave not reachable over VPN

    1 Votes
    3 Posts
    1k Views
    Ahh, after re-reading, re-reading and re-reading I found the solution! With 'The VPN tunnel network' they mean the subnet from the 'remote side' of the VPN tunnel. After the change it works :)
  • CARP failover causes default route on master to go missing

    0 Votes
    2 Posts
    1k Views
    Go to Firewall > NAT > Outbound: Make sure you have 'Manual (or Hybrid) Outbound NAT' and create an extra rule: WAN - This Firewall - * - * - * - (WAN CARP IP) - * Also I think you need to reboot so the apinger is refreshed.
  • Virtual IP on Subnets

    0 Votes
    3 Posts
    762 Views
    THX for your help, and thx for the hint with UDP, I think this is the problem, since the needed UDP traffic is not forwarded within these subnets. From Cisco I remember configuring ip helper addresses, e.g. UDP: 32410, 32412, 32413, 32414. `ip helper-address 192.168.1.187`, `ip forward-protocol udp 32410` etc… Is there something similar on pfSense?
  • Disable CARP

    0 Votes
    5 Posts
    1k Views
    Derelict
    Do you have any other suggestions? Yes. Upgrade.
  • Client peer-to-peer tunnels between CARP'd pfsenses

    0 Votes
    3 Posts
    761 Views
    Thanks for that! I double checked, and OpenVPN is not selected to sync.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.