• CARP with multi-wan [SOLVED]

    0 Votes
    4 Posts
    2k Views
    jimp
    @chris4916: This computer (Anne) requests an IP and gets offers from the 2 DHCP servers, with different IPs. I'm just wondering how this works ;) Notice that some devices are receiving the same IP from each DHCP server. That is normal. They will both offer since they are both active, but whichever lease the client accepts will be shared between the two systems. @chris4916: Problem was with FW rules for incoming flow on the WAN "group" interface. Having removed these rules and replaced them with rules on each WAN1 & WAN2 interface fixed this issue with incoming flow. Great!
  • Failover VPN

    0 Votes
    3 Posts
    911 Views
    --keepalive directive?
  • CARP and transparent-mode

    0 Votes
    1 Posts
    409 Views
    No one has replied
  • High Availability HA authentication failure

    0 Votes
    10 Posts
    3k Views
    Derelict
    Hmm. I have never done an HA pair with an LDAP-configured authentication backend for the webgui (which will also be XMLRPC synced). Later versions (including 2.4.X) fixed the long-standing issue of being unable to specify the XMLRPC username and password. It might be worth creating a local user on the primary, which should sync to the secondary, that specifically includes the System - HA node sync permission, then specifying that user on the primary in the XMLRPC settings. The secondary is the one that is controlling where things are authenticated. Are you certain the user being specified is present there? Does the XMLRPC sync user and password pass on the secondary in Diagnostics > Authentication? Is there any significant delay? Are the Authentication servers specified identical on the primary and the secondary? Do both nodes pass Diagnostics > Authentication? ![Screen Shot 2017-11-03 at 12.12.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-03 at 12.12.06 PM.png)
  • CARP on AWS

    0 Votes
    3 Posts
    2k Views
    Derelict
    You can't do that. Their AWS network will not allow the multicast between nodes, addresses are tied to specific instances, etc.
  • How common are IP Aliases on WAN interfaces?

    0 Votes
    5 Posts
    2k Views
    jimp
    @coreybrett: If I ever run into this again and want to use the CARP option, would I need to fill in the Virtual IP Password, VHID Group or Advertising frequency when using a single firewall? Yes, you still need to fill that in even if it's a single unit since they are all required parameters to configure CARP.
  • Problems with HA and CARP

    0 Votes
    1 Posts
    566 Views
    No one has replied
  • CARP + OpenVPN - slave not reachable over VPN

    1 Votes
    3 Posts
    1k Views
    Ahh, after re-reading, re-reading and re-reading, I found the solution! By 'The VPN tunnel network' they mean the subnet from the 'remote side' of the VPN tunnel. After the change it works :)
  • CARP failover causes default route on master to go missing

    0 Votes
    2 Posts
    1k Views
    Go to Firewall > NAT > Outbound: Make sure you have 'Manual (or Hybrid) Outbound NAT' and create an extra rule: WAN - This Firewall - * - * - * - (WAN CARP IP) - * Also I think you need to reboot so the apinger is refreshed.
  • Virtual IP on Subnets

    0 Votes
    3 Posts
    804 Views
    Thanks for your help, and thanks for the hint with UDP; I think this is the problem, since the needed UDP traffic is not forwarded within these subnets. From Cisco I remember configuring ip helper addresses, e.g. UDP: 32410, 32412, 32413, 32414. ip helper-address 192.168.1.187 ip forward-protocol udp 32410 etc… Is there something similar on pfSense?
  • Disable CARP

    0 Votes
    5 Posts
    2k Views
    Derelict
    Do you have any other suggestions? Yes. Upgrade.
  • Client peer-to-peer tunnels between CARP'd pfsenses

    0 Votes
    3 Posts
    813 Views
    Thanks for that! I double checked, and OpenVPN is not selected to sync.
  • CARP Entire Network

    0 Votes
    1 Posts
    457 Views
    No one has replied
  • CARP Network Allocation Problem

    0 Votes
    9 Posts
    1k Views
    @Derelict: It is those who are making you do this who don't understand. Yep. I guess I am not the only one.
  • CARP setup on load balancing network

    0 Votes
    1 Posts
    515 Views
    No one has replied
  • NAT Trouble with CARP

    0 Votes
    4 Posts
    938 Views
    Derelict
    Hard to say. But if the only difference is the CARP address being used for NAT, that is where I would look. ISPs do crazy things. Also, you want to move that static port 500 NAT rule above the rule since, if left like that, it will never be matched. Unrelated to your speed issue. Just sayin'.
  • CARP - NAT

    0 Votes
    6 Posts
    2k Views
    Derelict
    Then you are doing it wrong somehow.
  • Can't leave CARP maintenance mode

    0 Votes
    3 Posts
    774 Views
    @jimp: You may have some other problem causing the node to demote itself. What does the CARP status page look like on both units? Before leaving maintenance mode, the old master shows all interfaces as backup and the backup shows all interfaces as master; after leaving maintenance mode, vice versa. @jimp: Are there any interfaces enabled but in a 'down' state either on purpose or unintentionally? No. As I wrote above, all interfaces are in the UP state and answer ICMP requests (ping is OK).
  • Strange ip addresses in multicast VRRP/CARP packets

    0 Votes
    4 Posts
    1k Views
    Derelict
    Yeah, what kind of connection is this on? You will see any other CARP/VRRP on that broadcast/multicast domain. Strange to see such varying IP addresses, but it depends on what you're connected to. You can set Wireshark to decode protocol 112 as CARP though. Those other multicasts might actually be VRRP though. They can coexist.
  • CARP on WAN with redundant uplinks

    0 Votes
    6 Posts
    1k Views
    Derelict
    Nothing different should apply. That is all dependent on your STP configuration, but it would generally be safe to have portfast enabled, I would think.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.